On M
PostgreSQL datastore is logging passwords in plain text in the 'radpostauth' table for accepted and rejected requests. This is occurring even when 'auth_goodpass' and 'auth_badpass' are set to 'no' - which this looks to be only relevant to logging to radius.log.
Yes.
I could comment out '-sql' in the 'post-auth' section of the server or amend the queries.conf for sql to remove the password. However, for flexibility/simplicity I have looked into using unlang to suppress the attribute.
I would like to use the variable reference from radiusd.conf for auth_goodpass/auth_badpass to control whether the User-Password is suppressed ideally for efficiency.
The unlang is as follows in the 'post-auth' section of the default server:
if (${log.auth_goodpass}) { -sql } else { suppress { User-Password } -sql }
That won't work. You can't just invent syntax and have it do what you want.
This throws the below error:
/etc/freeradius/sites-enabled/default[919]: Parse error in condition /etc/freeradius/sites-enabled/default[919]: (${log.auth_goodpass}) { /etc/freeradius/sites-enabled/default[919]: ^ Expected a module return code
You have to check for a specific value: if ("${log.auth_goodpass}" == "yes") { ... You also can't use a "suppress" block in the middle of an unlang processing section. You have to use "update" to remove User-Password from the request: update request { User-Password !* ANY } Since the password isn't used for anything after post-auth, it's safe to delete it. Alan DeKok.