I don't want to see clear text password in debug mode
Dear, when I execute "freeradius -X" the daemon starts in debug mode. After that when a any user authenticate againts freradisu service, I can see in the screen something like this: [sql] expand: %{User-Name} -> roberto [sql] sql_set_user escaped user --> 'roberto' [sql] expand: %{User-Password} -> 123456 My password is encrypted with MD5 but it can be seen in the debug screen. Is there any way to disallow or masquerade the use's password in debug mode ??? Really thanks, Roberto
On 6 Aug 2013, at 19:49, Roberto Carna <robertocarna36@gmail.com> wrote:
Dear, when I execute "freeradius -X" the daemon starts in debug mode.
After that when a any user authenticate againts freradisu service, I can see in the screen something like this:
[sql] expand: %{User-Name} -> roberto [sql] sql_set_user escaped user --> 'roberto' [sql] expand: %{User-Password} -> 123456
My password is encrypted with MD5 but it can be seen in the debug screen.
*sigh* No. You have an MD5 hash of the password, the cleartext version is being sent from the NAS.
Is there any way to disallow or masquerade the use's password in debug mode ???
No. This would be difficult to implement, especially for SQL queries where the password value is inserted into another string to form the query. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Hi,
My password is encrypted with MD5 but it can be seen in the debug screen. Is there any way to disallow or masquerade the use's password in debug mode ???
its debug mode. the entire purpose is to ensure that things are what they appear to be and silly things like, 'its doesnt work!' are found to be your password handling etc. the server knows the password is you are dealing with PAP or MD5 etc etc - thats the nature of such a server. why are you running in debug mode? you shouldnt for production systems - the server sees the same sorts of logs as ther daemons - if you dont run mailservers or web servers in full debugging mode you wouldnt know that. if you really dont like it then you can edit the source code to replace the print function with eg "***obfuscated***" or such and then hope that you never need to work with some obscure issue. you might also want to check what logging/detail logging you have on. a server can be configured to log good passwors to file and the detail.log module will be slapping the password into auth_log files if not told not to. this is also why you should be moving away from such passwords - challenge response style passwords wont give you this issue. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
Roberto Carna