How to hide passwords in the log file?
Hi, Does anyone knows how to hide passwords in the log file? I have read some posts about this, but the solution was to edit source, something that I'm not able to do. I don´t know if the 2.1.6 version has been implemented any option to do this without edit source. This is my configuration in radiusd.conf log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } I have no problems when users are authenticated by PEAP, because the log file doesn´t shows the passwords, but now, i want to configure a virtual server to work like tacacs+ on a Cisco ASA Firewall. The firewall supports only radius protocol and it sends passwords in cleartext (PAP), so the passwords are shown on the log, something i would like to avoid. I know that i could set auth = no, and then no authentication will appear in the log, but i need to keep this information to see if a user has logged in correctly or not. Another way to solve this problem could be (i dont know if it will possible), don't log the auth messages from this virtual server and keeping the auth information of other virtual server like radiusd.conf configuration. Thanks in advance.
Rokkhan wrote:
Hi, Does anyone knows how to hide passwords in the log file?
Turn off "auth_goodpass".
I have no problems when users are authenticated by PEAP, because the log file doesn´t shows the passwords, but now, i want to configure a virtual server to work like tacacs+ on a Cisco ASA Firewall. The firewall supports only radius protocol and it sends passwords in cleartext (PAP), so the passwords are shown on the log, something i would like to avoid.
Then... don't tell the serer to log them.
I know that i could set auth = no, and then no authentication will appear in the log, but i need to keep this information to see if a user has logged in correctly or not.
Or, set "auth_goodpass = no". This is documented. Alan DeKok.
Hi! I thought that, if I don't enable auth_goodpass, the correct authentications will not appear in the log, not that only the onyl thing that will not appear, will be the password. Ok, thanks for all, now i have set auth_goodpass = no, and the passwords are not shown in the log. Thanks for all! 2009/8/7 Alan DeKok <aland@deployingradius.com>:
Rokkhan wrote:
Hi, Does anyone knows how to hide passwords in the log file?
Turn off "auth_goodpass".
I have no problems when users are authenticated by PEAP, because the log file doesn´t shows the passwords, but now, i want to configure a virtual server to work like tacacs+ on a Cisco ASA Firewall. The firewall supports only radius protocol and it sends passwords in cleartext (PAP), so the passwords are shown on the log, something i would like to avoid.
Then... don't tell the serer to log them.
I know that i could set auth = no, and then no authentication will appear in the log, but i need to keep this information to see if a user has logged in correctly or not.
Or, set "auth_goodpass = no".
This is documented.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Rokkhan