Suppress radpostauth password logging with unlang variable reference
Hi All, PostgreSQL datastore is logging passwords in plain text in the 'radpostauth' table for accepted and rejected requests. This is occurring even when 'auth_goodpass' and 'auth_badpass' are set to 'no' - which this looks to be only relevant to logging to radius.log. I could comment out '-sql' in the 'post-auth' section of the server or amend the queries.conf for sql to remove the password. However, for flexibility/simplicity I have looked into using unlang to suppress the attribute. I would like to use the variable reference from radiusd.conf for auth_goodpass/auth_badpass to control whether the User-Password is suppressed ideally for efficiency. The unlang is as follows in the 'post-auth' section of the default server: if (${log.auth_goodpass}) { -sql } else { suppress { User-Password } -sql } This throws the below error: /etc/freeradius/sites-enabled/default[919]: Parse error in condition /etc/freeradius/sites-enabled/default[919]: (${log.auth_goodpass}) { /etc/freeradius/sites-enabled/default[919]: ^ Expected a module return code I have then attempted to set a variable called 'auth_good' as 'false' in the default server and referenced it as ${.auth_good} instead but encountered the same issue. If anyone has any advice on how to achieve this or where I am going wrong, it would be much appreciated. Kind regards, Sam FreeRADIUS Version 3.2.8 Copyright (C) 1999-2025 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT FreeRADIUS is developed, maintained, and supported by InkBridge Networks. For commercial support, please email sales@inkbridgenetworks.com https://inkbridgenetworks.com/ Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/date including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/digest including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/expr including configuration file /etc/freeradius/mods-enabled/files including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/ntlm_auth including configuration file /etc/freeradius/mods-enabled/pap including configuration file /etc/freeradius/mods-enabled/passwd including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/proxy_rate_limit including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/soh including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/totp including configuration file /etc/freeradius/mods-enabled/unix including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/utf8 including configuration file /etc/freeradius/mods-enabled/sql including configuration file /etc/freeradius/mods-config/sql/main/postgresql/queries.conf including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/abfab-tr including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/canonicalization including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/cui including configuration file /etc/freeradius/policy.d/debug including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/rfc7542 including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default /etc/freeradius/sites-enabled/default[919]: Parse error in condition /etc/freeradius/sites-enabled/default[919]: (${.auth_good}) { /etc/freeradius/sites-enabled/default[919]: ^ Expected a module return code Errors reading or parsing /etc/freeradius/radiusd.conf
On M
PostgreSQL datastore is logging passwords in plain text in the 'radpostauth' table for accepted and rejected requests. This is occurring even when 'auth_goodpass' and 'auth_badpass' are set to 'no' - which this looks to be only relevant to logging to radius.log.
Yes.
I could comment out '-sql' in the 'post-auth' section of the server or amend the queries.conf for sql to remove the password. However, for flexibility/simplicity I have looked into using unlang to suppress the attribute.
I would like to use the variable reference from radiusd.conf for auth_goodpass/auth_badpass to control whether the User-Password is suppressed ideally for efficiency.
The unlang is as follows in the 'post-auth' section of the default server:
if (${log.auth_goodpass}) { -sql } else { suppress { User-Password } -sql }
That won't work. You can't just invent syntax and have it do what you want.
This throws the below error:
/etc/freeradius/sites-enabled/default[919]: Parse error in condition /etc/freeradius/sites-enabled/default[919]: (${log.auth_goodpass}) { /etc/freeradius/sites-enabled/default[919]: ^ Expected a module return code
You have to check for a specific value: if ("${log.auth_goodpass}" == "yes") { ... You also can't use a "suppress" block in the middle of an unlang processing section. You have to use "update" to remove User-Password from the request: update request { User-Password !* ANY } Since the password isn't used for anything after post-auth, it's safe to delete it. Alan DeKok.
You have to check for a specific value:
if ("${log.auth_goodpass}" == "yes") { ...
You also can't use a "suppress" block in the middle of an unlang processing section. You have to use "update" to remove User-Password from the request:
update request { User-Password !* ANY }
Since the password isn't used for anything after post-auth, it's safe to delete it.
Alan, thank you for the advice and unlang code; this is working as expected. I was attempting to use the detail module example for 'suppress'. I have gone through the unlang documentation further, which I now hopefully have a better understanding, especially keywords!
participants (2)
-
Alan DeKok -
Sam Hutchings