Hi All We're in the process of setting up our wireless system to use radius authentication against our usernames/passwords which are stored in LDAP. We have come across an issue in testing the radius server. We are using Freeradius. The way we have this setup is quite standard (I hope). The user associates to the AccessPoint (AP) and is prompted for authentication credentials for access to the network. The AP sends the client's username/password credentials to the Radius server. This connection is secured. The Radius server then attempts to bind to the ldap server (again, a secured connection) using the clients credentials. The issue we have is when running the Radius server in debug mode with full log-level, we see the cilent's username and password in clear-text as it attempts to bind to the LDAP server. Certainly we could change the debug mode level to not see this, but the fact that the ability to see that is available is troubling. I'm sure many others on this list use FreeRadius and I'm wondering what sort of policies you have in place to address this security risk. Anyone with high-level access to the box could certainly login, make a change to the debug level and capture sensitive login information. Any advice/feedback is appreciated. Thanks Matt mda@unb.ca
Matt Ashfield wrote:
The issue we have is when running the Radius server in debug mode with full log-level, we see the cilent's username and password in clear-text as it attempts to bind to the LDAP server. Certainly we could change the debug mode level to not see this, but the fact that the ability to see that is available is troubling. I'm sure many others on this list use FreeRadius and I'm wondering what sort of policies you have in place to address this security risk. Anyone with high-level access to the box could certainly login, make a change to the debug level and capture sensitive login information.
This is an issue of your security policy. FreeRADIUS has access to LDAP. Anyone who is not trusted enough to touch LDAP, should not be touching FreeRADIUS. This is how most interdependent services work (Windows, Linux, or otherwise). Running the server in debugging mode should only be done during setup (and most likely on your dev box, not the production one). Once FreeRADIUS is working as it should, you shouldn't be running it in debug mode. An app like FreeRADIUS will always have access to the user/pass because it needs that info to talk to LDAP. Even if the debugging output didn't have the user/pass, then anyone with enough rights to start/stop the app can likely upload a hacked version of FreeRADIUS that does output the user/pass. It is just a matter of a print statement or two. The short answer is don't give high-level access to this box to people you don't trust. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
On 1/8/07, Matt Ashfield <mda@unb.ca> wrote:
The issue we have is when running the Radius server in debug mode with full log-level, we see the cilent's username and password in clear-text as it attempts to bind to the LDAP server. Certainly we could change the debug mode level to not see this, but the fact that the ability to see that is available is troubling. I'm sure many others on this list use FreeRadius and I'm wondering what sort of policies you have in place to address this security risk. Anyone with high-level access to the box could certainly login, make a change to the debug level and capture sensitive login information.
Then again, someone with "high-level access" to the machine could install their own, trojaned copy of radiusd and associated rootkit to hide it, which really makes this a moot point, yes? That's one example -- there's numerous other things they could do to get the passwords. If you don't trust someone in your organization not to do this, why are you giving them "high-level" access in the first place? -- Jeremy L. Gaddis, MCP, GCWN http://www.linuxwiz.net/
Matt Ashfield wrote:
The issue we have is when running the Radius server in debug mode with full log-level, we see the cilent's username and password in clear-text as it attempts to bind to the LDAP server.
That is really the whole purpose of debug mode. You see the users password not only there, but in the attributes when the RADIUS request is printed out, too. Debugging mode has little purpose without that information.
Certainly we could change the debug mode level to not see this, but the fact that the ability to see that is available is troubling. I'm sure many others on this list use FreeRadius and I'm wondering what sort of policies you have in place to address this security risk. Anyone with high-level access to the box could certainly login, make a change to the debug level and capture sensitive login information.
I'm not sure where the problem is. Administrators of the radius server can log in and edit the RADIUS server configuration? Is this really what you're worried about? The short answer is that anyone who can write to the servers configuration, or even read the shared secrets in the "clients" file can snoop on the passwords. There's no way to prevent that without also preventing the server from running. Most of the problem can be solved by ensuring that only selected users have read access to the configuration files. Obviously, "root" has access, and at most one other user, say "radius-admin", with group "radiusd". The files should be owned by "radius-admin", writable by that user. The files should be in group "radiusd", and readable (but NOT writable) by that group. No on else should have read or write access to the configuration files. And the server should run as user "radiusd", group "radiusd". This is covered in my book in more detail. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi,
The issue we have is when running the Radius server in debug mode with full log-level, we see the cilent's username and password in clear-text as it attempts to bind to the LDAP server. Certainly we could change the debug mode level to not see this, but the fact that the ability to see that is available is troubling. I'm sure many others on this list use FreeRadius and I'm wondering what sort of policies you have in place to address this security risk. Anyone with high-level access to the box could certainly login, make a change to the debug level and capture sensitive login information.
is there not a FAQ entry for this? its asked about once a month at least. debug shows ALL. this allows you to see if you have a trivial issue messing things up. its meant to be that way. if you dont want the usernames and passwords to be logged then make the required changes to the configs (by default freeradius will happily log PAP passwords etc into the SQL logs, the detail logs etc!) and make the required change to the source code so that full debugging will never print passwords. alan
A.L.M.Buxey@lboro.ac.uk wrote:
is there not a FAQ entry for this? its asked about once a month at least.
The Wiki entry is editable. :) Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Dennis Skinner -
Gaddis, Jeremy L. -
Matt Ashfield