hi! 1. how can I stop my freeradius server from logging entered passwords into the the accounting file? I would like to only have the following in my file this way: Packet-Type = Access-Request Wed Mar 1 15:05:04 2006 User-Name = "Me" ######no password logging!!### NAS-IP-Address = x.x.x.x NAS-Identifier = "ssh" NAS-Port = 424 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = : 2. Is there a way of stopping the server from outputing the user password on debug mode?? as in: rad_recv: Access-Request packet from host 10.0.10.11:1449, id=17, length=87 User-Name = "Me" ##NO User-Password##### NAS-IP-Address = x.x.x.x NAS-Identifier = "ssh" NAS-Port = 424 : 3. And finally is it possible to use enycrypted passwords in user file? e.g. Me Auth-Type := Crypt-Local, Crypt-Password == "098f6bcd4621d373cade4e832627b4f6" ......or something similar Thanks in Advance. Andy Trüffle ___________________________________________________________ Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de
andre kip <xu178@yahoo.de> wrote:
how can I stop my freeradius server from logging entered passwords into the the accounting file?
It's not an accounting file. The text you quote says "Access-Request". And it isn't logged by default. You've updated your configuration to log Access-Requests, which usually isn't that useful. If you don't want to see the password, don't log Access-Requests, or edit the rlm_detail module to not log User-Password.
Is there a way of stopping the server from outputing the user password on debug mode??
Absolutely not. This will *never* be changed.
And finally is it possible to use enycrypted passwords in user file?
Yes. Alan DeKok.
thanks Alan for your assistance so far. Sorry for bugging you further but I still got a question or two. 1. Where is the rlm_detail module? I only see *.so and *.la files which seem not to be the ones. man rlm_detail doesn't help either. 2. I managed to use encrypted passwords in the user file. Is it possible to store encrypted shared secret both in server and client? Thanks in advance. Trüffle. --- Alan DeKok <aland@ox.org> schrieb:
andre kip <xu178@yahoo.de> wrote:
how can I stop my freeradius server from logging entered passwords into the the accounting file?
It's not an accounting file. The text you quote says "Access-Request". And it isn't logged by default. You've updated your configuration to log Access-Requests, which usually isn't that useful.
If you don't want to see the password, don't log Access-Requests, or edit the rlm_detail module to not log User-Password.
Is there a way of stopping the server from outputing the user password on debug mode??
Absolutely not. This will *never* be changed.
And finally is it possible to use enycrypted passwords in user file?
Yes.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
___________________________________________________________ Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de
andre kip <xu178@yahoo.de> wrote:
1. Where is the rlm_detail module? I only see *.so and *.la files which seem not to be the ones. man rlm_detail doesn't help either.
Try looking at the source.
2. I managed to use encrypted passwords in the user file. Is it possible to store encrypted shared secret both in server and client?
No. Alan DeKok.
I also want to remove the password from the log file. I am trying to modify the rlm_detail file. I beileve the section that needs modifying is at line 280. Before modification I just need to understand the following lines after 280. The code with the comment /* Don't Print passwords in old format */ What is the old format compared to the new format. As far as what to change what is the pair->attribute for User-Password statement. I would presume it would be PW_PASSWORD_REQUEST. My thinking is is to do something like this if (compat && (pair->attribute == PW_PASSWORD_REQUEST)) { pair = pair->next; continue; Is that correct? Alan DeKok wrote:
andre kip <xu178@yahoo.de> wrote:
1. Where is the rlm_detail module? I only see *.so and *.la files which seem not to be the ones. man rlm_detail doesn't help either.
Try looking at the source.
2. I managed to use encrypted passwords in the user file. Is it possible to store encrypted shared secret both in server and client?
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Craig T. Hancock" <chancock@nd.edu> wrote:
As far as what to change what is the pair->attribute for User-Password statement. I would presume it would be PW_PASSWORD_REQUEST.
Huh? Why? What's wrong with using grep to search the source, to find out the proper name? Alan DEKok.
Alan, When I grep the source tree for pair->attribute I could only find 11 files that reference it. I understand that pair is a pointer and attribute is the field of the structure. I just can't find the structure definition to confirm this. If I had to guess (and I am somewhat guessing at this point due to my knowledge of the Code Tree). The attribute would be PW_USER_PASSWORD. If you can confirm this or direct me to the source file has the structure definitions I would appreciate it. Alan DeKok wrote:
"Craig T. Hancock" <chancock@nd.edu> wrote:
As far as what to change what is the pair->attribute for User-Password statement. I would presume it would be PW_PASSWORD_REQUEST.
Huh? Why?
What's wrong with using grep to search the source, to find out the proper name?
Alan DEKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Craig T. Hancock" <chancock@nd.edu> wrote:
If I had to guess (and I am somewhat guessing at this point due to my knowledge of the Code Tree). The attribute would be PW_USER_PASSWORD.
Yes.
If you can confirm this or direct me to the source file has the structure definitions I would appreciate it.
See src/include. It contains the header files that define the structures. The names and contents should be self-explanatory. Alan DeKok.
Hi Craig! I haven't found out where this rlm_detail module is for logging information. Where are these files? I guess it is not a file with *.so ending. Trüffel --- "Craig T. Hancock" <chancock@nd.edu> schrieb:
Alan,
When I grep the source tree for pair->attribute I could only find 11 files that reference it. I understand that pair is a pointer and attribute is the field of the structure. I just can't find the structure definition to confirm this.
If I had to guess (and I am somewhat guessing at this point due to my knowledge of the Code Tree). The attribute would be PW_USER_PASSWORD.
If you can confirm this or direct me to the source file has the structure definitions I would appreciate it.
Alan DeKok wrote:
"Craig T. Hancock" <chancock@nd.edu> wrote:
As far as what to change what is the pair->attribute for User-Password statement. I would presume it would be PW_PASSWORD_REQUEST.
Huh? Why?
What's wrong with using grep to search the source, to find out the proper name?
Alan DEKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
___________________________________________________________ Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de
I did this for an rlm_syslog module, since I didn't want password logged in the clear. I added a "hidepasswd" config option so it could be enabled/disabled at will, but basically it's just: if ((strstr(buf, "User-Password") != 0) && (strcmp(inst->hidepasswd, "yes") == 0)) { pair->next; } Craig T. Hancock wrote:
I also want to remove the password from the log file. I am trying to modify the rlm_detail file. I beileve the section that needs modifying is at line 280. Before modification I just need to understand the following lines after 280. The code with the comment
/* Don't Print passwords in old format */
What is the old format compared to the new format.
As far as what to change what is the pair->attribute for User-Password statement. I would presume it would be PW_PASSWORD_REQUEST.
My thinking is is to do something like this
if (compat && (pair->attribute == PW_PASSWORD_REQUEST)) { pair = pair->next; continue;
Is that correct?
Alan DeKok wrote:
andre kip <xu178@yahoo.de> wrote:
1. Where is the rlm_detail module? I only see *.so and *.la files which seem not to be the ones. man rlm_detail doesn't help either.
Try looking at the source.
2. I managed to use encrypted passwords in the user file. Is it possible to store encrypted shared secret both in server and client?
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Geoff, I haven't been successful in getting freeradius not to log passwords. Where is this rlm_syslog?? I am looking for it at source but to no avail. ..or did you change rlm_detail by adding: if ((strstr(buf, "User-Password") != 0) && (strcmp(inst->hidepasswd, "yes") == 0)) { pair->next; } regards, Mr. Trüffle
Craig T. Hancock wrote:
I also want to remove the password from the log file. I am trying to modify the rlm_detail file. I beileve the section that needs modifying is at line 280. Before modification I just need to understand the following lines after 280. The code with the comment
/* Don't Print passwords in old format */
What is the old format compared to the new format.
As far as what to change what is the pair->attribute for User-Password statement. I would presume it would be PW_PASSWORD_REQUEST.
My thinking is is to do something like this
if (compat && (pair->attribute == PW_PASSWORD_REQUEST)) { pair = pair->next; continue;
Is that correct?
Alan DeKok wrote:
andre kip <xu178@yahoo.de> wrote:
1. Where is the rlm_detail module? I only see *.so and *.la files which seem not to be the ones. man rlm_detail doesn't help either.
Try looking at the source.
2. I managed to use encrypted passwords in the user file. Is it possible to store encrypted shared secret both in server and client?
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
___________________________________________________________ Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de
On Mon, 2006-13-03 at 17:38 +0100, andre kip wrote:
Hi Geoff,
I haven't been successful in getting freeradius not to log passwords. Where is this rlm_syslog?? I am looking for it at source but to no avail. ..or did you change rlm_detail by adding:
if ((strstr(buf, "User-Password") != 0) && (strcmp(inst->hidepasswd, "yes") == 0)) { pair->next; }
regards, Mr. Trüffle
Have you tried changing the settings in radiusd.conf? # Log authentication requests to the log file. # # allowed values: {no, yes} # log_auth = no # Log passwords with the authentication requests. # log_auth_badpass - logs password if it's rejected # log_auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no
I had tried that and it logged passwords regardless. Guy Fraser wrote:
On Mon, 2006-13-03 at 17:38 +0100, andre kip wrote:
Hi Geoff,
I haven't been successful in getting freeradius not to log passwords. Where is this rlm_syslog?? I am looking for it at source but to no avail. ..or did you change rlm_detail by adding:
if ((strstr(buf, "User-Password") != 0) && (strcmp(inst->hidepasswd, "yes") == 0)) { pair->next; }
regards, Mr. Trüffle
Have you tried changing the settings in radiusd.conf?
# Log authentication requests to the log file. # # allowed values: {no, yes} # log_auth = no
# Log passwords with the authentication requests. # log_auth_badpass - logs password if it's rejected # log_auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_syslog is a module I wrote based on rlm_detail. I submitted it as a patch, but it's not part of the production freeradius code at this point. You probably want to add the following... around line 70: char *hidepasswd; around line 81-82 of rlm_detail.c: { "hidepasswd", PW_TYPE_BOOLEAN, offsetof(struct detail_instance,hidepasswd), NULL, "yes" }, around line 288: if ((pair->attribute == PW_PASSWORD) && (strcmp(inst->hidepasswd, "yes") == 0)) { pair->next; } and then add "hidepasswd = yes" to the detail sections of your radiusd.conf andre kip wrote:
Hi Geoff,
I haven't been successful in getting freeradius not to log passwords. Where is this rlm_syslog?? I am looking for it at source but to no avail. ..or did you change rlm_detail by adding:
if ((strstr(buf, "User-Password") != 0) && (strcmp(inst->hidepasswd, "yes") == 0)) { pair->next; }
regards, Mr. Trüffle
Craig T. Hancock wrote:
I also want to remove the password from the log
file. I am trying to
modify the rlm_detail file. I beileve the section
that needs modifying
is at line 280. Before modification I just need to
understand the
following lines after 280. The code with the
comment
/* Don't Print passwords in old format */
What is the old format compared to the new format.
As far as what to change what is the
pair->attribute
for User-Password statement. I would presume it
would be
PW_PASSWORD_REQUEST.
My thinking is is to do something like this
if (compat && (pair->attribute ==
PW_PASSWORD_REQUEST)) {
pair = pair->next; continue;
Is that correct?
Alan DeKok wrote:
andre kip <xu178@yahoo.de> wrote:
1. Where is the rlm_detail module? I only see
*.so and
*.la files which seem not to be the ones. man rlm_detail doesn't help either.
Try looking at the source.
2. I managed to use encrypted passwords in the
user
file. Is it possible to store encrypted shared
secret
both in server and client?
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
___________________________________________________________ Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de
participants (5)
-
Alan DeKok -
andre kip -
Craig T. Hancock -
Geoff Silver -
Guy Fraser