Hashing of Debug Log Passwords
Hi All, I've hashed the passwords in my DB and made it so that the RADIUS server, a) uses the hashed passwords b) doesn't store the cleartext passwords in the 'radpostauth' table. Think I know the answer to this already but is it possible to hash/hide the passwords being seen in the debug logs (e.g. freeradius -X)? Pretty sure this is a no since the server needs to see the password at some point but thought I would ask. Thanks!
On Nov 5, 2024, at 5:15 PM, FreeRAD <yetifreerad@gmail.com> wrote:
I've hashed the passwords in my DB and made it so that the RADIUS server, a) uses the hashed passwords b) doesn't store the cleartext passwords in the 'radpostauth' table. Think I know the answer to this already but is it possible to hash/hide the passwords being seen in the debug logs (e.g. freeradius -X)?
Not really, no.
Pretty sure this is a no since the server needs to see the password at some point but thought I would ask.
We've made this more configurable in v4, but at some point seeing the passwords helps a *lot* for debugging. Alan DeKok.
Hi Alan, No problem, thought that might be the case. Thank you! On Tue, Nov 5, 2024 at 6:58 PM Alan DeKok <aland@deployingradius.com> wrote:
On Nov 5, 2024, at 5:15 PM, FreeRAD <yetifreerad@gmail.com> wrote:
I've hashed the passwords in my DB and made it so that the RADIUS server, a) uses the hashed passwords b) doesn't store the cleartext passwords in the 'radpostauth' table. Think I know the answer to this already but is it possible to hash/hide the passwords being seen in the debug logs (e.g. freeradius -X)?
Not really, no.
Pretty sure this is a no since the server needs to see the password at some point but thought I would ask.
We've made this more configurable in v4, but at some point seeing the passwords helps a *lot* for debugging.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
FreeRAD