I understand that it is sometimes useful to display the plain-text password in the debug output; however, I consider this a security exposure. I'd like to see a configuration option (e.g., debug_show_passwords or something similar) with a default of no, that when set to false/no would write "********" instead of a plain-text password in debug output. Currently, modules rlm_ldap, rlm_pap, and perhaps others write the plain-text password in debug output. Your thoughts? Neal
Debugging output is always a security exposure. Secure debugging wouldn't be all that helpful to the debugging process especially as seeing the plain text password may be the difference between solving a problem or not. Perhaps 'redacted' debugging output is what you're after (for posting to the mailing list). Perhaps you could add a radiusd flag for that and change the debugging output accordingly. Garber, Neal wrote:
I understand that it is sometimes useful to display the plain-text password in the debug output; however, I consider this a security exposure. I’d like to see a configuration option (e.g., debug_show_passwords or something similar) with a default of no, that when set to false/no would write “********” instead of a plain-text password in debug output. Currently, modules rlm_ldap, rlm_pap, and perhaps others write the plain-text password in debug output.
Your thoughts?
Neal
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Garber, Neal" <Neal.Garber@energyeast.com> wrote:
I understand that it is sometimes useful to display the plain-text password in the debug output; however, I consider this a security exposure. I'd like to see a configuration option (e.g., debug_show_passwords or something similar) with a default of no, that when set to false/no would write "********" instead of a plain-text password in debug output.
In one word: No. The whole purpose of debugging mode is to print out what the server is doing. Hiding information is a guaranteed way to create problems. You can also do: $ radiusd -X | sed 's/password.*/password/g;s/Password.*/Password/g' So why hack the server? Write a wrapper script for your installation, and call it "secure". A slightly different response is: a) Why is it a security exposure? You haven't explained. You're really saying that it's a security exposure to show passwords to the administrator who has permission to stop and start the server? b) If the default is changed to not show the passwords, are *you* going to answer umpteen questions on this list about "why does the password show up as ***"? I am strongly opposed to this kind of "security". It makes life difficult for everyone else, and has essentially no security benefit for you, either. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Garber, Neal -
Michael Lecuyer