radiusd logs good passwords even when told not to?
Background info: # uname -a Linux removed.com 2.6.9-67.0.22.EL #1 Wed Jul 23 17:17:45 EDT 2008 i686 i686 i386 GNU/Linux Free radius installed via a RPM: # rpm -qa | grep radius freeradius-1.0.1-3.RHEL4.5 # radiusd -v radiusd: FreeRADIUS Version 1.0.1, for host , built on Apr 25 2007 at 08:19:46 Copyright (C) 2000-2003 The FreeRADIUS server project. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. We start/stop it via the init.d script which states: RADIUSD=/usr/sbin/radiusd LOCKF=/var/lock/subsys/radiusd CONFIG=/etc/raddb/radiusd.conf Our /etc/raddb/radiusd.conf clearly states to not log passwords: # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no However it's logging good password auth's still.. # ll /etc/radacct/ | wc -l 631 # cat auth-detail-20081023 Packet-Type = Access-Request <removed> User-Name = "username" User-Password = "password" NAS-IP-Address = 127.0.0.1 Client-IP-Address = 127.0.0.1 Starting it manually with debug turned on here is what I see.. # radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/" main: localstatedir = "//var" main: logdir = "/var/log" main: libdir = "//lib" main: radacctdir = "/etc/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "//var/run/radiusd/radiusd.pid" main: bind_address = 192.168.1.1 IP address [192.168.1.1] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "//sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/etc/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.1.1:1812 Listening on accounting 192.168.1.1:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.10.10.10:2702, id=165, length=53 User-Name = "username" User-Password = "removed" NAS-IP-Address = 10.10.10.10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/etc/radacct/10.10.10.10/auth-detail-20090106' rlm_detail: /etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /etc/radacct/10.10.10.10/auth-detail-20090106 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 rlm_realm: No '@' in User-Name = "username", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched DEFAULT at 153 users: Matched username at 316 modcall[authorize]: module "files" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns ok for request 0 modcall: group authenticate returns ok for request 0 Login OK: [username] (from client hostname.com port 0) Sending Access-Accept of id 165 to 10.10.10.10:2702 NS-Admin-Privilege = All-VSYS-Root-Admin Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... You can see it touched and updated the file with the new record.. # ll total 4 -rw------- 1 root root 342 Jan 6 10:17 auth-detail-20090106 So why is it doing this? How can I stop it? Ideally I would like radius to NOT store passwords in plain-text.. Any help is appreciated, thanks all! -Tim Eberhard
Free radius installed via a RPM: # rpm -qa | grep radius freeradius-1.0.1-3.RHEL4.5
# radiusd -v radiusd: FreeRADIUS Version 1.0.1, for host , built on Apr 25 2007 at 08:19:46
That was years out of date even when installed. See about upgrading: http://wiki.freeradius.org/Red_Hat_FAQ
Our /etc/raddb/radiusd.conf clearly states to not log passwords: # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no
In radius.log file. And it doesn't:
Login OK: [username] (from client hostname.com port 0)
# cat auth-detail-20081023
Packet-Type = Access-Request <removed> User-Name = "username" User-Password = "password" NAS-IP-Address = 127.0.0.1 Client-IP-Address = 127.0.0.1
That's detail module at work:
Module: Loaded detail detail: detailfile = "/etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log)
In current versions there is a supress setting in detail module where you can set attributes that you don't want to log in detail file. I have no idea if such setting exists in the version you are using. Ivan Kalik Kalik Informatika ISP
Hi,
Background info:
yes, ancient version
Our /etc/raddb/radiusd.conf clearly states to not log passwords: # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no
correct - in the main log
However it's logging good password auth's still..
no, this is the detail file - and you've enabled the detail logging module - which has an option for stopping the password from being logged...however, I think that was only from version 1.1.x - see the current version docs and/or the current config files from the recent release (download the tar.gz file, extract and then view the config. do you need or use the detail files in any of your processes? if not, then disable the detail module (comment out calls to it) alan
I have no need for a details log the data stored in /var/log/radius.log is more than sufficient for me. So by commenting out detail { } in the radiusd.conf file should stop this? I know I'm running a ancient version of free radius.. sadly it's what RHEL came with and it's what we have as 'stable'. I'll look at upgrading but I'm afraid this is one of those wonderful 100% uptime required services. Thanks again all, -Tim Eberhard On Tue, Jan 6, 2009 at 11:51 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Background info:
yes, ancient version
Our /etc/raddb/radiusd.conf clearly states to not log passwords: # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no
correct - in the main log
However it's logging good password auth's still..
no, this is the detail file - and you've enabled the detail logging module - which has an option for stopping the password from being logged...however, I think that was only from version 1.1.x - see the current version docs and/or the current config files from the recent release (download the tar.gz file, extract and then view the config.
do you need or use the detail files in any of your processes? if not, then disable the detail module (comment out calls to it)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I have no need for a details log the data stored in /var/log/radius.log is more than sufficient for me.
So by commenting out detail { } in the radiusd.conf file should stop this?
you will also need to remove the calls to that detail config in various other places in the config.
I know I'm running a ancient version of free radius.. sadly it's what RHEL came with and it's what we have as 'stable'. I'll look at upgrading but I'm afraid this is one of those wonderful 100% uptime required services.
aye - set it up on another server and then swap-over during a pre-disclosed maintainance window.... we have 3 servers + 2 dev systems to allow for upgrades (and pre-testing of upgrades!) since 2.x came out we can lose 2 service boxes and the 3rd can handle the load (pre 2.x we needed 2 up) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Tim Eberhard -
tnt@kalik.net