log *** instead of actual User-Password in postauth_query
Dear List! I am wondering if there is a way to convert a password to a number of asterisk symbols (*) matching the length of the actual password using unlang. For obvious reasons i do not want to log the cleartext password in radpostauth. But i don't want to completely omit the field either. Changing the postauth_query in dialup.conf is pretty straightforward, but i could not figure out how to replace the password with the exact same number of * symbols. The best i could come up with so far is: %{%{#User-Password}:-0} Which outputs the length of the password as a number. Is there a straightforward way to achieve what i want? tia, Michael
On 24 Feb 2014, at 17:17, Michael Weissenbacher <mw@dermichi.com> wrote:
Dear List! I am wondering if there is a way to convert a password to a number of asterisk symbols (*) matching the length of the actual password using unlang.
For obvious reasons i do not want to log the cleartext password in radpostauth. But i don't want to completely omit the field either. Changing the postauth_query in dialup.conf is pretty straightforward, but i could not figure out how to replace the password with the exact same number of * symbols. The best i could come up with so far is: %{%{#User-Password}:-0}
Which outputs the length of the password as a number. Is there a straightforward way to achieve what i want?
Surely %{%{#User-Password}:-0} is superior to outputting asterixes... Then you don't have to count the asterixes to know what length the password was? The various SQL dialects support padding string with arbitrary chars, so you can probably edit the post-auth queries to do what you want. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi Arran!
Surely %{%{#User-Password}:-0} is superior to outputting asterixes... Then you don't have to count the asterixes to know what length the password was?
On second thought, i guess you are right :-)
The various SQL dialects support padding string with arbitrary chars, so you can probably edit the post-auth queries to do what you want.
Of course! Thanks for the pointer. I successfully solved it using MySQL's ltrim() function. with kind regards, Michael
participants (2)
-
Arran Cudbard-Bell -
Michael Weissenbacher