How to avoid logging cleartext passwords upon unix authentication failures
Hi, we're using Freeradius Version 2.2.0 to authenticate users against unix unsers/passwords stored on the freeradius server. We noticed that when a user authentication fails, the following line appears with the cleartext password within it: Tue Feb 25 11:36:49 2014 : Auth: [unix] invalid password "wrongPassword" Is it possible to tell the unix module not to log passwords? We already disabled authentication requests' logging in the main radiusd.conf file, but there seem not to be an option to disable authentication failures' logging for the unix module, am I wrong? Thank you for any help, Gianni Costanzi
On Tue, Feb 25, 2014 at 12:05:10PM +0100, Gianni Costanzi wrote:
Tue Feb 25 11:36:49 2014 : Auth: [unix] invalid password "wrongPassword"
Is it possible to tell the unix module not to log passwords? We already
In v2, only by editing the source, as it's hardcoded. Comment out the line in rlm_unix.c You could potentially pull the crypted password out with the passwd module, and auth with pap rather than unix. Should have the desired effect. In v3 the invalid password logging has gone away, so if you upgrade then you should be OK. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 25 Feb 2014, at 14:54, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Tue, Feb 25, 2014 at 12:05:10PM +0100, Gianni Costanzi wrote:
Tue Feb 25 11:36:49 2014 : Auth: [unix] invalid password "wrongPassword"
Is it possible to tell the unix module not to log passwords? We already
In v2, only by editing the source, as it's hardcoded. Comment out the line in rlm_unix.c
You could potentially pull the crypted password out with the passwd module, and auth with pap rather than unix. Should have the desired effect.
In v3 the invalid password logging has gone away, so if you upgrade then you should be OK.
* Is only displayed and debug level 3. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Tue, Feb 25, 2014 at 04:39:55PM +0000, Arran Cudbard-Bell wrote:
On 25 Feb 2014, at 14:54, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Tue, Feb 25, 2014 at 12:05:10PM +0100, Gianni Costanzi wrote:
Tue Feb 25 11:36:49 2014 : Auth: [unix] invalid password "wrongPassword"
Is it possible to tell the unix module not to log passwords? We already
In v3 the invalid password logging has gone away, so if you upgrade then you should be OK.
* Is only displayed and debug level 3.
Debug logs, yeah. I thought he was talking about /var/log/freeradius/radiusd.log v3 is the way to go, anyhow. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Arran Cudbard-Bell -
Gianni Costanzi -
Matthew Newton