detail logs User-Password
Peter Nixon
listuser at peternixon.net
Tue Apr 4 19:29:54 CEST 2006
On Tue 04 Apr 2006 20:12, Ryan Melendez wrote:
> > Personally, I don't see a lot of value in it. But if the patch is
> > simple & the config is easy, I have no objections to it going in.
>
> If someone would rather send plain text over the wire rather than
> storing plain text passwords, logging the password gives up the main
> advantage for many in using PAP over CHAP.
>
> > Question: are there *other* attributes which should be suppressed?
> > If so, the configuration should take a list of attributes to censor,
> > rather than just "logpass=yes/no"
>
> I don't know of any others, but suggestions are welcome. I'm going to
> go the single-line-option route unless someone chimes in.
We have actually had several discussions both on and off list about this, and
while Alan doesn't think that there is a particularly good reason to suppress
passwords, I respectfully disagree with his opinion and can think of several
scenarios where you may want to. My suggestion, however, is to have something a
little more generic, like the following:
detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d.txt
        detailperm = 0600
        detailstrip = User-Password
        detailstrip = 3GPP-IMSI
        detailstrip = Other-Random-Attribute
}
This easily lets people strip out whatever attributes they want, not only
passwords.
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
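
The following is an added illustration, not part of the original message and not FreeRADIUS code: a post-processing filter that applies the strip list proposed above to detail records that have already been written. The function name, the sample records and the case-insensitive name matching are assumptions of this example.

```python
import re

# Attribute names to drop, mirroring the detailstrip entries proposed above.
STRIP = {"User-Password", "3GPP-IMSI"}

# A detail-file attribute line: leading whitespace, attribute name, "=", value.
# Record header lines (timestamps) start in column 0 and never match.
ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9][A-Za-z0-9_.:-]*)\s*=\s")


def strip_attributes(detail_text, strip=STRIP):
    """Return (cleaned_text, dropped_count) for a detail-file string.

    Only whole attribute names are matched, so CHAP-Password or a value
    that merely mentions User-Password is left alone. Names are compared
    case-insensitively (a conservative choice made for this example).
    """
    wanted = {name.lower() for name in strip}
    kept, dropped = [], 0
    for line in detail_text.splitlines(keepends=True):
        m = ATTR_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            dropped += 1
            continue
        kept.append(line)
    return "".join(kept), dropped


# Constructed sample records in the detail-file layout (not real log data).
SAMPLE = (
    "Tue Apr  4 19:29:54 2006\n"
    "\tUser-Name = \"alice\"\n"
    "\tUser-Password = \"constructed-secret\"\n"
    "\tNAS-IP-Address = 192.0.2.10\n"
    "\t3GPP-IMSI = \"001010123456789\"\n"
    "\n"
    "Tue Apr  4 19:30:02 2006\n"
    "\tUser-Name = \"bob\"\n"
    "\tCHAP-Password = 0x00aabbcc\n"
    "\tReply-Message = \"User-Password = not an attribute\"\n"
    "\n"
)

if __name__ == "__main__":
    cleaned, dropped = strip_attributes(SAMPLE)
    print(cleaned, end="")
    print(f"# dropped {dropped} attribute line(s)")
```
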