detail logs User-Password

Peter Nixon listuser at
Tue Apr 4 19:29:54 CEST 2006

On Tue 04 Apr 2006 20:12, Ryan Melendez wrote:
> >   Personally, I don't see a lot of value in it.  But if the patch is
> > simple & the config is easy, I have no objections to it going in.
> If someone would rather send plain text over the wire rather than
> storing plain text passwords, logging the password gives up the main
> advantage for many in using PAP over CHAP.
> >   Question: are there *other* attributes which should be suppressed?
> > If so, the configuration should take a list of attributes to censor,
> > rather than just "logpass=yes/no"
> I don't know of any others, but suggestions are welcome.  I'm going to
> go the single-line-option route unless someone chimes in.

We have actually had several discussions both on and off list about this and 
while Alan doesn't think that there is a particularly good reason to surpress 
passwords, I respectfully disagree with his opinion and can think of several 
scenarios you may want to. My suggestion however is to have something a 
little more generic like the following

detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d.txt
        detailperm = 0600
        detailstrip = User-Password
        detailstrip = 3GPP-IMSI
        detailstrip = Other-Random-Attribute

This easily lets people strip out whatever attributes they want, not only 


Peter Nixon
PGP Key:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <>

More information about the Freeradius-Devel mailing list