Source Code Modification Help - No Clear Text User-Password logging

Mark Selby mselby at knewton.com
Mon Jul 30 06:47:51 CEST 2012


I am sending this to the freeradius-devel list as I am asking for help on
source code modification and felt this was more appropriate than the
freeradius-users list. If it is felt by many that I should re-submit
under the users list I will be happy to do so. I do not have any C
programming experience but have made small modifications and compiled
tens of open source software programs.

I am using freeradius for my company as 802.1x wireless authentication
backend for our internal wifi network. We extensively use Kerberos
(MIT) as an authentication mechanism and have configured TTLS/PAP on
the client and rlm_krb5 to allow users to authenticate using their
Kerberos principals and passwords.

As a general practice we never ask what other users' passwords are,
never transmit passwords over the wire in clear text, and never log
passwords on disk.

I have found there are 2 ways to get the freeradius server to log
clear text passwords and would like to ask for source code
modification examples or at least pointers to the right place to make
them such that I can compile a custom version of the software that
does not do this. We do not ever want to be able to see our users'
passwords.

(1) log_auth_badpass|log_auth_goodpass

I see there are 4 source files (radiusd.h, auth.c, mainconfig.c,
radiusd.c) that include references to log_auth_badpass and
log_auth_goodpass. I figure that I can read the code and make any
minor modifications that make sure these options cannot be turned on.

(2) radiusd -X

When running in debug mode I can often see on the screen output like the below:

[ttls] Got tunneled request
        User-Name = "gonzo"
        User-Password = "a_password"
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "gonzo"
        User-Password = "a_password"
        FreeRADIUS-Proxied-To = 127.0.0.1
        NAS-IP-Address = 10.0.1.218
        NAS-Identifier = "AP-7eff00"
        NAS-Port = 0
        Called-Station-Id = "AA-1E-72-7A-AA-00:radius"
        Calling-Station-Id = "A4-5A-AE-54-04-48"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"

I cannot seem to figure out in the code how to make sure that the
User-Password is never printed in the clear like it is above. Any
pointers to where in the code I can turn this off would be greatly
appreciated.

Thanks!
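
As an added example, not FreeRADIUS source and not the poster's code, the following stand-alone C filter shows the mitigation the post asks for: a debug line of the shape `Attr = value` is passed through, and the value is replaced with a marker when the attribute is on a secret list, so the `User-Password = "a_password"` lines above would never reach the console or a log. User-Password is taken from the post; the CHAP-Password entry, the function names and the marker text are assumptions.

```c
/* Added illustration, not FreeRADIUS source: mask password-carrying
 * attribute values before an "Attr = value" debug line reaches the console
 * or a log file. Attribute names other than User-Password are assumptions. */
#include <stdio.h>
#include <string.h>
static const char *const secret_attrs[] = { "User-Password", "CHAP-Password", NULL };

/* True when an attribute name of the given length is on the secret list. */
static int is_secret_attr(const char *name, size_t len)
{
    for (const char *const *p = secret_attrs; *p; p++)
        if (strlen(*p) == len && strncmp(*p, name, len) == 0) return 1;
    return 0;
}

/* Copy one debug line into out, replacing the value of a secret attribute
 * with a fixed marker; other lines are copied unchanged. Returns 1 if masked. */
int redact_line(const char *in, char *out, size_t outlen)
{
    const char *name = in;
    while (*name == ' ' || *name == '\t') name++;        /* keep indentation */
    const char *eq = strstr(name, " = ");
    if (eq == NULL || !is_secret_attr(name, (size_t)(eq - name))) {
        snprintf(out, outlen, "%s", in);
        return 0;
    }
    int prefix = (int)(eq + 3 - in);                     /* up to and incl. " = " */
    snprintf(out, outlen, "%.*s\"<<< secret >>>\"", prefix, in);
    return 1;
}

/* Filter a whole multi-line debug buffer; returns how many values were masked. */
int redact_debug(const char *in, char *out, size_t outlen)
{
    char line[512], masked[512];
    size_t used = 0; int count = 0;
    out[0] = '\0';
    while (*in) {
        const char *nl = strchr(in, '\n');
        size_t len = nl ? (size_t)(nl - in) : strlen(in);
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate overlong lines */
        memcpy(line, in, len); line[len] = '\0';
        count += redact_line(line, masked, sizeof masked);
        int n = snprintf(out + used, outlen - used, "%s%s", masked, nl ? "\n" : "");
        if (n < 0 || (size_t)n >= outlen - used) break;  /* output buffer full */
        used += (size_t)n;
        in = nl ? nl + 1 : in + len;
    }
    return count;
}
```

Feeding the tunneled-request block from the post through `redact_debug` leaves every attribute in place but prints `User-Password = "<<< secret >>>"` in place of the clear-text value.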

