Source Code Modification Help - No Clear Text User-Password logging

alan buxey A.L.M.Buxey at lboro.ac.uk
Mon Jul 30 11:01:22 CEST 2012


Hi,

the server does what it does because you have asked it to -
i.e. it will log the password because you have asked it to -
that is why there is a 'suppress' feature in the detail module,
for example, so it is NOT logged.

the server will print out everything it knows in full debug mode - because
it is full debug mode. if the packet is PAP (as your logs show) then the
password is passed in the clear within that tunnel...and so is shown.

why? for debugging..... many, many times the users list is filled with 'it doesn't
work' and the password isn't what they are trying to use in the client
(they are usually editing the wrong file) or it's mangled - incorrect shared secret.

if you want to make a local modification so that your server doesn't
print this out, then simply look for the sections where this code is printed
and print XXXXXXX instead.... but then expect many headaches when trying
to diagnose issues - and as others have said, wrong place to be paranoid...if
someone has that level of access in the server then they can do anything - and
be very aware of the day when someone helpfully updates your source code and blows
away that local change. better to ensure the CONFIG is correct to stop the logging
of passwords etc...and worry about server access security instead.

alan
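As an added illustration of the configuration route Alan recommends (this is an example written for this page, not text from his message and not a copy of the files FreeRADIUS ships), the fragment below shows the detail module's `suppress` block and the password-related switches in the `log { }` section of radiusd.conf. The file locations assume a stock FreeRADIUS 3.x `raddb` layout and the `filename` path is a simplified placeholder; adjust both to your installation.

```conf
# Added example, not the project's shipped config.
# raddb/mods-available/detail  (3.x layout assumed; 2.x keeps the same
# module block under raddb/modules/detail)

detail {
	# Simplified placeholder path; the stock file uses a longer
	# per-client expansion.
	filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
	permissions = 0600
	header = "%t"

	# Without this block every attribute of the packet is written out,
	# so a PAP request lands on disk as:   User-Password = "hunter2"
	# The stock file ships this section commented out; enabling it drops
	# the listed attributes from the detail file before it is written.
	suppress {
		User-Password
	}
}

# raddb/radiusd.conf, log { } section
# Keeps the plaintext password out of the one-line Auth/Login messages.
# Both password switches already default to "no"; they are shown here so
# a local change to "yes" for debugging is not forgotten.
log {
	auth = yes
	auth_badpass = no
	auth_goodpass = no
}
```

None of this touches the full debug output (`radiusd -X`): as the message says, debug mode prints every attribute it knows about, so a PAP password will still appear there. Treat debug runs as sensitive, capture them only while diagnosing a problem, and delete the capture afterwards; a quick check after any config change is to send one PAP test request and grep the resulting detail file for `User-Password`.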


More information about the Freeradius-Devel mailing list