User passwords in 127.0.0.1/auth-detail file
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 9 12:43:22 CET 2006
Walter Reynolds wrote:
>
> I am currently running freeradius 1.0.4 I have the following line set
>
> log_auth_goodpass = no
>
> I am also using krb5 module under PAM.
>
> The problem I am having is while I do not get the User-Password in the
> <NAS>/auth-detail log, it does show up in the 127.0.0.1/auth-detail file.
>
> I have tried to search the archive and feel I must be missing something.
> Can someone please help me figure out what is going on? I want logs and
> details, just not the user passwords.

I think you're missing the point. That's what that is supposed to do.
The default config has this (commented out):

    # detail auth_log {
    #     detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
    #
    #     This MUST be 0600, otherwise anyone can read
    #     the users passwords!
    #     detailperm = 0600
    # }

...and:

    authorize {
    #     auth_log
    }

That stanza will log the radius Access-Request, so of course the
password will always be in it. There's nothing you can do about this
except don't use that stanza.

>
> Thanks.
>
> -- Walter Reynolds
> University of Michigan
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
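
Added example, not part of the original post and not FreeRADIUS code: a small audit helper for auth-detail files that lists which records carry a User-Password, produces a redacted copy for sharing, and flags files whose mode is looser than the 0600 the config comment requires. The sample records are constructed, the function names are hypothetical, and POSIX file permissions are assumed.

```python
import os
import re
import stat

# Constructed sample in detail-file layout: a timestamp line, then
# tab-indented "Attribute = value" pairs, blank line between records.
SAMPLE = (
    "Thu Feb  9 12:40:01 2006\n"
    "\tUser-Name = \"alice\"\n"
    "\tUser-Password = \"constructed-secret\"\n"
    "\tNAS-IP-Address = 127.0.0.1\n"
    "\n"
    "Thu Feb  9 12:41:17 2006\n"
    "\tUser-Name = \"bob\"\n"
    "\tNAS-IP-Address = 127.0.0.1\n"
    "\n"
)

# Group 1 keeps the attribute name and "=" so redaction preserves layout.
PASSWORD_LINE = re.compile(r'^([ \t]*User-Password[ \t]*=[ \t]*).*$', re.M)
USER_NAME = re.compile(r'^[ \t]*User-Name[ \t]*=[ \t]*"?([^"\n]*)"?', re.M)


def records_with_password(text):
    """Return the User-Name of every record that contains a User-Password."""
    hits = []
    for record in re.split(r"\n[ \t]*\n", text.strip()):
        if PASSWORD_LINE.search(record):
            name = USER_NAME.search(record)
            hits.append(name.group(1) if name else "<no User-Name>")
    return hits


def redact(text):
    """Return a copy with password values replaced, everything else intact."""
    return PASSWORD_LINE.sub(r'\1"<redacted>"', text)


def too_permissive(path):
    """True if group or other has any access bit set on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":
    print("records exposing a password:", records_with_password(SAMPLE))
    print(redact(SAMPLE))
```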