Clear text passwords

George C. Kaplan gckaplan at ack.berkeley.edu
Fri Mar 24 17:09:29 CET 2006


Bjørn Mork wrote:
> "George C. Kaplan" <gckaplan at ack.berkeley.edu> writes:

>>To not log passwords in the detail file, because it puts them at
>>unnecessary risk of exposure.
> 
> The detail module logs radius packets.  If that's not what you want,
> then you probably shouldn't be using the detail module (except maybe
> for accounting, where there won't be any password in the packet).

>>Actually, I may be confused here.  Are we talking about passwords
>>entered by users and sent to the RADIUS daemon by a NAS being logged in
>>the radius.log or the detail file?  I ask because I *don't* see this
>>behavior (except in debugging mode) on freeradius 1.0.5.  So maybe we're
>>talking about something else.
>
> The default radiusd.conf does not enable detail logging for anything
> but accounting.

OK, I was confused.  This thread is about the *authentication* detail
logging, which we don't use.  We just use the default accounting detail
logs.

> The question is:  Why do you want to configure the server to log the
> passwords and then modify the source not to honour this configuration
> choice?  It seems a lot easier to just go with the defaults...

Well, if you log the details of the authentication packets, you get a
lot of info useful for troubleshooting end-user or NAS configuration
problems, even if the value of the password attribute (but not the
attribute name) is suppressed.  But since I've never felt the need to
use the authentication detail logging, I certainly don't have a strong
opinion on whether it would be worth the trouble to implement this.

-- 
George C. Kaplan                            gckaplan at ack.berkeley.edu
Communication & Network Services            510-643-0496
University of California at Berkeley
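
The suppression discussed in the last paragraph above (keep the password attribute's name, drop its value) can be sketched as a filter over detail-style records. This is an added example, not part of the original message and not FreeRADIUS code; the record layout, the attribute set and the `<suppressed>` marker are assumptions.

```python
import re

# Attributes treated as credentials. This set is an assumption for the
# example, not a FreeRADIUS default.
SENSITIVE = frozenset({"User-Password", "CHAP-Password"})
MASK = "<suppressed>"  # assumed marker; any fixed string works

# Attribute line in a detail-style record: indent, name, operator, value.
ATTR_LINE = re.compile(r"^(\s+)([A-Za-z0-9_.-]+)(\s*[:+]?=\s*)(.*)$")


def redact_line(line, sensitive=SENSITIVE, mask=MASK):
    """Keep the attribute name, replace the value if it is sensitive."""
    m = ATTR_LINE.match(line)
    if m and m.group(2) in sensitive:
        indent, name, op, _value = m.groups()
        return f"{indent}{name}{op}{mask}"
    return line  # timestamps, blank lines and other attributes pass through


def redact_records(text, sensitive=SENSITIVE, mask=MASK):
    """Redact every record in a block of detail-style text."""
    return "\n".join(redact_line(l, sensitive, mask) for l in text.split("\n"))


def unmasked_attributes(text, sensitive=SENSITIVE, mask=MASK):
    """Return names of sensitive attributes still carrying a real value."""
    found = []
    for line in text.split("\n"):
        m = ATTR_LINE.match(line)
        if m and m.group(2) in sensitive and m.group(4) != mask:
            found.append(m.group(2))
    return found


# Constructed sample record (not taken from a real server).
SAMPLE = (
    "Fri Mar 24 17:09:29 2006\n"
    '\tUser-Name = "alice"\n'
    '\tUser-Password = "correct horse"\n'
    "\tNAS-IP-Address = 192.0.2.10\n"
    "\tNAS-Port = 7\n"
    "\n"
)

if __name__ == "__main__":
    print(redact_records(SAMPLE), end="")
```

`unmasked_attributes` can be run over an existing log as a check that no credential values were written before the filter was in place.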



More information about the Freeradius-Users mailing list