radiusd logs good passwords even when told not to?
tnt at kalik.net
Tue Jan 6 18:18:24 CET 2009
>Free radius installed via a RPM:
># rpm -qa | grep radius
>freeradius-1.0.1-3.RHEL4.5
>
>
># radiusd -v
>radiusd: FreeRADIUS Version 1.0.1, for host , built on Apr 25 2007 at 08:19:46
That was years out of date even when installed. See about upgrading:
http://wiki.freeradius.org/Red_Hat_FAQ
>Our /etc/raddb/radiusd.conf clearly states to not log passwords:
># allowed values: {no, yes}
>#
>log_auth_badpass = no
>log_auth_goodpass = no
>
In radius.log file. And it doesn't:
>Login OK: [username] (from client hostname.com port 0)
># cat auth-detail-20081023
>
>Packet-Type = Access-Request
><removed>
> User-Name = "username"
> User-Password = "password"
> NAS-IP-Address = 127.0.0.1
> Client-IP-Address = 127.0.0.1
>
That's the detail module at work:
>Module: Loaded detail
> detail: detailfile = "/etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
>Module: Instantiated detail (auth_log)
In current versions there is a suppress setting in the detail module where you
can set attributes that you don't want to log in the detail file. I have no
idea if such a setting exists in the version you are using.
Ivan Kalik
Kalik Informatika ISP
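
An added example, not part of the original post and not FreeRADIUS code: a shell audit that reports which auth-detail-* files under a detail directory hold User-Password attributes (counts only, never the values) and which of those files are readable by group or other. It assumes blank-line-separated records as in the excerpt quoted above; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FreeRADIUS detail files for logged User-Password.
# Assumption: one "Attr = value" per line, records separated by blank lines.

# count_password_records FILE -> number of records carrying User-Password
count_password_records() {
    awk '
        /^[ \t]*$/ { if (hit) n++; hit = 0; next }
        /^[ \t]*User-Password[ \t]*=/ { hit = 1 }
        END { if (hit) n++; print n + 0 }
    ' "$1"
}

# audit_detail_dir DIR -> "<count> <path>" per affected file; values never printed
audit_detail_dir() {
    find "$1" -type f -name 'auth-detail-*' | sort | while IFS= read -r f; do
        n=$(count_password_records "$f")
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$n" "$f"; fi
    done
}

# loose_perm_files DIR -> detail files readable by group or other
# (detailperm = 384 in the post is decimal for mode 0600)
loose_perm_files() {
    find "$1" -type f -name 'auth-detail-*' \( -perm -040 -o -perm -004 \) | sort
}

# make_sample DIR: constructed data modelled on the excerpt in the post
make_sample() {
    mkdir -p "$1/127.0.0.1"
    printf '%s\n' 'Packet-Type = Access-Request' \
        ' User-Name = "username"' ' User-Password = "password"' '' \
        'Packet-Type = Access-Request' \
        ' User-Name = "other"' ' User-Password = "hunter2"' '' \
        > "$1/127.0.0.1/auth-detail-20081023"
    printf '%s\n' 'Packet-Type = Access-Request' ' User-Name = "username"' '' \
        > "$1/127.0.0.1/auth-detail-20081024"
    chmod 600 "$1/127.0.0.1/auth-detail-20081023"
    chmod 644 "$1/127.0.0.1/auth-detail-20081024"
}

# Demo run against the constructed sample only
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_detail_dir "$demo_dir"
loose_perm_files "$demo_dir"
rm -rf "$demo_dir"
```

On a real server, point audit_detail_dir and loose_perm_files at the directory named in detailfile instead of the sample directory.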