On-line debugging tool
Alexander Clouter
alex at digriz.org.uk
Thu Jan 7 14:15:17 CET 2010
Alan DeKok <aland at deployingradius.com> wrote:
>
>> Is there a plan to add to FreeRADIUS a debug output mangling option? So
>> things like Cleartext-Password and User-Password are obscured.
>
> Send a patch. ;)
>
Yeah yeah...however as you are not ACK'ing my gtc/ldap patches it's
hardly a motivator to contribute :-/ *sigh*

...alternatively we create a FreeRADIUS debug equivalent to the kernel's
'checkpatch.pl' which would be better still I would argue. Then no need
to worry about privacy of the spiel outputted, plus we *all* can then add
extra clauses/checks ourselves as we find them.

This means the checking tool comes with FreeRADIUS. It can also give
the users something to paste to the mailing list in case of problems
(although it would probably be less useful than the raw '-X' output, and if
they are including anything they might as well give us the full spiel).
>> For example, you get the user to run FreeRADIUS with '-XO', then just
>> before printing to the screen the value of the 'secret' attributes are
>> md5'd and the hashes are shown instead (should be a constant, unless
>> there is actually a mismatch). Of course you could have a '-o
>> attr1,attr2' to protect other attributes at runtime too.
>
> The problem is that it's hard to do. The passwords can be used in
> multiple places, so knowing *when* to mangle them is awkward.
>
> We could do a few simple things like not print client secrets or
> User-Passwords from the received packets. But anything past that
> quickly becomes very, very, difficult.
>
I was not really thinking past the common ones, however thinking about
things more so, I actually prefer the checkpatch.pl-esque approach, then
we can all contribute and fix things :)
Cheers
--
Alexander Clouter
.sigmonster says: I'm so broke I can't even pay attention.
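
A sketch of the attribute-masking idea discussed in this message, as an added example that is not part of the original post and is not FreeRADIUS code: a filter over saved debug text that replaces the values of User-Password and Cleartext-Password (plus any extra attribute names) with a short tag. It swaps the MD5 suggested in the thread for HMAC-SHA256 under a per-run random key, so equal values still give equal tags within one run while the tags cannot be brute-forced offline. The function name, tag format and sample lines are constructed, and only lines of the form `Attr op "value"` are handled, which is the easy case the reply describes.

```python
import hashlib
import hmac
import os
import re

# Attributes masked by default; these are the two named in the thread.
DEFAULT_SECRET_ATTRS = ("User-Password", "Cleartext-Password")


def make_masker(extra_attrs=(), key=None):
    """Return a function that masks secret attribute values in one debug line.

    make_masker is a hypothetical helper, not a FreeRADIUS API.
    """
    key = key if key is not None else os.urandom(16)  # fresh key per run
    names = "|".join(re.escape(a) for a in (*DEFAULT_SECRET_ATTRS, *extra_attrs))
    # Attr-Name, an operator (=, :=, ==, +=), then a double-quoted value.
    pattern = re.compile(
        r'(?<![\w-])(%s)(\s*(?::=|==|\+=|=)\s*)"((?:[^"\\]|\\.)*)"' % names
    )

    def tag(match):
        digest = hmac.new(key, match.group(3).encode(), hashlib.sha256).hexdigest()
        return '%s%s"<masked:%s>"' % (match.group(1), match.group(2), digest[:12])

    return lambda line: pattern.sub(tag, line)


# Constructed sample lines in the style of debug output (not a real capture).
SAMPLE = [
    '\tUser-Name = "bob"',
    '\tUser-Password = "hello"',
    '\tCleartext-Password := "hello"',
    '\tTunnel-Password = "s3cret"',
]

if __name__ == "__main__":
    mask = make_masker(extra_attrs=("Tunnel-Password",))
    for line in SAMPLE:
        # Matching tags on User-Password and Cleartext-Password mean the
        # received and stored values agree; differing tags mean a mismatch.
        print(mask(line))
```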