I don't want to see clear text password in debug mode

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Tue Aug 6 21:36:05 CEST 2013


Hi,

>    My password is encrypted with MD5 but it can be seen in the debug screen.
>    Is there any way to disallow or masquerade the user's password in debug
>    mode ???

it's debug mode. the entire purpose is to ensure that things are
what they appear to be and silly things like, 'it doesn't work!' are
found to be your password handling etc.  the server knows the password
if you are dealing with PAP or MD5 etc etc - that's the nature of such
a server.  why are you running in debug mode? you shouldn't for production
systems - the server sees the same sorts of logs as other daemons - if
you don't run mailservers or web servers in full debugging mode you wouldn't
know that.  if you really don't like it then you can edit the source code
to replace the print function with eg "***obfuscated***" or such
and then hope that you never need to work with some obscure issue.
you might also want to check what logging/detail logging you have on.
a server can be configured to log good passwords to file and the detail.log
module will be slapping the password into auth_log files if not told not to.

this is also why you should be moving away from such passwords - challenge
response style passwords won't give you this issue.

alan
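
An added example, not part of the original message: a small audit of the logging settings mentioned above. It assumes the FreeRADIUS `log { auth_goodpass / auth_badpass }` options and the detail module's `suppress { User-Password }` list; the sample configuration and the function name are constructed for illustration.

```python
import re

# Constructed sample, modelled on radiusd.conf and the auth_log detail instance.
SAMPLE = """
log {
    auth = yes
    auth_badpass = yes
    auth_goodpass = no
}
detail auth_log {
    detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
    #suppress {
    #    User-Password
    #}
}
detail reply_log {
    detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
    suppress {
        User-Password
    }
}
"""

def audit_password_logging(conf_text):
    """Return sorted findings for settings that write passwords to log files."""
    findings, stack, detail = [], [], {}
    for raw in conf_text.splitlines():
        # Drop comments, so a commented-out suppress block counts as absent.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                      # block opens: "log {", "detail auth_log {"
            header = line[:-1].strip()
            stack.append(header)
            if header.startswith("detail"):
                detail.setdefault(header, False)    # not suppressed until proven otherwise
        elif line == "}":                           # block closes
            if stack:
                stack.pop()
        elif stack and stack[-1] == "log":
            m = re.fullmatch(r"(auth_(?:good|bad)pass)\s*=\s*yes", line)
            if m:
                findings.append(f"log: {m.group(1)} = yes")
        elif len(stack) >= 2 and stack[-1] == "suppress" and stack[-2] in detail:
            if line == "User-Password":
                detail[stack[-2]] = True
    findings += [f"{n}: User-Password not suppressed" for n, ok in detail.items() if not ok]
    return sorted(findings)
```
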

