log *** instead of actual User-Password in postauth_query

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Feb 24 18:44:36 CET 2014

On 24 Feb 2014, at 17:17, Michael Weissenbacher <mw at dermichi.com> wrote:

> Dear List!
> I am wondering if there is a way to convert a password to a number of asterisk symbols (*) matching the length of the actual password using unlang.
> For obvious reasons i do not want to log the cleartext password in radpostauth. But i don't want to completely omit the field either. Changing the postauth_query in dialup.conf is pretty straightforward, but i could not figure out how to replace the password with the exact same number of * symbols. The best i could come up with so far is:
> %{%{#User-Password}:-0}
> Which outputs the length of the password as a number. Is there a straightforward way to achieve what i want?

Surely %{%{#User-Password}:-0} is superior to outputting asterixes... Then you don't have to count the asterixes to know what length the password was?

The various SQL dialects support padding string with arbitrary chars, so you can probably edit the post-auth queries to do what you want.


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140224/d49daba3/attachment-0001.pgp>

More information about the Freeradius-Users mailing list