suggestion for -X and sensitive data
mzagrabe at d.umn.edu
Tue Dec 1 16:13:46 CET 2020
Reading through the documentation at:
It states to include the full output of radiusd -X. I do believe that the
full output includes sensitive information, like passwords, that should not
be posted to the mailing list.
What do folks think about replacing sensitive information in the output
with "removed" or "sensitive data removed", etc?
Personally, I think -X could use this new mode by default, and also add an
option to not remove sensitive info.
The new behavior could be:
radiusd -X # no sensitive data leaked
radiusd -X --include-sensitive # sensitive data included
Alternatively, if you don't want to change the workings of -X, then perhaps
add a new option that mimics -X but removes sensitive information. You
could copy ssh (-X vs -Y) and choose -Y.
radiusd -X # no change - same as today
radiusd -Y # just like current -X, but no sensitive data
Then advertise radiusd -Y in the wiki if the wiki is going to recommend
users post the full output of their radiusd in debug.
Just some thoughts.
Have a good day!
More information about the Freeradius-Users