suggestion for -X and sensitive data

Alan DeKok aland at
Tue Dec 1 19:35:10 CET 2020

On Dec 1, 2020, at 10:13 AM, Matt Zagrabelny via Freeradius-Users <freeradius-users at> wrote:
> Reading through the documentation at:
> It states to include the full output of radiusd -X. I do believe that the
> full output includes sensitive information, like passwords, that should not
> be posted to the mailing list.

  Some of the sensitive information is removed, like shared secrets.

  Other than that, it's difficult to know what's sensitive and what isn't.  User-Password is simple perhaps.  But there are many protocols used in FreeRADIUS, each of which has their own issues.  Should the MS-CHAP data be omitted?  If so, what about EAP-MSCHAP?

> What do folks think about replacing sensitive information in the output
> with "removed" or "sensitive data removed", etc?
> Personally, I think -X could use this new mode by default, and also add an
> option to not remove sensitive info.

  I'm fine with removing sensitive data.  The questions are:

a) what is sensitive
b) how do you remove it.

  These issues aren't trivial.  I suggest attempting to make a patch which is both understandable, and works.  The process will be educational.

  Alan DeKok.

More information about the Freeradius-Users mailing list