Suppress radpostauth password logging with unlang variable reference
Alan DeKok
alan.dekok at inkbridge.io
Fri May 15 19:40:01 UTC 2026
On M
>
> PostgreSQL datastore is logging passwords in plain text in the
> 'radpostauth' table for accepted and rejected requests. This is
> occurring even when 'auth_goodpass' and 'auth_badpass' are set to 'no'
> - which looks to be only relevant to logging to radius.log.
Yes.
> I could comment out '-sql' in the 'post-auth' section of the server or
> amend the queries.conf for sql to remove the password. However, for
> flexibility/simplicity I have looked into using unlang to suppress the
> attribute.
>
> I would like to use the variable reference from radiusd.conf for
> auth_goodpass/auth_badpass to control whether the User-Password is
> suppressed ideally for efficiency.
>
> The unlang is as follows in the 'post-auth' section of the default server:
>
> if (${log.auth_goodpass}) {
>     -sql
> }
> else {
>     suppress {
>         User-Password
>     }
>     -sql
> }
That won't work. You can't just invent syntax and have it do what you want.
> This throws the below error:
>
> /etc/freeradius/sites-enabled/default[919]: Parse error in condition
> /etc/freeradius/sites-enabled/default[919]: (${log.auth_goodpass}) {
> /etc/freeradius/sites-enabled/default[919]: ^ Expected a module return code
You have to check for a specific value:

    if ("${log.auth_goodpass}" == "yes") {
        ...

You also can't use a "suppress" block in the middle of an unlang processing section. You have to use "update" to remove User-Password from the request:

    update request {
        User-Password !* ANY
    }

Since the password isn't used for anything after post-auth, it's safe to delete it.

Alan DeKok.
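
Added example, not part of the message above and not the project's shipped configuration: the two fragments from the reply assembled into one post-auth section that also covers rejected requests. It assumes a FreeRADIUS 3.x default virtual server where "-sql" is listed both at the top level of post-auth and inside Post-Auth-Type REJECT, and that auth_badpass should control the reject path the same way auth_goodpass controls accepts.

```unlang
post-auth {
    #
    #  Accepted requests.
    #
    #  ${log.auth_goodpass} is expanded from radiusd.conf when the
    #  configuration is parsed, so compare it against a literal value.
    #  Unless it is "yes", delete the cleartext password from the
    #  request before the sql module builds its radpostauth INSERT.
    #
    if ("${log.auth_goodpass}" != "yes") {
        update request {
            User-Password !* ANY
        }
    }
    -sql

    #  (other existing post-auth entries stay as they are)

    #
    #  Rejected requests are logged from this sub-section, so the
    #  same removal has to happen here, keyed on auth_badpass.
    #
    Post-Auth-Type REJECT {
        if ("${log.auth_badpass}" != "yes") {
            update request {
                User-Password !* ANY
            }
        }
        -sql

        #  (other existing REJECT entries stay as they are)
    }
}
```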