Matt Ashfield wrote: > The issue we have is when running the Radius server in debug mode with full > log-level, we see the cilent's username and password in clear-text as it > attempts to bind to the LDAP server. Certainly we could change the debug > mode level to not see this, but the fact that the ability to see that is > available is troubling. I'm sure many others on this list use FreeRadius and > I'm wondering what sort of policies you have in place to address this > security risk. Anyone with high-level access to the box could certainly > login, make a change to the debug level and capture sensitive login > information.
This is an issue of your security policy. FreeRADIUS has access to LDAP. Anyone who is not trusted enough to touch LDAP, should not be touching FreeRADIUS. This is how most interdependent services work (Windows, Linux, or otherwise). Running the server in debugging mode should only be done during setup (and most likely on your dev box, not the production one). Once FreeRADIUS is working as it should, you shouldn't be running it in debug mode. An app like FreeRADIUS will always have access to the user/pass because it needs that info to talk to LDAP. Even if the debugging output didn't have the user/pass, then anyone with enough rights to start/stop the app can likely upload a hacked version of FreeRADIUS that does output the user/pass. It is just a matter of a print statement or two. The short answer is don't give high-level access to this box to people you don't trust. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html