On 1/8/07, Matt Ashfield <[EMAIL PROTECTED]> wrote:
The issue we have is when running the Radius server in debug mode with full
log-level, we see the client's username and password in clear-text as it
attempts to bind to the LDAP server. Certainly we could change the debug
mode level to not see this, but the fact that the ability to see that is
available is troubling. I'm sure many others on this list use FreeRadius and
I'm wondering what sort of policies you have in place to address this
security risk. Anyone with high-level access to the box could certainly
login, make a change to the debug level and capture sensitive login
information.

Then again, someone with "high-level access" to the machine could
install their own, trojaned copy of radiusd and associated rootkit to
hide it, which really makes this a moot point, yes?

That's one example -- there's numerous other things they could do to
get the passwords.

If you don't trust someone in your organization not to do this, why
are you giving them "high-level" access in the first place?

--
Jeremy L. Gaddis, MCP, GCWN
http://www.linuxwiz.net/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
