Re: log clear passwords

2003-08-30 Thread Tom Emerson
On Thursday 28 August 2003 9:43 pm, Evren Yurtesen wrote:
> No, modifying sources wouldn't do any good, because when you use chap the
> password is not transmitted over the line. Thus there is no way for
> freeradius to know what password the client entered.

yes and no -- while the password itself isn't necessarily transmitted, the 
radius server is ultimately able to determine it was good or it was bad; 
for the case of good, the server ALREADY KNOWS the password [be it from the 
file or a database record] so logging a known value at that point should be 
trivial...

-- 
Yet another Blog: http://osnut.homelinux.net




Re: log clear passwords

2003-08-30 Thread Alan DeKok
Tom Emerson [EMAIL PROTECTED] wrote:
> yes and no -- while the password itself isn't necessarily
> transmitted, the radius server is ultimately able to determine it
> was good or it was bad; for the case of good, the server
> ALREADY KNOWS the password [be it from the file or a database
> record] so logging a known value at that point should be trivial...

  Why would you want to log the password from the database?  You can
always look it up in the database, if you care what it is.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: log clear passwords

2003-08-30 Thread Omar Armas

> Why would you want to log the password from the database?  You can
> always look it up in the database, if you care what it is.

In my case, we migrated 2000 dial up users to a new ISP. We were given a
list of login and passwords, not fully updated with the real info in the
client side. 
I want to log the clear text password to be able to say to the client
"you are typing XXX as password".
It's incredible, but we have many dial up users who say "I'm typing X as
password", but they are entering Y.
It's just to give better support to clients.

Omar




Re: log clear passwords

2003-08-30 Thread Evren Yurtesen
Yet you can see that they type the password wrong. If you are using chap 
then you should accept that you can't learn more than that.

As a matter of fact using CHAP is not any more secure than using PAP if 
you are using it for dialup. It is extremely difficult to spy on a 
dialup line anyhow (thus it wouldn't be worth it for cracking either). If the 
password exchanged between the client and the NAS is not encrypted, who 
cares? :) The information exchanged between the NAS and the FreeRadius 
is already encrypted so there is also very little risk of compromising 
the security.

The downside of using CHAP is if you lose your user database, then you 
are doomed. You must change every user's password doh. If the user
forgets his password then it should be trivial to give a new one though.

So for dialup environment, using PAP is actually acceptable. Also you 
can use PAP with cleartext passwords too if you want.

Evren

Omar Armas wrote:
>> Why would you want to log the password from the database?  You can
>> always look it up in the database, if you care what it is.
>
> In my case, we migrated 2000 dial up users to a new ISP. We were given a
> list of login and passwords, not fully updated with the real info in the
> client side. 
> I want to log the clear text password to be able to say to the client
> "you are typing XXX as password".
> It's incredible, but we have many dial up users who say "I'm typing X as
> password", but they are entering Y.
> It's just to give better support to clients.
>
> Omar



Re: log clear passwords

2003-08-28 Thread Pablo Veliz
On Thu, 28 Aug 2003 12:33:12 -0500
Omar Armas [EMAIL PROTECTED] wrote:

> I have freeradius 0.9.0 under debian 3 with mysql authentication.
> I want the clear text password to appear in radius.log in login
> failures. I have log_auth = yes, log_auth_badpass = yes, and in
> radius.log I get:
>
> Login incorrect (rlm_chap: Clear text password not available): 
> [user/CHAP-Password]
>
> How should I configure radiusd.conf to make clear text passwords
> available in logfile?

from my experience, you don't. It's a NAS feature that you have to change, if you use 
PAP you will see the mistyped password, but if you use CHAP as many, you won't see the 
password... unless you modify the sources?

-- 
Pablo Veliz



Re: log clear passwords

2003-08-28 Thread Evren Yurtesen
You cannot log passwords if you are using chap.
Because no password is transmitted over the line.
Try with pap if it's ok.
Evren

Omar Armas wrote:

> I have freeradius 0.9.0 under debian 3 with mysql authentication.
> I want the clear text password to appear in radius.log in login
> failures. I have log_auth = yes, log_auth_badpass = yes, and in
> radius.log I get:
> Login incorrect (rlm_chap: Clear text password not available): 
> [user/CHAP-Password]
>
> How should I configure radiusd.conf to make clear text passwords
> available in logfile?
> Omar



Re: log clear passwords

2003-08-28 Thread Oliver Graf
On Thu, Aug 28, 2003 at 01:58:29PM -0400, Pablo Veliz wrote:
>> How should I configure radiusd.conf to make clear text passwords
>> available in logfile?
>
> from my experience, you don't. It's a NAS feature that you have to change, if you 
> use PAP you will see the mistyped password, but if you use CHAP as many, you won't 
> see the password... unless you modify the sources?

Nope, CHAP is a one way hash.

Oliver.
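
The difference the posters are describing, as an added example that is not part of any message in this thread and is not FreeRADIUS code: with CHAP the server only receives an MD5 digest (RFC 1994) and can compare it against a digest of the stored password, while the PAP User-Password attribute (RFC 2865, section 5.2) is reversible with the shared secret. The function names, shared secret, challenge and passwords are constructed for illustration, and the CHAP challenge is reused as the PAP Request Authenticator for brevity.

```python
import hashlib
import hmac

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_chap(chap_attr: bytes, challenge: bytes, stored):
    """Server side. chap_attr is the RADIUS CHAP-Password value:
    one identifier octet followed by the 16-octet response (RFC 2865)."""
    if stored is None:                      # e.g. only a hash is on file
        return "reject: clear text password not available"
    expected = chap_response(chap_attr[0], stored, challenge)
    if hmac.compare_digest(expected, chap_attr[1:]):
        return "accept"
    return "reject: digest mismatch"        # nothing here reveals what was typed

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # RFC 2865 section 5.2: XOR each 16-octet block with
    # MD5(secret || previous ciphertext block), starting from the authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, mask))
        out += res
        prev = res if hiding else block
    return out

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor(padded, secret, authenticator, hiding=True)

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
CHALLENGE = bytes(range(16))       # also reused as the PAP Request Authenticator
STORED, TYPED = b"summer2003", b"Summer2003"

def demo():
    # The user mistypes the password; the NAS sends it once as CHAP, once as PAP.
    chap_attr = bytes([7]) + chap_response(7, TYPED, CHALLENGE)
    pap_attr = pap_hide(TYPED, SECRET, CHALLENGE)
    return (verify_chap(chap_attr, CHALLENGE, STORED),
            pap_reveal(pap_attr, SECRET, CHALLENGE))

if __name__ == "__main__":
    print(demo())
```

The CHAP branch can only report a mismatch, whereas the PAP branch hands the server the exact string the user typed, which is why a log of failed PAP passwords needs the same protection as the password database.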




Re: log clear passwords

2003-08-28 Thread Evren Yurtesen
No, modifying sources wouldn't do any good, because when you use chap the 
password is not transmitted over the line. Thus there is no way for 
freeradius to know what password the client entered.

Pablo Veliz wrote:

> On Thu, 28 Aug 2003 12:33:12 -0500
> Omar Armas [EMAIL PROTECTED] wrote:
>
>> I have freeradius 0.9.0 under debian 3 with mysql authentication.
>> I want the clear text password to appear in radius.log in login
>> failures. I have log_auth = yes, log_auth_badpass = yes, and in
>> radius.log I get:
>> Login incorrect (rlm_chap: Clear text password not available): 
>> [user/CHAP-Password]
>>
>> How should I configure radiusd.conf to make clear text passwords
>> available in logfile?
>
> from my experience, you don't. It's a NAS feature that you have to change, if you use
> PAP you will see the mistyped password, but if you use CHAP as many, you won't see the
> password... unless you modify the sources?


