Re: radiusd logs good passwords even when told not to?

2009-01-06 Thread Tim Eberhard
I have no need for a detail log; the data stored in /var/log/radius.log is
more than sufficient for me.

So commenting out detail { } in the radiusd.conf file should stop this?


I know I'm running an ancient version of FreeRADIUS.. sadly it's what RHEL
came with and it's what we have as 'stable'. I'll look at upgrading, but I'm
afraid this is one of those wonderful 100% uptime required services.

Thanks again all,

-Tim Eberhard

On Tue, Jan 6, 2009 at 11:51 AM,  wrote:

> Hi,
>
> > Background info:
>
> yes, ancient version
>
> > Our /etc/raddb/radiusd.conf clearly states to not log passwords:
> > #  allowed values: {no, yes}
> > #
> > log_auth_badpass = no
> > log_auth_goodpass = no
>
> correct - in the main log
>
> > However, it's still logging good password auths..
> >
>
> no, this is the detail file - and you've enabled the
> detail logging module - which has an option for stopping
> the password from being logged...however, I think that
> was only from version 1.1.x  - see the current version
> docs and/or the current config files from the recent
> release (download the tar.gz file, extract and then view
> the config).
>
> do you need or use the detail files in any of your
> processes? If not, then disable the detail module
> (comment out calls to it).
>
> alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
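The practical follow-up to Alan's answer is to check whether passwords have already landed in the detail files and to scrub the ones that did, because disabling the module only stops new records. The script below is an added example, not code from the thread or from the FreeRADIUS project. It assumes the one-attribute-per-line layout rlm_detail writes (a timestamp line, tab-indented "Attribute = value" lines, a blank line between records) and a radacct tree like Tim's /etc/radacct; the attribute list and the sample record it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): audit a
# radacct tree for detail records that carry a password, and scrub the
# values out of files already written. Assumed layout (what rlm_detail
# writes):
#   <timestamp line>
#   <tab>Attribute = value
#   <blank line>
# The lasting fix is in the server config: drop the detail/auth_log module
# from authorize, or, on releases that have it, give the module a
# suppress { User-Password } block.

# Request attributes that carry a password or equivalent (standard
# dictionary names; the list is an assumption, extend it for your NASes).
PASSWORD_ATTRS='User-Password|CHAP-Password|MS-CHAP-Password|MS-CHAP2-Password'

# count_password_lines PATH: print the number of attribute lines under PATH
# (file or directory) whose password value has not been redacted yet.
# Always exits 0, so it is safe to call under set -e and from cron.
count_password_lines() {
    grep -rEh "^[[:space:]]*(${PASSWORD_ATTRS}) = " "$1" 2>/dev/null \
        | grep -v '"<redacted>"$' | wc -l | tr -d ' '
}

# list_password_files DIR: print each file that still holds a live
# password value, one per line (no output if none).
list_password_files() {
    find "$1" -type f | while IFS= read -r f; do
        [ "$(count_password_lines "$f")" -gt 0 ] && echo "$f"
    done
    return 0
}

# scrub_passwords DIR: replace the value of every password attribute with
# "<redacted>", keeping the attribute name so the record still shows that
# one was present. The rewrite goes through cat so the file keeps its mode
# (detailperm) and inode. Run it on rotated files or with radiusd stopped;
# rlm_detail appends to the current day's file in place.
scrub_passwords() {
    find "$1" -type f | while IFS= read -r f; do
        tmp="$f.scrub.$$"
        sed -E "s/^([[:space:]]*(${PASSWORD_ATTRS}) = ).*/\1\"<redacted>\"/" "$f" > "$tmp" \
            && cat "$tmp" > "$f"
        rm -f "$tmp"
    done
    return 0
}

# make_sample_tree DIR: write one constructed auth-detail file (not a real
# capture) in the rlm_detail layout so the functions can be run offline.
make_sample_tree() {
    tab=$(printf '\t')
    mkdir -p "$1/10.10.10.10"
    printf '%s\n' \
        'Tue Jan  6 10:17:00 2009' \
        "$tab"'User-Name = "username"' \
        "$tab"'User-Password = "hunter2"' \
        "$tab"'NAS-IP-Address = 10.10.10.10' \
        "$tab"'Client-IP-Address = 10.10.10.10' \
        '' \
        'Tue Jan  6 10:18:00 2009' \
        "$tab"'User-Name = "other"' \
        "$tab"'CHAP-Password = 0x0123456789abcdef' \
        "$tab"'NAS-IP-Address = 10.10.10.10' \
        '' > "$1/10.10.10.10/auth-detail-20090106"
    chmod 0600 "$1/10.10.10.10/auth-detail-20090106"
}

# Demo: build the sample tree, report, scrub, report again.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "before scrub: $(count_password_lines "$demo_dir") password line(s)"
list_password_files "$demo_dir"
scrub_passwords "$demo_dir"
echo "after scrub: $(count_password_lines "$demo_dir") password line(s)"
rm -rf "$demo_dir"
```

Against a real tree, run `count_password_lines /etc/radacct` first; a non-zero count on a server whose config says `log_auth_goodpass = no` is exactly the situation in this thread, since those two knobs only govern /var/log/radius.log, not what rlm_detail writes. Scrubbing keeps the attribute name on purpose: it leaves a visible trace that a plaintext credential was once stored there, which matters if the files are ever reviewed as evidence.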

radiusd logs good passwords even when told not to?

2009-01-06 Thread Tim Eberhard
addb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = "/etc/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.1.1:1812
Listening on accounting 192.168.1.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10:2702, id=165, length=53
User-Name = "username"
User-Password = "removed"
NAS-IP-Address = 10.10.10.10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/etc/radacct/10.10.10.10/auth-detail-20090106'
rlm_detail: /etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /etc/radacct/10.10.10.10/auth-detail-20090106
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "username", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 153
users: Matched username at 316
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [username] (from client hostname.com port 0)
Sending Access-Accept of id 165 to 10.10.10.10:2702
NS-Admin-Privilege = All-VSYS-Root-Admin
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

You can see it touched and updated the file with the new record..

# ll
total 4
-rw-------  1 root root 342 Jan  6 10:17 auth-detail-20090106


So why is it doing this? How can I stop it? Ideally I would like RADIUS to
NOT store passwords in plaintext..

Any help is appreciated, thanks all!

-Tim Eberhard