Re: radiusd logs good passwords even when told not to?
I have no need for a details log; the data stored in /var/log/radius.log is more than sufficient for me. So commenting out detail { } in the radiusd.conf file should stop this?

I know I'm running an ancient version of FreeRADIUS.. sadly it's what RHEL came with and it's what we have as 'stable'. I'll look at upgrading but I'm afraid this is one of those wonderful 100% uptime required services.

Thanks again all,
-Tim Eberhard

On Tue, Jan 6, 2009 at 11:51 AM, wrote:
> Hi,
>
> > Background info:
>
> yes, ancient version
>
> > Our /etc/raddb/radiusd.conf clearly states to not log passwords:
> > # allowed values: {no, yes}
> > #
> > log_auth_badpass = no
> > log_auth_goodpass = no
>
> correct - in the main log
>
> > However it's logging good password auth's still..
>
> no, this is the detail file - and you've enabled the
> detail logging module - which has an option for stopping
> the password from being logged...however, I think that
> was only from version 1.1.x - see the current version
> docs and/or the current config files from the recent
> release (download the tar.gz file, extract and then view
> the config).
>
> do you need or use the detail files in any of your
> processes? if not, then disable the detail module
> (comment out calls to it)
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
radiusd logs good passwords even when told not to?
addb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = "/etc/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.1.1:1812
Listening on accounting 192.168.1.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10:2702, id=165, length=53
        User-Name = "username"
        User-Password = "removed"
        NAS-IP-Address = 10.10.10.10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/etc/radacct/10.10.10.10/auth-detail-20090106'
rlm_detail: /etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /etc/radacct/10.10.10.10/auth-detail-20090106
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 153
    users: Matched username at 316
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [username] (from client hostname.com port 0)
Sending Access-Accept of id 165 to 10.10.10.10:2702
        NS-Admin-Privilege = All-VSYS-Root-Admin
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

You can see it touched and updated the file with the new record..

# ll
total 4
-rw--- 1 root root 342 Jan 6 10:17 auth-detail-20090106

So why is it doing this? How can I stop it? Ideally I would like radius to NOT store passwords in plain-text..

Any help is appreciated, thanks all!

-Tim Eberhard
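
Added example, not part of the original thread and not FreeRADIUS code: disabling the auth_log call stops new records, but auth-detail files already written under /etc/radacct still hold User-Password in cleartext. This sketch finds and masks those values; the record layout (timestamp header, tab-indented "Attribute = value" lines, blank line between records), the sample data and the name redact_detail are assumptions.

```python
import re
import sys

# One 'Attribute = value' line of a detail record (assumed layout: a timestamp
# header line, tab-indented pairs, and a blank line closing each record).
ATTR = re.compile(r'^(\s*)([A-Za-z0-9-]+)(\s*=\s*)(.*)$')

# Constructed sample, not taken from the thread.
SAMPLE = (
    'Tue Jan  6 10:17:01 2009\n'
    '\tUser-Name = "alice"\n'
    '\tUser-Password = "constructed-secret"\n'
    '\tNAS-IP-Address = 10.10.10.10\n'
    '\n'
    'Tue Jan  6 10:18:44 2009\n'
    '\tUser-Password = "another-one"\n'
    '\tUser-Name = "bob"\n'
    '\n'
)

def redact_detail(text, sensitive=("User-Password",), mask='"<redacted>"'):
    """Return (cleaned_text, findings); findings = [(line_no, user, attr), ...]."""
    lines = text.split("\n")
    users, record_of, rec = {}, [], 0
    # Pass 1: assign each line to a record and remember that record's User-Name,
    # which may appear before or after the password attribute.
    for line in lines:
        if not line.strip():
            rec += 1
        record_of.append(rec)
        m = ATTR.match(line)
        if m and m.group(2) == "User-Name":
            users[rec] = m.group(4).strip().strip('"')
    # Pass 2: mask the value of every sensitive attribute, keeping the layout.
    findings = []
    for i, line in enumerate(lines):
        m = ATTR.match(line)
        if m and m.group(2) in sensitive:
            findings.append((i + 1, users.get(record_of[i]), m.group(2)))
            lines[i] = m.group(1) + m.group(2) + m.group(3) + mask
    return "\n".join(lines), findings

if __name__ == "__main__":
    # Report only: list where cleartext passwords sit in the files given.
    for path in sys.argv[1:] or [None]:
        text = open(path).read() if path else SAMPLE
        for line_no, user, attr in redact_detail(text)[1]:
            print(f"{path or '<sample>'}:{line_no}: {attr} logged for {user!r}")
```

Run as written it only reports; write the first element of the returned tuple back to disk to perform the redaction.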