Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread A . L . M . Buxey
Hi,

>I'm new to Radius. So basically I tried to set up 2 Radius servers, one runs
>on our SLES 10 PROD (Radius and Novell LDAP sit on the same server) - this
>works fine using eap_mschapv2 authentication. Radius version is 1.X. We
>use Radius to authenticate our wireless and get LDAP authentication. So no
>issue with this.

debugging is all about debugging - finding out the problems - hence things are shown.
the password is shown because there could be a mismatch. back in the 1.x days some
things were still opaque... ongoing debates of 'user's password is wrong' : 'oh no it isn't' :
'oh yes it is' : 'oh no it... oh wait, yes, their password was wrong'. pointless.

>Second server - SLES 11 ; i get the installer directly from Novell and its
>use version 2.1.1. So it seems the config way is different but i did try
>match with the Radius 1.X config (just a dffierent module i guess).

ummm, hope you didn't just copy/paste the configs. you need to ensure that the 2.x config
has the right options set... but not configured in the same way. there is a reason why it's
FreeRADIUS 2.x rather than 1.x - you need to adapt your config for the new version.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Danny Kurniawan
thank you for your reply. Yes I didn't just copy and paste, I did follow
the instructions on the Novell support page too and from the community.

So what I want to confirm here, are you saying that means in debug mode it's
"normal" for me "admin" to see the user password? I mean it's normal
behaviour of radius 2.1.1?

Thanks

-- 
Best Regards,
Danny

Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Olivier Beytrison
On 21.02.2013 10:15, Danny Kurniawan wrote:
> In Radius 1.x - SLES 10 when I run radiusd -X ; I don't see the user
> password (which is good). but in Radius 2.1.1 I can see it clearly ...
> how can I eliminate this cleartext password being shown there? I'm new
> to this authentication method or eap_mschap protocol, so please bear
> with me :)
> 
> /[peap] Got tunnled request
> EAP-Message = 0x020a00061a03
> server (null) {
>   PEAP: Setting User-Name to sdholakia2
> Sending tunneled request
> EAP-Message = 0x020a00061a03
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "sdholakia2"
> State = 0xf32f92c4f22588e5c2ccbfc052ff2f65
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[control] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> ++[control] returns notfound
> [eap] EAP packet type response id 10 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for sdholakia2
> [ldap]  expand: (uid=%u) -> (uid=sdholakia2)
> [ldap]  expand: ou=Active,ou=Users,o=FSID -> ou=Active,ou=Users,o=FSID
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter
> (uid=sdhoakia2)
> [ldap] Added the eDirectory password Test in check items as
> Cleartext-Passwrd
> [ldap] looking for check items in directory.../

That's how it has been hard-coded in FR2.X and FR3. It is indeed
arguable. For debugging eDirectory integration, it's quite nice. But you
really have to restrict access to the freeradius server, so no one can
start it with -X or run radmin debug.

We could by default not output the password, and if you really need to
see it, just echo control:Cleartext-Password after ldap.authorize

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Danny Kurniawan
Hi Olivier,

Thanks a lot. So could you please let me know how I can disable the output
(which conf file and what needs to be added). Also by saying echo it, do I
need to put something into a config file or just run an echo command while I'm at
radiusd -X debug mode?

Thanks
Danny

-- 
Best Regards,
Danny

Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread A . L . M . Buxey
Hi,

>So what I want to confirm here, are you saying that means in debug mode
>it's "normal" for me "admin" to see the user password? I mean it's normal
>behaviour of radius 2.1.1?

yes. it's normal behaviour - debug mode is for trouble-shooting/problem-solving,
not a mode you would run on a day to day basis. the server KNOWS the password... it's
stored in variables and arrays so if a 'bad guy' has access to the server they could
get that password anyway... in more trivial ways (such as logging it when a request
came through). some sites do such things for enabling migration from one service
to another... eg grab and put into another store etc...

alan


Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Matthew Newton
On Thu, Feb 21, 2013 at 05:58:14PM +0800, Danny Kurniawan wrote:
> Thanks a lot. So could you please let me know how I can disable the output
> (which conf file and what needs to be added). Also by saying echo it, do I
> need to put something into a config file or just run an echo command while I'm at
> radiusd -X debug mode?

You can't - FreeRADIUS dumps the entire incoming packet out in
clear text when in debug mode. If you don't want to debug things,
don't run it in debug mode.

With PAP the password is sent in (effectively) clear text. If you
don't want to ever see the password then you need to use something
different that can handle auth without plaintext passwords.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
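The advice in this thread is to treat radiusd -X output as sensitive, because it prints the packet attributes (a PAP User-Password) and the Cleartext-Password check item that rlm_ldap pulls from eDirectory. When such a trace has to be saved or shared anyway, redacting the password lines first is a practical mitigation. The following is an added example, not code from FreeRADIUS or from anyone in this thread; the sample trace and the secret values in it are constructed, modelled on the line shapes quoted above.

```python
import re

# Constructed sample of radiusd -X output, modelled on the line shapes quoted in
# this thread (eDirectory check-item message) and on the attribute dump that
# FreeRADIUS prints for the incoming packet. "hunter2" and "Test" are made-up secrets.
SAMPLE_DEBUG = """\
[peap] Got tunneled request
\tUser-Name = "sdholakia2"
\tUser-Password = "hunter2"
\tState = 0xf32f92c4f22588e5c2ccbfc052ff2f65
[ldap] Added the eDirectory password Test in check items as Cleartext-Password
[ldap] looking for check items in directory...
\tCleartext-Password := "Test"
++[ldap] returns ok
"""

# Attribute names whose values are secrets in a FreeRADIUS debug dump.
SECRET_ATTRS = ("User-Password", "Cleartext-Password", "Password-With-Header")

# Matches "<attr> = value", "<attr> := value" and "<attr> += value", keeping the
# leading whitespace, the attribute name and the operator in group 1.
ATTR_RE = re.compile(
    r"^(\s*(?:" + "|".join(map(re.escape, SECRET_ATTRS)) + r")\s*[:+]?=\s*)(.*)$"
)
# Matches the rlm_ldap eDirectory message, which embeds the password in prose.
EDIR_RE = re.compile(
    r"^(\[ldap\] Added the eDirectory password )(.*?)( in check items as .*)$"
)


def redact_line(line: str) -> str:
    """Return the line with any password value replaced by a placeholder."""
    m = ATTR_RE.match(line)
    if m:
        return m.group(1) + '"<redacted>"'
    m = EDIR_RE.match(line)
    if m:
        return m.group(1) + "<redacted>" + m.group(3)
    return line


def redact_debug(text: str) -> str:
    """Redact a whole radiusd -X transcript, line by line."""
    return "\n".join(redact_line(line) for line in text.splitlines())


def leaked_secrets(text: str, secrets) -> list:
    """Sanity check before sharing: which known secret strings still appear?"""
    return [s for s in secrets if s in text]


if __name__ == "__main__":
    print(redact_debug(SAMPLE_DEBUG))
```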


Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread A . L . M . Buxey
Hi,

>Thanks a lot. So could you please let me know how I can disable the
>output (which conf file and what needs to be added). Also by saying echo it,
>do I need to put something into a config file or just run an echo command while
>I'm at radiusd -X debug mode?

you'll need to edit the source code but as already said, you can simply add
config to echo it to screen/file anyway... so if someone has access to the server
they can get the details anyway.

are you planning on running the server in debug mode all the time?

alan