Re: a bit off-topic policy question

Hi,

> The issue we have is when running the Radius server in debug mode with full
> log-level, we see the cilent's username and password in clear-text as it
> attempts to bind to the LDAP server. Certainly we could change the debug
> mode level to not see this, but the fact that the ability to see that is
> available is troubling. I'm sure many others on this list use FreeRadius and
> I'm wondering what sort of policies you have in place to address this
> security risk. Anyone with high-level access to the box could certainly
> login, make a change to the debug level and capture sensitive login
> information.

is there not a FAQ entry for this? its asked about once a month at least.

debug shows ALL. this allows you to see if you have a trivial issue
messing things up. its meant to be that way. if you dont want the usernames
and passwords to be logged then make the required changes to the configs
(by default freeradius will happily log PAP passwords etc into the SQL
logs, the detail logs etc!) and make the required change to the source code
so that full debugging will never print passwords.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html