[RADIATOR] Password logging not working..

Steve Phillips steve at focb.co.nz
Fri Mar 3 06:30:05 UTC 2023


Hey there,

Thanks for that, this explains why the passwordlog directive wasn't 
working, however, I sort of solved this in a similar manner with my 
PreAuthHook wanting to log to a completely separate file that I had 
defined with a <Log> entry and 'Filename' which was identified by an 
identifier statement

<Log FILE>
     Identifier PASSWORDLOG
     Filename %L/%Y%m%d_password.log
</Log>

What I was wondering was how to say 'please write the messages to that 
file rather than the main radiator.log'

as..

     # Use the password log
     my $logger = &Radius::Configurable::find('Log', 'PASSWORDLOG');

Which I would have assumed would tie $logger to the FileName 
%L/%Y%m%d_password.log, but results in nothing being written when trying 
to capture an authentication request with

$logger->log($main::LOG_INFO, "user:$user, pass:$pass");

But if I use the 'main' logfile

&main::log($main::LOG_DEBUG, "PasswordDebug: user=>'$user', pass=>'$pass'");

It seems to write out data, which is undesirable as this then ends up in 
our centralised logging system causing a cleanup mess removing people's 
passwords.

What am I doing wrong here? (heh, I mean besides trying to log people's 
passwords..)

-- 
Steve.


On 2/3/2023 8:48 pm, Heikki Vatiainen via radiator wrote:
> On 1.3.2023 8.40, Steve Phillips via radiator wrote:
>
>> So I guess my questions are twofold;
>>
>> a) Why is the PasswordLogFile line not working?
>
> Likely because of this:
> https://files.radiatorsoftware.com/radiator/ref/Handler.html#PasswordLogFileName 
>
>
> "... Attempts where the user is not found, are not logged. ..."
>
> When there's a problem with fetching user information from LDAP, 
> Radiator won't log password information.
>
>> b) How can I get the PreAuthHook to write the passwords to the 
>> PASSWORDLOG identifier/log entry?
>
> You could do this to always log information from PreAuthHook:
> 1) Add an Identifier, for example 'Identifier abc-handler' within the 
> Handler
> 2) Within the hook, similar to $logger, 'my $handler = 
> Radius::Configurable::find('Handler', 'abc-handler');'
> 3) For the selected usernames, call the password logger directly. For 
> example '$handler->logPassword($user, $pass, 'correct-pw-is-unknown', 
> 0, $p);'
>
> Parameter '0' (or any boolean false value) causes the password logger 
> to log 'FAIL'. Parameter 'correct-pw-is-unknown' is simply a 
> placeholder value because at this point there's no information what 
> the user's expected password might be. Note that when the user is 
> found, you should get two entries for the user; one from the hook and 
> the other from the configured password logging.
>
> It's possible also to arrange and use <Log ...> clauses for this, but 
> logging via PasswordLogFileName method also automatically turns itself 
> off when the configuration parameter is removed or commented out from 
> the configuration. This gives an additional visible hint that password 
> logging is currently enabled.
>
> Thanks,
> Heikki
>
