[RADIATOR] (RADIATOR) Patch to hide user password whenusingtacacs+ and trace 4, 5
Peter Havekes
p.havekes at avans.nl
Tue Jun 9 10:08:48 CDT 2009
When using EAP-TTLS + PAP the cleartext passwords are also being logged
at trace level 5. Is this a feature or a bug?
See example logging (xxxxxxx's are the password):
Code: Access-Request
Identifier: 151
Authentic: <0><167>v<251>rtY<18>4<131><231>r?<208><8>M
Attributes:
NAS-Port-Id = "AP11/1"
Calling-Station-Id = "00-02-78-DF-B5-E5"
Called-Station-Id = "00-0B-0E-29-51-C2:eduroam"
Service-Type = Framed-User
User-Name = "anonymous at avans.nl"
NAS-Port = 46947
EAP-Message =
<2><9><0>S<21><0><23><3><1><0>Hf<151><149><163><15><152><249><31><141><168><161>Uc3?K<133><203><241>\V<195>=:<3>C<139>ik<245>#.<133><1
NAS-Port-Type = 19
NAS-IP-Address = 145.48.82.51
NAS-Identifier = "Trapeze"
Message-Authenticator =
<149><175>Sq@<156><248><128>-<142><143><198><236><170><153><165>
Tue Jun 9 10:51:49 2009: DEBUG: Handling request with Handler
'Called-Station-Id=/.*eduroam.*/,Realm=avans.nl,User-Name=/@/'
Tue Jun 9 10:51:49 2009: DEBUG: Deleting session for anonymous at avans.nl,
145.48.82.51, 46947
Tue Jun 9 10:51:49 2009: DEBUG: Handling with Radius::AuthFILE:
Tue Jun 9 10:51:49 2009: DEBUG: Handling with EAP: code 2, 9, 83, 21
Tue Jun 9 10:51:49 2009: DEBUG: Response type 21
Tue Jun 9 10:51:49 2009: DEBUG: EAP TTLS data, 3, 9, 8
Tue Jun 9 10:51:49 2009: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code: UNDEF
Identifier: UNDEF
Authentic: UNDEF
Attributes:
User-Name = "phavekes at avans.nl"
User-Password = "xxxxxxxxxxxxxxxxx"
Mike McCauley wrote:
> Hello Markus,
>
> On Monday 08 June 2009 08:43:10 pm Markus Moeller wrote:
>
>> Hi Mike,
>>
>> I can't see what has changed. Can you point me to which file has changed
>> please ?
>>
>
> ServerTACACSPLUS.pm, about line 682.
>
> Cheers.
>
>
>> Thank you
>> Markus
>> ----- Original Message -----
>> From: "Mike McCauley" <mikem at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Friday, June 05, 2009 11:26 PM
>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>> whenusingtacacs+ and trace 4, 5
>>
>>
>>> Hello Markus,
>>>
>>> thanks for your note.
>>> Our analysis shows that the fix required was different to the one you
>>> sent.
>>> However, we have made the appropriate fix, and it is now available in the
>>> latest patch set.
>>> We apologise for any inconvenience.
>>>
>>> Please let me know how you get on.
>>> Cheers.
>>>
>>> On Saturday 06 June 2009 05:54:14 am Markus Moeller wrote:
>>>
>>>> Sorry it seems I overlooked another place where the TACACS password is
>>>> logged in clear.
>>>>
>>>> Would it be possible to change in line 573 in ServerTACACSPLUS.pm the
>>>> following:
>>>>
>>>> &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request
>>>> packet
>>>> dump:\n" . $tp->dump)
>>>> if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>>>
>>>> to (or similar):
>>>>
>>>> my $dump = $tp->dump;
>>>> $dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
>>>> $dump =~ s/User-Password = .*$/User-Password = XXX/g;
>>>> &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request
>>>> packet
>>>> dump:\n" . $dump)
>>>> if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>>>> To: "Mike McCauley" <mikem at open.com.au>; <radiator at open.com.au>
>>>> Sent: Sunday, January 25, 2009 12:25 PM
>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>>>> whenusingtacacs+ and trace 4, 5
>>>>
>>>>
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Mike McCauley" <mikem at open.com.au>
>>>>> To: <radiator at open.com.au>
>>>>> Cc: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>> Sent: Saturday, January 24, 2009 11:37 PM
>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>>>>> usingtacacs+ and trace 4, 5
>>>>>
>>>>>
>>>>>> Hello Markus,
>>>>>>
>>>>>> On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
>>>>>>
>>>>>>> Sorry, but what are your thoughts on this now ?
>>>>>>>
>>>>>> We have now made changes to Tacacs+ authentication so that the
>>>>>> plaintext
>>>>>> password is not logged, even at DEBUG level.
>>>>>>
>>>>>> The change is now in the latesst patch set.
>>>>>>
>>>>>> Thanks for your suggestion.
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>>
>>>>>>> Thank you
>>>>>>> Markus
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>>>> To: "Hugh Irvine" <hugh at open.com.au>
>>>>>>> Cc: <radiator at open.com.au>
>>>>>>> Sent: Thursday, January 15, 2009 8:30 PM
>>>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>>>>>>> usingtacacs+ and trace 4, 5
>>>>>>>
>>>>>>>
>>>>>>>> Hugh,
>>>>>>>>
>>>>>>>> I am a bit surprised about your answer. One of the difference
>>>>>>>> between Tacacs+ and Radius is that Tacacs+ encrypts the whole
>>>>>>>> communication between the NAS device and the Tacacs server and
>>>>>>>> sends
>>>>>>>> all AV pairs in clear through the encrypted "tunnel" (The same way
>>>>>>>> as
>>>>>>>> EAP-TLS does), whereas Radius uses clear text communication with
>>>>>>>> an encrypted password
>>>>>>>> in the password AV pair. So when you dump the AV pairs for Tacacs+
>>>>>>>> (and
>>>>>>>> EAP-TLS) it is after decrypting the tunnel, so it is all visible.
>>>>>>>> When you dump the AV pairs with Radius you have still the
>>>>>>>> encrypted password.
>>>>>>>>
>>>>>>>> Here is a trace 4 output, where XXX is the password.
>>>>>>>>
>>>>>>>> Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection
>>>>>>>> Authentication
>>>>>>>> CONTINUE 0, markus,
>>>>>>>> Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection
>>>>>>>> Authentication
>>>>>>>> REPLY 5, 1, Password: ,
>>>>>>>> Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192,
>>>>>>>> 1,
>>>>>>>> 5,
>>>>>>>> 0, 3401247729, 14
>>>>>>>> Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection
>>>>>>>> Authentication
>>>>>>>> CONTINUE 0, XXX,
>>>>>>>> Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request
>>>>>>>> packet
>>>>>>>> dump:
>>>>>>>> Code: Access-Request
>>>>>>>> Identifier: UNDEF
>>>>>>>> Authentic: N<244>d]<242><195><216><219>X<176><253>
>>>>>>>> <19><127><137><183>
>>>>>>>> Attributes:
>>>>>>>> NAS-IP-Address = 10.1.3.1
>>>>>>>> NAS-Port-Id = "tty18"
>>>>>>>> Calling-Station-Id = "10.2.5.2"
>>>>>>>> Service-Type = Login-User
>>>>>>>> AuthType = tacacs
>>>>>>>> User-Name = "markus"
>>>>>>>> User-Password = XXX
>>>>>>>> DeviceType = generic
>>>>>>>> DeviceGroup = global
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Markus
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>> From: "Hugh Irvine" <hugh at open.com.au>
>>>>>>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>>>>> Cc: <radiator at open.com.au>
>>>>>>>> Sent: Thursday, January 15, 2009 1:06 AM
>>>>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>>>>>>>> when using
>>>>>>>> tacacs+ and trace 4, 5
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hello Markus -
>>>>>>>>>
>>>>>>>>> Can we first of all determine whether or not Radiator logs
>>>>>>>>> cleartext
>>>>>>>>> passwords?
>>>>>>>>>
>>>>>>>>> We don't think it does, but if we are wrong please correct us.
>>>>>>>>>
>>>>>>>>> Our reluctance has to do with the fact that a simple protocol
>>>>>>>>> sniffer will show you exactly the same thing as is shown by
>>>>>>>>> Radiator
>>>>>>>>> - ie. obfuscated passwords.
>>>>>>>>>
>>>>>>>>> Our reluctance is also due to the fact that a debug is meant to
>>>>>>>>> provide
>>>>>>>>> all of the information needed to fix problems - and the biggest
>>>>>>>>> problem
>>>>>>>>> tends to be with passwords.
>>>>>>>>>
>>>>>>>>> If you can show us that Radiator is logging cleartext passwords
>>>>>>>>> we will
>>>>>>>>> look at fixing it.
>>>>>>>>>
>>>>>>>>> If Radiator is logging the same packet data as shown by a
>>>>>>>>> sniffer, then
>>>>>>>>> we probably won't change anything.
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>>
>>>>>>>>> Hugh
>>>>>>>>>
>>>>>>>>> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
>>>>>>>>>
>>>>>>>>>> Sorry to be persistent, but I don't understand your
>>>>>>>>>> unwillingness to hide the password during trace. Let me try to
>>>>>>>>>> explain again why
>>>>>>>>>> I need
>>>>>>>>>> it.
>>>>>>>>>>
>>>>>>>>>> We want to use Radiator as main Radius and Tacacs
>>>>>>>>>> authentication server which forwards the requests to our central
>>>>>>>>>> Active Directory
>>>>>>>>>> for
>>>>>>>>>> password verification. The server will be maintained by an
>>>>>>>>>> operations
>>>>>>>>>> team of several people, who from time to time need to add
>>>>>>>>>> devices
>>>>>>>>>> and
>>>>>>>>>> troubleshoot issues. They are not always skilled enough to know
>>>>>>>>>> what
>>>>>>>>>> trace level to use (e.g. 3,4 or higher (usually highest is best
>>>>>>>>>> for them)), so they would see during troubleshooting user
>>>>>>>>>> passwords which
>>>>>>>>>> possibly go into log files. Our internal audit would not accept
>>>>>>>>>> such a
>>>>>>>>>> solution. They are saying "You don't leave your cash openly on
>>>>>>>>>> your desk in the office. You will put it in the drawer even if
>>>>>>>>>> it
>>>>>>>>>> is unlocked to avoid any temptation." It is not against
>>>>>>>>>> malicious
>>>>>>>>>> users
>>>>>>>>>> as we know there are always ways to get around for privileged
>>>>>>>>>> users,
>>>>>>>>>> but they have to actively break rules to get to passwords.
>>>>>>>>>>
>>>>>>>>>> A custom solution is also not acceptable as any patch need to be
>>>>>>>>>> verified against the changes etc....
>>>>>>>>>>
>>>>>>>>>> Could you reconsider your answer ?
>>>>>>>>>>
>>>>>>>>>> Thank you
>>>>>>>>>> Markus
>>>>>>>>>>
>>>>>>>>>> ----- Original Message ----- From: "Hugh Irvine"
>>>>>>>>>> <hugh at open.com.au>
>>>>>>>>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>>>>>>> Cc: <radiator at open.com.au>
>>>>>>>>>> Sent: Wednesday, January 14, 2009 7:02 AM
>>>>>>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>>>>>>>>>> when
>>>>>>>>>> using tacacs+ and trace 4, 5
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Hello Markus -
>>>>>>>>>>>
>>>>>>>>>>> All I can suggest is your own custom code.
>>>>>>>>>>>
>>>>>>>>>>> regards
>>>>>>>>>>>
>>>>>>>>>>> Hugh
>>>>>>>>>>>
>>>>>>>>>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I still would like to see the password hidden during debug.
>>>>>>>>>>>> What
>>>>>>>>>>>> would convince you to include it ?
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you
>>>>>>>>>>>> Markus
>>>>>>>>>>>>
>>>>>>>>>>>> ----- Original Message ----- From: "Markus Moeller"
>>>>>>>>>>>> <huaraz at moeller.plus.com
>>>>>>>>>>>>
>>>>>>>>>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>>>>>>>>>>>> Cc: <radiator at open.com.au>
>>>>>>>>>>>> Sent: Monday, March 10, 2008 1:11 AM
>>>>>>>>>>>> Subject: Re: (RADIATOR) Patch to hide user password when using
>>>>>>>>>>>> tacacs + and trace 4,5
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The User-Password attribute is encoded when Radius is used
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> the logging with trace 4 or 5 does not reveal the password.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You mean the password is ot revealed because it is "mangled/
>>>>>>>>>>>>>> obfucated"?
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> You know the authenticator, you know the secret thus you
>>>>>>>>>>>>>> know the
>>>>>>>>>>>>>> plaintext password when looking at your tracelevel 4 logs.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> I also forward messages with syslog to a central syslog
>>>>>>>>>>>>> server for
>>>>>>>>>>>>> monitoring (although ususally not with trace 4,5 but can
>>>>>>>>>>>>> happen
>>>>>>>>>>>>> when debugging)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you say, but if joe random on that machine sees the logs
>>>>>>>>>>>>>> he
>>>>>>>>>>>>>> doesn't
>>>>>>>>>>>>>> know the secret, then it's a matter of the
>>>>>>>>>>>>>> ownership/permissions of your logfiles as it would be of
>>>>>>>>>>>>>> your radius configuration.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> I may have logfiles readable for operators but not the
>>>>>>>>>>>>> clients file
>>>>>>>>>>>>> with the secrects
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> A tracelevel > 3 is there for aiding in debugging and it's
>>>>>>>>>>>>>> pretty
>>>>>>>>>>>>>> obvious that you can get a lot of information that way to
>>>>>>>>>>>>>> find
>>>>>>>>>>>>>> a problem. That's how the system is designed to work.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> True, but for example the radius code has also a section
>>>>>>>>>>>>> commented
>>>>>>>>>>>>> to not log the cleartext password.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> just my 2cts.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you
>>>>>>>>>>>>> Markus
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb Research &
>>>>>>>>>>>>>> Development
>>>>>>>>>>>>>> CK Software GmbH
>>>>>>>>>>>>>> http://www.cksoft.de/ Schwarzwaldstr. 31
>>>>>>>>>>>>>> Phone: +49 7452 889 135
>>>>>>>>>>>>>> D-71131 Jettingen Fax: +49 7452 889
>>>>>>>>>>>>>> 136 HRB245288, Amtsgericht Stuttgart
>>>>>>>>>>>>>> Geschaeftsfuehrer: Christian Kratzer
>>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> radiator mailing list
>>>>>>>>>>>> radiator at open.com.au
>>>>>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>>>>>>
>>>>>>>>>>> NB:
>>>>>>>>>>>
>>>>>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>>>>>> Have you searched the mailing list archive
>>>>>>>>>>> (www.open.com.au/archives/radiator)?
>>>>>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>>>>>> Have you included a copy of your configuration file (no
>>>>>>>>>>> secrets),
>>>>>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>>>>> Have you checked the RadiusExpert wiki:
>>>>>>>>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>>>>>>>> server
>>>>>>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>>>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>>>>>>>> and DIAMETER translation agent.
>>>>>>>>>>> -
>>>>>>>>>>> Nets: internetwork inventory and management - graphical,
>>>>>>>>>>> extensible,
>>>>>>>>>>> flexible with hardware, software, platform and database
>>>>>>>>>>> independence.
>>>>>>>>>>> -
>>>>>>>>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>>>>>>>>> systems.
>>>>>>>>>>>
>>>>>>>>> NB:
>>>>>>>>>
>>>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>>>> Have you searched the mailing list archive
>>>>>>>>> (www.open.com.au/archives/radiator)?
>>>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>>>> Have you included a copy of your configuration file (no secrets),
>>>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>>> Have you checked the RadiusExpert wiki:
>>>>>>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>>>>>> server
>>>>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>>>>>> and DIAMETER translation agent.
>>>>>>>>> -
>>>>>>>>> Nets: internetwork inventory and management - graphical,
>>>>>>>>> extensible,
>>>>>>>>> flexible with hardware, software, platform and database
>>>>>>>>> independence. -
>>>>>>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>>>>>>> systems.
>>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> radiator mailing list
>>>>>>>> radiator at open.com.au
>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> radiator mailing list
>>>>>>> radiator at open.com.au
>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>
>>>>>> --
>>>>>> Mike McCauley mikem at open.com.au
>>>>>> Open System Consultants Pty. Ltd
>>>>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>>>>> http://www.open.com.au Phone +61 7 5598-7474
>>>>>> Fax +61 7 5598-7070
>>>>>>
>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>>>>> TLS,
>>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
>>>>>> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>>
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>
>>> --
>>> Mike McCauley mikem at open.com.au
>>> Open System Consultants Pty. Ltd
>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>> http://www.open.com.au
>>> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
>>> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>
>
>
>
>
---------------------------------------------------------------------------
Op deze e-mail zijn de volgende voorwaarden van toepassing:
The following conditions apply to this e-mail:
http://emaildisclaimer.avans.nl
---------------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20090609/80e37cac/attachment-0001.html
More information about the radiator
mailing list