[RADIATOR] How to get rid of passwords in configuration files

Heikki Vatiainen hvn at open.com.au
Mon Aug 4 08:10:10 CDT 2014


On 07/30/2014 07:02 PM, Johannes Demel wrote:
> I would like to hide all passwords and similar items from the radiator configuration file.
> 
> To do this, I wrote a startup-hook script, which reads all sensitive items into global variables
> from a file (which can be encrypted) which I want to use in the configuration file.

That's an interesting approach. Also, while you are at it, you may want
to check all SQL clauses and modify the default ConnectionHook and
NoConnectionsHook because by default they log the DBAuth password.

> This works fine in some cases, but did not work in other statements:
> 
> Where it works:
> DBAuth          %{GlobalVar:SQLAuth}
> GetClientQuery          select NASIDENTIFIER, %{Quote:%{GlobalVar:Client_8021x}} ......
> 
> where it does not work
> ROCommunity     %{GlobalVar:SNMP_ro}
> Secret                  %{GlobalVar:Client_localhost}
> RcryptKey %{GlobalVar:Secret_rcrypt}
> 
> In the case, when it does not work, the complete string (eg %{GlobalVar:Client_localhost})
> is used for secret / password.
> Is this intentional or a bug?

This is intentional in the sense that these parameters have never
supported % specials. The configuration parameters do not automatically
support special formatting characters.

After considering the options we are not going to change ROCommunity,
Secret or RcryptKey to support full special character formatting.

There are quite likely a lot of secrets etc., that already have % in
them and the change would break them all.

However, one idea is to support %{GlobalVar:nnn} as the only formatter
for these, and possibly some other, values. Supporting all formatters
makes no sense since many are derived from the current request, time or
some other value that is meaningful for these parameters.

Comments?

Thanks,
Heikki



> How can I get rid of all passwords from the configuration file (without a preprocessor
> of the configuration file).

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
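As an added illustration of the approach discussed in this thread (this is example code, not Johannes' hook and not part of Radiator), the following StartupHook file loads secrets from a root-only file into Radiator global variables so that parameters which do support % specials (DBAuth, SQL query parameters) can reference them as %{GlobalVar:NAME}; per Heikki's reply, Secret, ROCommunity and RcryptKey will not expand them. It assumes Radiator's hook API functions &main::setVariable and &main::log with the $main::LOG_INFO constant, that a hook given as StartupHook file:"..." must evaluate to a code reference, and the secrets file path /etc/radiator/secrets.conf with a NAME=value line format; all of these are this example's assumptions. Before reading, it refuses any secrets file that is readable by group or world, since a readable file would just move the problem.

```perl
#!/usr/bin/perl
# Added example (not Radiator's own code): StartupHook that loads secrets
# into Radiator global variables. Install with, in radius.cfg:
#   StartupHook file:"/etc/radiator/load_secrets.pl"
# Assumed API: &main::setVariable(name, value), &main::log($main::LOG_INFO, msg).
use strict;
use warnings;
use Fcntl ':mode';

my $SECRETS_FILE = '/etc/radiator/secrets.conf';   # assumed path (example's choice)

# Refuse a secrets file that is group/world accessible or not owned by the
# user radiusd runs as: otherwise the secrets are no better protected than
# they were in radius.cfg.
sub check_file_mode {
    my ($path) = @_;
    my @st = stat($path) or die "Cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    die sprintf("%s has mode %04o; expected 0600 or stricter\n", $path, $mode)
        if $mode & 0077;
    die "$path is not owned by the running user (uid $>)\n"
        if $st[4] != $>;
    return 1;
}

# Parse NAME=value lines; '#' comment lines and blank lines are ignored.
# The value is taken verbatim (no unescaping), so a secret containing '%'
# or spaces is preserved exactly as written.
sub parse_secrets {
    my ($text) = @_;
    my %secrets;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($name, $value) = $line =~ /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/
            or die "Malformed line in secrets file: $line\n";
        $secrets{$name} = $value;
    }
    return \%secrets;
}

# Read the file and publish each entry as a Radiator global variable.
# Only the variable names are logged, never the values.
sub load_secrets {
    my ($path) = @_;
    check_file_mode($path);
    open my $fh, '<', $path or die "Cannot open $path: $!\n";
    my $secrets = do { local $/; parse_secrets(scalar <$fh>) };
    close $fh;
    for my $name (sort keys %$secrets) {
        if (main->can('setVariable')) {
            # Inside radiusd: makes %{GlobalVar:NAME} resolve to the value.
            &main::setVariable($name, $secrets->{$name});
        } else {
            warn "not running under radiusd; would set GlobalVar $name\n";
        }
    }
    &main::log($main::LOG_INFO, 'Loaded secrets: ' . join(', ', sort keys %$secrets))
        if main->can('log');
    return scalar keys %$secrets;
}

# The hook file must evaluate to a code reference; Radiator calls it at startup.
sub { load_secrets($SECRETS_FILE) };
```

The file should itself be mode 0600 and owned by the radiusd user, and the DBAuth value it feeds can then be referenced as `DBAuth %{GlobalVar:SQLAuth}` exactly as in the working case above; keep in mind Heikki's note that the default ConnectionHook and NoConnectionsHook still log the DBAuth password, so those hooks need adjusting as well.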

