[RADIATOR] How to get rid of passwords in configuration files

David Zych dmrz at illinois.edu
Mon Aug 4 15:46:39 CDT 2014

On 08/04/2014 08:10 AM, Heikki Vatiainen wrote:
> On 07/30/2014 07:02 PM, Johannes Demel wrote:
>> I would like to hide all passwords and simular items from the radiator configuration file.

My current approach is to put each secret bit of information into a
one-line file like:

Secret correcthorsebatterystaple


DBAuth qwertyuiop

and then have the main config files do e.g.:
  include %D/private/vpn.secret

as needed.  Admittedly it's not as flexible as your proposed approach,
since they do still have to be plain-text files (whereas a GlobalVar can
be populated by any means you like), but it does successfully keep my
main config files secret-free.

> check all SQL clauses and modify the default ConnectionHook and
> NoConnectionsHook because by default they log the DBAuth password.

I've noticed that, and I really wish they didn't.  Any chance of making
this a non-default behavior you have to explicitly turn on?


> There are quite likely a lot of secrets etc., that already have % in
> them and the change would break them all.
> However, one idea is to support %{GlobalVar:nnn} as the only formatter
> for these, and possibly some other, values.

P.S.  FWIW, I like this idea.  :)

More information about the radiator mailing list