[RADIATOR] How to get rid of passwords in configuration files
David Zych
dmrz at illinois.edu
Mon Aug 4 15:46:39 CDT 2014
On 08/04/2014 08:10 AM, Heikki Vatiainen wrote:
> On 07/30/2014 07:02 PM, Johannes Demel wrote:
>> I would like to hide all passwords and similar items from the radiator configuration file.

My current approach is to put each secret bit of information into a
one-line file like:

    Secret correcthorsebatterystaple

or

    DBAuth qwertyuiop

and then have the main config files do e.g.:

    include %D/private/vpn.secret

as needed. Admittedly it's not as flexible as your proposed approach,
since they do still have to be plain-text files (whereas a GlobalVar can
be populated by any means you like), but it does successfully keep my
main config files secret-free.

> check all SQL clauses and modify the default ConnectionHook and
> NoConnectionsHook because by default they log the DBAuth password.
I've noticed that, and I really wish they didn't. Any chance of making
this a non-default behavior you have to explicitly turn on?
Thanks,
David
> There are quite likely a lot of secrets etc., that already have % in
> them and the change would break them all.
>
> However, one idea is to support %{GlobalVar:nnn} as the only formatter
> for these, and possibly some other, values.
P.S. FWIW, I like this idea. :)
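
Added example (not part of the original message and not Radiator code): a small audit for the include-file layout described above. It flags Secret/DBAuth values left inline in a main config file and included secret files that group or other users can access. The function names are hypothetical, %D is assumed to expand to the DbDir passed in as db_dir, and only the two keywords shown in the message are checked.

```python
import os
import stat
import sys

# Assumption: only the two parameters shown in the message are treated as secrets.
SECRET_KEYWORDS = {"Secret", "DBAuth"}


def first_word(line):
    """Return the first whitespace-separated word of a line, or ''."""
    words = line.split()
    return words[0] if words else ""


def check_included(path):
    """Findings for one included file: missing, or secret-bearing and too open."""
    try:
        with open(path, encoding="utf-8") as fh:
            holds_secret = any(first_word(l) in SECRET_KEYWORDS for l in fh)
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"{path}: included file missing"]
    if holds_secret and mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} allows group/other access"]
    return []


def audit_config(main_cfg, db_dir):
    """Audit one main config file; returns a list of finding strings."""
    findings = []
    with open(main_cfg, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            words = raw.split()
            if not words or words[0].startswith("#"):
                continue  # blank line or comment
            if words[0] in SECRET_KEYWORDS:
                # Report the keyword and location only, never the value.
                findings.append(f"{main_cfg}:{lineno}: inline {words[0]}")
            elif words[0] == "include" and len(words) > 1:
                # Assumption: %D stands for the directory given as db_dir.
                findings.extend(check_included(words[1].replace("%D", db_dir)))
    return findings


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <main config file> <DbDir>
    print("\n".join(audit_config(sys.argv[1], sys.argv[2])) or "no findings")
```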