[RADIATOR] How to get rid of passwords in configuration files

Johannes Demel demel at zid.tuwien.ac.at
Mon Aug 4 16:37:56 CDT 2014


On 08/04/2014 Heikki Vatiainen wrote: 
>On 07/30/2014 07:02 PM, Johannes Demel wrote:
>> I would like to hide all passwords and similar items from the radiator configuration file.
>> 
>> To do this, I wrote a startup-hook script, which reads all sensitive items into global variables
>> from a file (which can be encrypted) which I want to use in the configuration file.
>
>> where it does not work
>> ROCommunity     %{GlobalVar:SNMP_ro}
>> Secret                  %{GlobalVar:Client_localhost}
>> RcryptKey %{GlobalVar:Secret_rcrypt}
>
>After considering the options we are not going to change ROCommunity,
>Secret or RcryptKey to support full special character formatting.
>There are quite likely a lot of secrets etc., that already have % in
>them and the change would break them all.

I understand the compatibility problem.

>However, one idea is to support %{GlobalVar:nnn} as the only formatter
>for these, and possibly some other, values. Supporting all formatters
>makes no sense since many are derived from the current request, time or
>some other value that is meaningful for these parameters.

In my opinion it is a very good solution to do the parameter replacement only
when the secret/community/... consists only of %{GlobalVar:xxxxx}.
If someone really wants to do string concatenation of more than one variable
or with fixed strings, this can be done before setting a new GlobalVar.

Regards,
   Johannes

>Thanks,
>Heikki
>-- 
>Heikki Vatiainen <hvn at open.com.au>

----
Johannes Demel demel at zid.tuwien.ac.at Johannes.Demel at tuwien.ac.at
Information Technology Services, Head of Communication Group
Vienna University of Technology, Austria
Wiedner Hauptstrasse 8-10/020, A 1040 Wien, Austria
Tel: +43 (1) 58801-42040 Fax: +43(1) 58801-42099
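
The rule discussed in this message (expand a secret-type parameter only when the whole value is a single %{GlobalVar:name} reference, and leave every other value untouched so existing secrets containing % keep working), modelled as an added Python example. It is not Radiator code or code from either poster; the function names, the fail-closed handling of an undefined variable and all sample values are assumptions constructed for illustration.

```python
import re

# Whole-value reference only: nothing may precede or follow the formatter.
_GLOBALVAR_REF = re.compile(r"%\{GlobalVar:([^{}]+)\}")


class UndefinedGlobalVar(KeyError):
    """A parameter references a global variable that was never set."""


def resolve_secret(raw, global_vars):
    """Return the effective value of a secret-type parameter as written in the config."""
    match = _GLOBALVAR_REF.fullmatch(raw)
    if match is None:
        # Literal secret: returned unchanged, '%' characters included.
        return raw
    name = match.group(1)
    if name not in global_vars:
        # Assumption of this sketch: fail closed rather than fall back to
        # the reference text or an empty string as the shared secret.
        raise UndefinedGlobalVar(name)
    return global_vars[name]


# Constructed sample data, standing in for what a startup hook loaded.
GLOBALS = {
    "SNMP_ro": "constructed-community",
    "Client_localhost": "constructed%secret",
}
# Concatenation happens before the variable is set, not in the parameter.
GLOBALS["Secret_rcrypt"] = GLOBALS["SNMP_ro"] + "-rcrypt"

# Constructed configuration values: (parameter, value as written).
CONFIG = [
    ("ROCommunity", "%{GlobalVar:SNMP_ro}"),
    ("Secret", "%{GlobalVar:Client_localhost}"),
    ("RcryptKey", "%{GlobalVar:Secret_rcrypt}"),
    ("Secret", "100%legacy%{secret"),       # existing literal with '%'
    ("Secret", "pre%{GlobalVar:SNMP_ro}"),  # mixed text: stays literal
]


def resolve_all(config=CONFIG, global_vars=GLOBALS):
    return [(param, resolve_secret(value, global_vars)) for param, value in config]


if __name__ == "__main__":
    for param, value in resolve_all():
        print(f"{param:12} {value!r}")
```

The resolved value is returned as-is and never expanded a second time, so a stored secret that itself contains % is safe.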

