[RADIATOR] How to get rid of passwords in configuration files

Heikki Vatiainen hvn at open.com.au
Tue Aug 5 09:15:54 CDT 2014


On 08/04/2014 11:46 PM, David Zych wrote:

>> check all SQL clauses and modify the default ConnectionHook and
>> NoConnectionsHook because by default they log the DBAuth password.
> 
> I've noticed that, and I really wish they didn't.  Any chance of making
> this a non-default behavior you have to explicitly turn on?

I think we could simply change the hooks to log the DBAuth values as
'**obscured**'; that's the placeholder value used in some other places
too. To turn it back on, the hook can be explicitly configured to log
the password too.

>> However, one idea is to support %{GlobalVar:nnn} as the only formatter
>> for these, and possibly some other, values.
> 
> P.S.  FWIW, I like this idea.  :)

I'll see if a patch can be made for this and let the list know when this
is available. Thanks to Johannes too for his comments.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

