[RADIATOR] Hiding the LDAP Password attribute on Trace level 4 [SEC=UNCLASSIFIED]

Vangelis Kyriakakis vkyriak at forthnet.gr
Mon Oct 13 02:24:20 CDT 2014 

Hello all,

       This separation of DEBUG levels would be great. Usually many
persons can view the DEBUG level logs but we don't want all these
persons to be able to see the user passwords. If the problem is related
to a bad password a couple of trusted personnel can see the password
debugging logs. Moreover, when we send radius logs to a vendor we want
to be sure that no password is leftover.
       So, what Hugh suggests would be a very welcome addition.

              Regards
                    Vangelis

On 13/10/2014 2:38 πμ, Keith Morrell wrote:
> UNCLASSIFIED
> Yes, ideal solution. 
>
> I agree DEBUG should show all...but having the passwords in clear text in the logs is generally undesirable.
>
> Thanks Hugh.
>
> -Keith
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Monday, 13 October 2014 10:35 AM
> To: Keith Morrell
> Cc: Alan Buxey; Vangelis Kyriakakis; Radiator
> Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4 [SEC=UNCLASSIFIED]
>
>
> Hi all -
>
> We discussed this at length many times over the years and our decision was always that "DEBUG" meant show everything that is going on, otherwise debugging is very hard.
>
> I suppose we could consider two levels: "DEBUG" as it is now, and "DEBUGWITHOUTPASSWORDS" with passwords obscured.
>
> Thoughts?
>
> regards
>
> Hugh
>
>
> On 13 Oct 2014, at 08:57, Keith Morrell <KeithMorrell at nbnco.com.au> wrote:
>
>> UNCLASSIFIED
>>
>> We use debug level 4 on all our subprocesses (we use radiator proxies for front ends) to gather detailed data about what's going on - it's just the way we like it.
>>  
>> Personally, I think showing any passwords in clear text in logs is 
>> generally not a good idea...
>>  
>> -Keith
>>  
>>  
>> From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
>> Sent: Monday, 13 October 2014 8:49 AM
>> To: Keith Morrell; Vangelis Kyriakakis; Radiator
>> Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace 
>> level 4 [SEC=UNCLASSIFIED]
>>  
>> Why would you be running in this mode? Surely only debug level that 
>> high for debugging? And how could you be sure that the issue want due 
>> to incorrect password? ;)
>>
>> alan
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc. 
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>

More information about the radiator mailing list