[RADIATOR] Hiding the LDAP Password attribute on Trace level 4 [SEC=UNCLASSIFIED]

Heikki Vatiainen hvn at open.com.au
Mon Oct 13 03:07:22 CDT 2014


On 10/13/2014 10:24 AM, Vangelis Kyriakakis wrote:

>        This separation of DEBUG levels would be great. Usually many
> persons can view the DEBUG level logs but we don't want all these
> persons to be able to see the user passwords.

I'd say the PasswordLogFileName parameter in Handler already solves the
requirements with password debugging related problems. It can log the
password supplied by the user and the password retrieved from the
backend, such as LDAP, SQL, etc.

Besides seeing that the passwords match, it can also help figure out
problems with shared secrets and their calculation (supplied password
looks garbled), and it does not require any specific log level. It's
possible to turn it on without having to deal with a high volume of debug
messages.

> If the problem is related
> to a bad password a couple of trusted personnel can see the password
> debugging logs. Moreover, when we send radius logs to a vendor we want
> to be sure that no password is leftover.

I think there are also cases where security audit requirements do not
allow passwords in debug log files.

When considering PasswordLogFileName, it separates the debug logs from
the specific password log. With a special log level the passwords would
still go to the debug log, making it possible that incorrect logs, the
ones with passwords, are sent to long-term storage, logged over syslog
or sent to a vendor. Also, it makes it easier to run with an incorrect log
level (with passwords shown) when password logging depends on the
specific log level.

If I remember correctly, the password log currently does not log, for
example, passwords in proxied messages, but if there are cases that it
does not cover, we'd like to hear about them.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
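As an added illustration of the separation Heikki describes (this is not configuration from the original post or from the Radiator documentation), a Radiator configuration sketch that keeps the ordinary log at Trace 3 and writes the per-request password comparison to a separate file via the Handler's PasswordLogFileName. The realm, hostnames, paths and the AuthBy LDAP2 parameter names are assumptions and should be checked against the Radiator reference manual for the version in use.

```text
# Ordinary log: kept at Trace 3 so LDAP attributes (including the
# password attribute the thread is about) are not dumped here. This is
# the log that can be sent over syslog, archived or handed to a vendor.
LogDir   /var/log/radiator
Trace    3

<Handler Realm=example.com>
    # Supplied and backend-retrieved passwords go only to this file,
    # so it is the single file that needs restricted access (assumed
    # path; keep it readable by the radiator user alone and out of any
    # log shipping).
    PasswordLogFileName %L/password.log

    <AuthBy LDAP2>
        Host            ldap.example.com
        BaseDN          ou=people,dc=example,dc=com
        UsernameAttr    uid
        PasswordAttr    userPassword
    </AuthBy>
</Handler>
```

Enable the password log only for the duration of a bad-password investigation and remove the file afterwards; raising Trace to 4 would put the same values back into the ordinary log.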

