[RADIATOR] Hiding the LDAP Password attribute on Trace level 4 [SEC=UNCLASSIFIED]

Klara Mall klara.mall at kit.edu
Mon Oct 13 06:07:11 CDT 2014


Hi,

I totally agree with Vangelis. It's exactly the same for us here
(usually with TTLS/PAP authentication). DEBUGWITHOUTPASSWORDS would
be great.

Regards
Klara

On Mon, Oct 13, 2014 at 10:24:20AM +0300, Vangelis Kyriakakis wrote:
> Hello all,
> 
>        This separation of DEBUG levels would be great. Usually many
> persons can view the DEBUG level logs but we don't want all these
> persons to be able to see the user passwords. If the problem is related
> to a bad password a couple of trusted personnel can see the password
> debugging logs. Moreover, when we send radius logs to a vendor we want
> to be sure that no password is leftover.
>        So, what Hugh suggests would be a very welcome addition.
> 
>               Regards
>                     Vangelis
> 
> On 13/10/2014 2:38 AM, Keith Morrell wrote:
> > UNCLASSIFIED
> > Yes, ideal solution. 
> >
> > I agree DEBUG should show all...but having the passwords in clear text in the logs is generally undesirable.
> >
> > Thanks Hugh.
> >
> > -Keith
> >
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Monday, 13 October 2014 10:35 AM
> > To: Keith Morrell
> > Cc: Alan Buxey; Vangelis Kyriakakis; Radiator
> > Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4 [SEC=UNCLASSIFIED]
> >
> >
> > Hi all -
> >
> > We discussed this at length many times over the years and our decision was always that "DEBUG" meant show everything that is going on, otherwise debugging is very hard.
> >
> > I suppose we could consider two levels: "DEBUG" as it is now, and "DEBUGWITHOUTPASSWORDS" with passwords obscured.
> >
> > Thoughts?
> >
> > regards
> >
> > Hugh
> >
> >
> > On 13 Oct 2014, at 08:57, Keith Morrell <KeithMorrell at nbnco.com.au> wrote:
> >
> >> UNCLASSIFIED
> >>
> >> We use debug level 4 on all our subprocesses (we use radiator proxies for front ends) to gather detailed data about what's going on - it's just the way we like it.
> >>  
> >> Personally, I think showing any passwords in clear text in logs is 
> >> generally not a good idea...
> >>  
> >> -Keith
> >>  
> >>  
> >> From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
> >> Sent: Monday, 13 October 2014 8:49 AM
> >> To: Keith Morrell; Vangelis Kyriakakis; Radiator
> >> Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace 
> >> level 4 [SEC=UNCLASSIFIED]
> >>  
> >> Why would you be running in this mode? Surely only debug level that 
> >> high for debugging? And how could you be sure that the issue wasn't due 
> >> to incorrect password? ;)
> >>
> >> alan
> >> _______________________________________________
> >> radiator mailing list
> >> radiator at open.com.au
> >> http://www.open.com.au/mailman/listinfo/radiator
> >
> > --
> >
> > Hugh Irvine
> > hugh at open.com.au
> >
> > Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc. 
> > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> >
> >
> 
> 