[RADIATOR] Password logging not working..
Steve Phillips
steve at focb.co.nz
Wed Mar 1 06:40:02 UTC 2023
Hi there again,
I have a handler that I am trying to log passwords from, primarily to
debug why our LDAP servers keep getting locked out with
DEBUG: Radius::AuthGROUP: ldap-01 result: IGNORE, User database access error
errors, which I suspect is due to a bad password (we bind as the user)
resulting in any bad entry killing auth for the LDAP timeout seconds :-)
I had a handler defined as follows
<Handler User-Name=/^[abc]\d*/>
    # Set username to lowercase and strip the realm
    RewriteUsername tr/A-Z/a-z/
    RewriteUsername s/^([^@]+).*/$1/
    AuthByPolicy ContinueWhileAccept
    PasswordLogFileName %L/%Y%m%d_robotpass.log
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileIgnore
        AuthBy ldap-01
        AuthBy ldap-02
        <AuthBy INTERNAL>
            AuthResult REJECT
            AcctStartResult ACCEPT
            AcctStopResult ACCEPT
            DefaultResult REJECT
        </AuthBy>
    </AuthBy>
    <AcctLog FILE>
        Filename %L/%Y%m%d_accounting.log
        OutputFormat json
    </AcctLog>
</Handler>
But this didn't work, so I decided to try to do this myself.
I defined a FILE log entry as follows
<Log FILE>
    Identifier PASSWORDLOG
    Filename %L/%Y%m%d_password.log
</Log>
And then attempted to write a PreAuth hook that would decode the
password and write the username/password to a file, with a bonus filter
so I can narrow down on accounts I want to monitor using a regexp.
I added the following line to the handler
PreAuthHook file:"%D/hooks/PreAuthHook-PasswordDebug.pl"
And the PreAuthHook-PasswordDebug.pl
# PreAuthHook-PasswordDebug.pl
#
# PreAuthHook to write out a specific user's password, selected by a
# regexp match on the username, to the <Log FILE> clause whose
# Identifier is PASSWORDLOG
#
sub
{
    my $p = ${$_[0]};                   # the incoming request packet
    my $user = $p->getUserName;
    my $pass = $p->decodedPassword();   # undef unless the request carries a PAP User-Password

    # Use the password log: look up the <Log FILE> with Identifier PASSWORDLOG
    my $logger = &Radius::Configurable::find('Log', 'PASSWORDLOG');
    if ($logger) {
        # Only log passwords for usernames that match
        if ($user =~ /^a12345.*/)
        {
            # Avoid an "uninitialized value" warning for CHAP/MS-CHAP requests
            $pass = '<no PAP password in request>' unless defined $pass;
            $logger->log($main::LOG_INFO, "user:$user, pass:$pass");
            &main::log($main::LOG_DEBUG, "PasswordDebug: Writing to file PASSWORDLOG");
            #&main::log($main::LOG_DEBUG, "PasswordDebug: user=>'$user', pass=>'$pass'");
        }
    } else {
        &main::log($main::LOG_DEBUG, "PasswordDebug: PASSWORDLOG not found");
    }
    return;
}
When uncommented, the &main::log($main::LOG_DEBUG, "PasswordDebug:
user=>'$user', pass=>'$pass'"); line writes the password info to the main
Radiator log, but I'm trying to put this into a specific logfile I can
exclude from ingesting into our site-wide logging system (hence making
passwords that are under debug available to everyone - eek).
So I guess my questions are twofold:
a) Why is the PasswordLogFile line not working?
b) How can I get the PreAuthHook to write the passwords to the
PASSWORDLOG identifier/log entry?
Thanks in advance!
--
Steve.