Warning: plain-text password on radius


#1

Hi,
We have privacyIDEA 2.19 with FreeRADIUS.

We have the following important problem.

All passwords in the radius log (referring to the AD login password) are in clear text.

This is very dangerous.

Tue May 1 04:20:03 2018 : rlm_perl: urlparam client = x.x.x.x
Tue May 1 04:20:03 2018 : rlm_perl: urlparam pass = E1dxxxxxxxx
Tue May 1 04:20:03 2018 : rlm_perl: urlparam user = name.surname

Is it possible to hide this password?

We have tried different ways, but without success.

Thanks for all support!


#2

This is our radius conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${localstatedir}/lib/radiusd
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true

max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no
log {
    destination = files
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
    msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad

security {
    user = radiusd
    group = radiusd
    allow_core_dumps = no
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
    auto_limit_acct = no
}
modules {
    $INCLUDE mods-enabled/
}
instantiate {
}
policy {
    $INCLUDE policy.d/
}
$INCLUDE sites-enabled/


#3

Dear Alessandro,

Why not contribute something to the community you are using so excessively and try to provide a "patch" if you think that there is a problem.
I personally see no problem here, since the password only appears under certain conditions.
And this is intentional...

Kind regards
Cornelius


#4

To expand on Cornelius’ point: The URL parameters (and thus, the password) are only logged if the debug mode of the privacyIDEA plugin is explicitly enabled in the INI file. As they are only logged using FreeRADIUS Debug log level, they are only written to the logs if the FreeRADIUS server is configured to log debug messages. Both settings are definitely unfit for production scenarios.
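The explanation in #4 names two knobs: the plugin's debug flag in rlm_perl.ini and the FreeRADIUS log level, and the password only reaches the log when both are turned up. Someone who inherits a server that has been running like that usually wants two things the thread does not show: a way to find out whether passwords have already landed in radius.log (and to scrub them before the file is shared with support or a ticket), and a check of the radiusd.conf log { } section, because FreeRADIUS itself also writes passwords to the auth log when auth = yes and auth_badpass or auth_goodpass are set to yes (the config in #2 has all three set to no, which is the right setting). The Python script below is an added example; it is not part of the original thread and not code from the privacyIDEA plugin or FreeRADIUS. The log lines and config fragments in it are constructed: the rlm_perl lines follow the format quoted in #1 with an invented password, and the User-Password line follows the attribute dump that radiusd -X prints for an Access-Request.

```python
import re

# Constructed sample log (not copied from the thread): the rlm_perl debug lines
# in the format quoted in #1 with an invented password, plus the attribute dump
# that radiusd -X prints for an Access-Request, which carries the password too.
SAMPLE_LOG = """\
Tue May 1 04:20:03 2018 : rlm_perl: urlparam client = 192.0.2.10
Tue May 1 04:20:03 2018 : rlm_perl: urlparam pass = E1dSuperSecret42
Tue May 1 04:20:03 2018 : rlm_perl: urlparam user = name.surname
Tue May 1 04:20:03 2018 : Auth: (12) Login OK: [name.surname] (from client nas1 port 0)
(13)   User-Password = "AnotherSecret!"
(13)   User-Name = "name.surname"
"""

# Constructed radiusd.conf log { } fragments: one that would make FreeRADIUS
# itself log the password of every failed login, and one that would not.
SAMPLE_CONF_WEAK = """\
log {
    destination = files
    file = /var/log/radius/radius.log
    auth = yes
    auth_badpass = yes
    auth_goodpass = no
}
"""
SAMPLE_CONF_OK = SAMPLE_CONF_WEAK.replace("auth_badpass = yes", "auth_badpass = no")

# Each pattern captures (prefix, secret, suffix) so the secret can be swapped
# for a mask while the rest of the line is preserved byte for byte.
_PASSWORD_PATTERNS = [
    ("rlm_perl urlparam", re.compile(r"(rlm_perl: urlparam pass = )(\S+)()")),
    ("User-Password attribute", re.compile(r'(User-Password = ")([^"]*)(")')),
]

# log { } keys that make radiusd write the password into the auth log
# when auth = yes.
_PASSWORD_LOG_KEYS = ("auth_badpass", "auth_goodpass")


def find_plaintext_passwords(log_text):
    """Return (line_number, source) for every line that carries a password value."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for label, pattern in _PASSWORD_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def redact_log(log_text, mask="<redacted>"):
    """Replace every password value with mask; everything else stays unchanged."""
    redacted = log_text
    for _label, pattern in _PASSWORD_PATTERNS:
        redacted = pattern.sub(lambda m: m.group(1) + mask + m.group(3), redacted)
    return redacted


def audit_log_section(conf_text):
    """Return the log { } keys set to yes that would make radiusd log passwords."""
    block = re.search(r"\blog\s*\{(.*?)\n\}", conf_text, re.S)
    if not block:
        return []
    flagged = []
    for key in _PASSWORD_LOG_KEYS:
        setting = re.search(r"^\s*%s\s*=\s*(\S+)" % key, block.group(1), re.M)
        if setting and setting.group(1).lower() == "yes":
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for lineno, label in find_plaintext_passwords(SAMPLE_LOG):
        print("line %d: plaintext password via %s" % (lineno, label))
    print(redact_log(SAMPLE_LOG))
    print("weak conf flags:", audit_log_section(SAMPLE_CONF_WEAK))
    print("ok conf flags:", audit_log_section(SAMPLE_CONF_OK))
```

Redaction is only for sharing the file safely. A password that has already been written to disk has been exposed to everyone who could read that log (and any backup or log shipper that copied it), so the finder's output is also the list of accounts whose passwords should be changed, in addition to setting the plugin's debug flag back to false and taking FreeRADIUS out of debug logging.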


#5

Hi Fredreichbier,
your help has been greatly appreciated!

I've set debug mode to false in rlm_perl.ini and the password is now hidden.

Thanks a lot!


#6

Sorry, I did not mean to take a polemical tone, and in any case I could not produce a patch.
I just wanted to know if it was possible to hide the password from the privacyIDEA logs.

Thanks anyway.

Kind Regards
AG