Debugging output is always a security exposure. Secure debugging
wouldn't be all that helpful to the debugging process especially as
seeing the plain text password may be the difference between solving a
problem or not.
Perhaps 'redacted' debugging output is what you're after (for posting to
the mailing list). Perhaps you could add a radiusd flag for that and
change the debugging output accordingly.
Garber, Neal wrote:
I understand that it is sometimes useful to display the plain-text
password in the debug output; however, I consider this a security
exposure. I'd like to see a configuration option (e.g.,
debug_show_passwords or something similar) with a default of no, that
when set to false/no would write '********' instead of a plain-text
password in debug output. Currently, modules rlm_ldap, rlm_pap, and
perhaps others write the plain-text password in debug output.
Your thoughts?
Neal
------------------------------------------------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html