On 21.02.2013 10:15, Danny Kurniawan wrote:
> In Radius 1.x - SLES 10 when I run radiusd -X, I don't see the user
> password (which is good). But in Radius 2.1.1 I can see it clearly ...
> How can I eliminate this cleartext password being shown there? I'm new
> to this authentication method or eap_mschap protocol, so please bear
> with me :)
>
> [peap] Got tunnled request
>         EAP-Message = 0x020a00061a03
> server (null) {
>   PEAP: Setting User-Name to sdholakia2
> Sending tunneled request
>         EAP-Message = 0x020a00061a03
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "sdholakia2"
>         State = 0xf32f92c4f22588e5c2ccbfc052ff2f65
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[control] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> ++[control] returns notfound
> [eap] EAP packet type response id 10 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for sdholakia2
> [ldap]  expand: (uid=%u) -> (uid=sdholakia2)
> [ldap]  expand: ou=Active,ou=Users,o=FSID -> ou=Active,ou=Users,o=FSID
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter (uid=sdhoakia2)
> [ldap] Added the eDirectory password Test in check items as Cleartext-Password
> [ldap] looking for check items in directory...
That's how it has been hard-coded in FR2.X and FR3. It is indeed arguable. For debugging eDirectory integration, it's quite nice. But you really have to restrict access to the FreeRADIUS server, so no one can start it with -X or run radmin debug.

We could by default not output the password, and if you really need to see it, just echo control:Cleartext-Password after ldap.authorize

Olivier

-- 
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: oliv...@heliosnet.org

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
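The thread illustrates the practical failure mode: `radiusd -X` output gets captured to a file or pasted into a mailing list, and the eDirectory password comes along with it (the quoted debug output above contains the user's password in the `[ldap] Added the eDirectory password ... in check items as Cleartext-Password` line and would also print it as a `Cleartext-Password = "..."` check item). The following is an added example, not code from the thread or from the FreeRADIUS project: a small Python filter that redacts password values from debug output before it is stored or shared, and reports which lines leaked. The `Cleartext-Password` and `User-Password` attribute names and the rlm_ldap eDirectory message format are taken from the debug output above; the hash attributes `NT-Password`, `LM-Password` and `Password-With-Header`, the `control:` prefix handling and the sample lines are assumptions made for the example.

```python
import re
from typing import Iterable, List

# Attribute names whose values must never reach a saved log or a mailing list.
# Cleartext-Password and User-Password appear in the debug output quoted in
# the thread; the hash attributes are an assumption for this example (a
# practitioner would want them redacted too), not something the post shows.
SECRET_ATTRS = (
    "Cleartext-Password",
    "User-Password",
    "NT-Password",
    "LM-Password",
    "Password-With-Header",
)

REDACTED = "<redacted>"

# Pattern 1: an attribute/value pair as radiusd -X prints it, optionally with
# a list prefix, e.g.
#   Cleartext-Password = "Test"
#   control:Cleartext-Password := 'Test'
_ATTR_RE = re.compile(
    r"\b(?P<attr>(?:\w+:)?(?:" + "|".join(re.escape(a) for a in SECRET_ATTRS) + r"))"
    r"\s*(?P<op>:?=)\s*(?P<val>\"[^\"]*\"|'[^']*'|\S+)"
)

# Pattern 2: the rlm_ldap eDirectory message, which quotes the password inline:
#   [ldap] Added the eDirectory password Test in check items as Cleartext-Password
_EDIR_RE = re.compile(
    r"(?P<pre>Added the eDirectory password )(?P<val>.+?)(?P<post> in check items as)"
)


def redact_line(line: str) -> str:
    """Return the line with any password value replaced by REDACTED."""
    line = _EDIR_RE.sub(lambda m: m.group("pre") + REDACTED + m.group("post"), line)
    line = _ATTR_RE.sub(lambda m: f'{m.group("attr")} {m.group("op")} "{REDACTED}"', line)
    return line


def redact(lines: Iterable[str]) -> List[str]:
    """Redact every line of a captured debug session."""
    return [redact_line(line) for line in lines]


def find_leaks(lines: Iterable[str]) -> List[int]:
    """1-based numbers of the lines that carried a password (pre-paste check)."""
    return [i for i, line in enumerate(lines, 1) if redact_line(line) != line]


# Constructed sample mirroring the shape of the radiusd -X output in the post.
SAMPLE_DEBUG = [
    "[peap] Got tunnled request",
    '        User-Name = "sdholakia2"',
    "        State = 0xf32f92c4f22588e5c2ccbfc052ff2f65",
    "[ldap] Added the eDirectory password Test in check items as Cleartext-Password",
    '        Cleartext-Password = "Test"',
    "        control:Cleartext-Password := 'Test'",
    '        User-Password = "hunter2"',
]


if __name__ == "__main__":
    import sys

    # Usage: radiusd -X 2>&1 | python3 redact_radius_debug.py > debug.txt
    # With no stdin redirected, demonstrate on the constructed sample instead.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_DEBUG
    print("leaking lines:", find_leaks(source), file=sys.stderr)
    for out in redact(source):
        print(out)
```

The filter is a safety net for debug captures only; it does not change what radiusd prints, so Olivier's point stands that access to the server (and to `radiusd -X` and `radmin`) has to be restricted in the first place. Run `find_leaks` over a capture before attaching it to a ticket or a list post: an empty result is the expected answer.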