Hi there again,

I have a handler that I am trying to log passwords from, primarily to debug why our LDAP servers keep getting locked out with

    DEBUG: Radius::AuthGROUP: ldap-01 result: IGNORE, User database access error

errors, which I suspect is due to a bad password (we bind as the user) resulting in any bad entry killing auth for the LDAP timeout seconds :-)
I had a handler defined as follows:

    <Handler User-Name=/^[abc]\d*/>
        # Set username to lowercase and strip the realm
        RewriteUsername tr/A-Z/a-z/
        RewriteUsername s/^([^@]+).*/$1/
        AuthByPolicy ContinueWhileAccept
        PasswordLogFileName %L/%Y%m%d_robotpass.log
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileIgnore
            AuthBy ldap-01
            AuthBy ldap-02
            <AuthBy INTERNAL>
                AuthResult REJECT
                AcctStartResult ACCEPT
                AcctStopResult ACCEPT
                DefaultResult REJECT
            </AuthBy>
        </AuthBy>
        <AcctLog FILE>
            Filename %L/%Y%m%d_accounting.log
            OutputFormat json
        </AcctLog>
    </Handler>

But this didn't work, so I decided to try to do this myself. I defined a FILE log entry as follows:

    <Log FILE>
        Identifier PASSWORDLOG
        Filename %L/%Y%m%d_password.log
    </Log>

And then attempted to write a PreAuthHook that would decode the password and write the username/password to a file, with a bonus filter so I can narrow down on accounts I want to monitor using a regexp.
I added the following line to the handler:

    PreAuthHook file:"%D/hooks/PreAuthHook-PasswordDebug.pl"

And the PreAuthHook-PasswordDebug.pl:
    # PreAuthHook-PasswordDebug.pl
    #
    # PreAuthHook to write out a specific user password based on a
    # regexp match
    #
    sub
    {
        my $p = ${$_[0]};            # the incoming request packet
        my $user = $p->getUserName;
        my $pass = $p->decodedPassword();

        # Use the password log
        my $logger = &Radius::Configurable::find('Log', 'PASSWORDLOG');
        if ($logger) {
            # Only print passwords for usernames that match
            if ($user =~ /^a12345.*/)
            {
                $logger->log($main::LOG_INFO, "user:$user, pass:$pass");
                &main::log($main::LOG_DEBUG, "PasswordDebug: Writing to file PASSWORDLOG");
                #&main::log($main::LOG_DEBUG, "PasswordDebug: user=>'$user', pass=>'$pass'");
            }
        } else {
            &main::log($main::LOG_DEBUG, "PasswordDebug: PASSWORDLOG not found");
        }
        return;
    }

When uncommented, the &main::log(main::LOG_DEBUG, "PasswordDebug: user=>'$user', pass=>'$pass'"); writes the password info to the main radiator log, but I'm trying to put this into a specific logfile I can exclude from ingesting into our site wide logging system (hence making passwords that are under debug available to everyone - eek).
So I guess my questions are twofold:

a) Why is the PasswordLogFile line not working?
b) How can I get the PreAuthHook to write the passwords to the PASSWORDLOG identifier/log entry?
Thanks in advance! -- Steve.
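As an added example (not Steve's hook and not Radiator code), the same filter-and-log logic modelled in standalone Python with one change: the decoded password is replaced by a keyed HMAC fingerprint, so the debug log still shows whether the repeated LDAP bind failures for a user come from one stale credential, but the file no longer holds plaintext if it is ever ingested by the site-wide logging. The `^a12345` filter and the `user:..., pass:...` line format come from the post; the key, the `passfp` field and the sample attempts are constructed.

```python
import hmac
import hashlib
import re
from collections import defaultdict
from typing import Optional

# Constructed per-deployment secret (assumption): keep it outside the log
# directory and discard it once the lockout debugging is finished.
FINGERPRINT_KEY = b"constructed-example-key-change-me"

# Same account filter as the hook in the post: only watch matching users.
WATCH_USER = re.compile(r"^a12345")


def fingerprint(password: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed, truncated HMAC-SHA256: equal passwords give equal tags, but
    the tag alone does not reveal the password if the log leaks."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def debug_record(user: str, password: str) -> Optional[str]:
    """The line the hook would write, or None when the user is not watched.
    Mirrors the post's 'user:..., pass:...' format with a fingerprint instead."""
    if not WATCH_USER.match(user):
        return None
    return f"user:{user}, passfp:{fingerprint(password)}"


def distinct_passwords(records):
    """Count how often each fingerprint was tried per user. One fingerprint
    repeated many times points at a client retrying a stale credential,
    the bad-password cause the post suspects behind the LDAP lockouts."""
    seen = defaultdict(lambda: defaultdict(int))
    for rec in records:
        m = re.match(r"user:(\S+), passfp:([0-9a-f]+)$", rec)
        if m:
            seen[m.group(1)][m.group(2)] += 1
    return {u: dict(fps) for u, fps in seen.items()}


if __name__ == "__main__":
    # Constructed sample attempts: a12345 keeps resending the same old password.
    attempts = [("a12345", "OldPassw0rd"), ("a12345", "OldPassw0rd"),
                ("a12345", "NewPassw0rd"), ("b777", "unwatched")]
    lines = [r for r in (debug_record(u, p) for u, p in attempts) if r]
    print(distinct_passwords(lines))
```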
radiator mailing list [email protected] https://lists.open.com.au/mailman/listinfo/radiator
