Re: [BUG] Yubiradius 3.6.0 logs all passwords in plaintext

2013-02-07T15:13:31+01:00

Hello again,

This will be fixed in version 3.6.1 which will be released soon.

Thank you for your post.

Statistics: Posted by Tom — Thu Feb 07, 2013 3:13 pm

[BUG] Yubiradius 3.6.0 logs all passwords in plaintext

2013-02-06T20:16:03+01:00

The current release of YubiRadius logs all requests to /var/log/syslog and /var/log/debug
The log entries appear as follows
syslog:Feb 5 19:37:28 yubiradius3 ykropval[2955]: LOG_DEBUG:ykropval-verify:[127.0.0.1] Request: user=rdavis&password=DOGBREATH&otp=vvxxxxxxdieflrccltlhxxxxjdrfbxxxxgcnnljbdvrl

In order to change this edit /usr/share/ykropval/ykropval-verify.php
Line 19 reads
$myLog->log(LOG_DEBUG, "Request: " . $_SERVER['QUERY_STRING']);
Either comment out the line, or remove . $_SERVER['QUERY_STRING']

Statistics: Posted by ronsdavis — Wed Feb 06, 2013 8:16 pm

Yubico Forum

Re: [BUG] Yubiradius 3.6.0 logs all passwords in plaintext

[BUG] Yubiradius 3.6.0 logs all passwords in plaintext