Yubico Forum

All times are UTC + 1 hour
Posted: Sat Aug 17, 2013 12:33 am

Joined: Sat Aug 17, 2013 12:12 am
Posts: 2
I just found that if logging is enabled on YubiRADIUS, Active Directory passwords are written to the log file. This is an extremely serious security oversight. Passwords should NEVER be written in clear-text anywhere. We were not planning to have logging on under production use, but even the possibility that passwords could leak into logs makes the use of YubiRADIUS a non-starter for us.



Posted: Tue Aug 20, 2013 11:05 am
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

Can you please confirm the version of the YubiRADIUS you are using? This issue was addressed in the recent version YubiRADIUS 3.6.1.

Thanks and best regards,
Samir.


Posted: Tue Aug 20, 2013 7:34 pm

Joined: Sat Aug 17, 2013 12:12 am
Posts: 2
We are using version 3.6.1. The passwords are logged in /var/log/freeradius/radius.log when I enable logging in the Global Configuration >> FreeRADIUS page.


Posted: Tue Nov 26, 2013 5:25 pm

Joined: Tue Nov 26, 2013 5:19 pm
Posts: 4
Hi,

we have the same problem. With Active Directory auth, the radius.log looks like this; I replaced my password with XXXXXXXXXXXXX ;-)

Quote:
Thread 3 got semaphore
Thread 3 handling request 0, (1 handled so far)
[<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "i001000", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_perl: Added pair User-Name = i001000
rlm_perl: Added pair User-Password = XXXXXXXXXXXccccccdcbgjjvevrkgvlnlkcrntblltlicgvcgcelkdj
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
++[perl] returns ok
[files] users: Matched entry DEFAULT at line 147
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
Waking up in 1.4 seconds.
Waking up in 2.2 seconds.
Waking up in 3.3 seconds.
Discarding duplicate request from client 1_127.0.0.1 port 48663 - ID: 62 due to unfinished request 0
Waking up in 3.1 seconds.
rlm_perl: Added pair User-Name = i001000
rlm_perl: Added pair User-Password = XXXXXXXXXXXX
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Class =
rlm_perl: Added pair Auth-Type = PAP
++[perl] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Finished request 0.
Going to the next request
Thread 3 waiting to be assigned a request
Waking up in 2.6 seconds.
Cleaning up request 0 ID 62 with timestamp +16
Ready to process requests.


So is there a way to stop FreeRADIUS from writing down the user passwords without deactivating logging? (At least for troubleshooting I will need a log, but I never want or need to know any user passwords.)
Also, in the Troubleshoot menu I can see the password.

Thanks for your help
Tobias


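The log excerpt above shows the problem Tobias describes: the `rlm_perl` attribute dump writes `User-Password` in the clear, first with the 44-character YubiKey OTP appended to the (masked) AD password and then, in the second pass, the AD password alone. Added here as an example, not code from the thread or from Yubico: a small Python filter that masks the value of password-carrying attributes before log lines reach disk, plus an audit function that scans an existing radius.log for values that already leaked. The attribute list, the `<redacted>` marker and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Attribute names whose values are credentials and must never reach a log file.
# User-Password and Cleartext-Password are standard FreeRADIUS attribute names;
# the list itself is an assumption for this example and can be extended locally.
SENSITIVE_ATTRS = ("User-Password", "Cleartext-Password")
REDACTED = "<redacted>"

# Matches attribute dumps such as
#   rlm_perl: Added pair User-Password = secret
# "prefix" is everything up to and including the "= ", "value" is what follows.
_ATTR_RE = re.compile(
    r"^(?P<prefix>.*\b(?P<attr>"
    + "|".join(re.escape(a) for a in SENSITIVE_ATTRS)
    + r")\s*=\s*)(?P<value>.*)$"
)


def _credential_match(line: str) -> Optional["re.Match"]:
    """Return the regex match if the line carries an unmasked credential value."""
    m = _ATTR_RE.match(line)
    if m is None or m.group("value") in ("", REDACTED):
        return None
    return m


def redact_line(line: str) -> Tuple[str, bool]:
    """Mask the credential value on one log line.

    Returns (possibly rewritten line without trailing newline, True if masked).
    """
    line = line.rstrip("\n")
    m = _credential_match(line)
    if m is None:
        return line, False
    return m.group("prefix") + REDACTED, True


def redact_log(lines: Iterable[str]) -> List[str]:
    """Redact every line; usable as a filter in front of the log sink."""
    return [redact_line(line)[0] for line in lines]


def find_credential_leaks(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Audit an existing log: (1-based line number, attribute) per leaked value."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        m = _credential_match(line.rstrip("\n"))
        if m is not None:
            hits.append((n, m.group("attr")))
    return hits


# Constructed sample modelled on the radius.log excerpt posted in the thread.
# "Secret-AD-Pw" is a placeholder for the Active Directory password; the
# 44-character modhex string appended to it in the first request is the OTP.
SAMPLE_LOG = [
    "rlm_perl: Added pair User-Name = i001000",
    "rlm_perl: Added pair User-Password = Secret-AD-Pwccccccdcbgjjvevrkgvlnlkcrntblltlicgvcgcelkdj",
    "rlm_perl: Added pair NAS-Port = 0",
    "++[perl] returns ok",
    '[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.',
    "rlm_perl: Added pair User-Name = i001000",
    "rlm_perl: Added pair User-Password = Secret-AD-Pw",
    "rlm_perl: Added pair Class =",
    "rlm_perl: Added pair Auth-Type = PAP",
]

if __name__ == "__main__":
    print("leaks before redaction:", find_credential_leaks(SAMPLE_LOG))
    for out in redact_log(SAMPLE_LOG):
        print(out)
```

Running the module prints the two leaking line numbers and then the sample with both `User-Password` values masked; `find_credential_leaks` over archived logs tells you how far back the exposure reaches. This is a compensating control at the log sink, not a fix for the product: the Troubleshoot menu Tobias mentions shows the password from live request data and is unaffected by anything done to the log file.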