Yubico Forum
https://forum.yubico.com/

Active Directory password written in RADIUS logs
https://forum.yubico.com/viewtopic.php?f=29&t=1135

Author:  tiritas [ Sat Aug 17, 2013 12:33 am ]
Post subject:  Active Directory password written in RADIUS logs

I just found that if logging is enabled on YubiRADIUS, Active Directory passwords are written to the log file. This is an extremely serious security oversight. Passwords should NEVER be written in clear text anywhere. We were not planning to have logging on under production use, but even the possibility that passwords could leak into logs makes the use of YubiRADIUS a non-starter for us.

Author:  samir [ Tue Aug 20, 2013 11:05 am ]
Post subject:  Re: Active Directory password written in RADIUS logs

Hello,

Can you please confirm the version of the YubiRADIUS you are using? This issue was addressed in the recent version YubiRADIUS 3.6.1.

Thanks and best regards,
Samir.

Author:  tiritas [ Tue Aug 20, 2013 7:34 pm ]
Post subject:  Re: Active Directory password written in RADIUS logs

We are using version 3.6.1. The passwords are logged in /var/log/freeradius/radius.log when I enable logging in the Global Configuration >> FreeRADIUS page.

Author:  Tobias [ Tue Nov 26, 2013 5:25 pm ]
Post subject:  Re: Active Directory password written in RADIUS logs

Hi,

we have the same problem. The radius.log looks like this with Active Directory auth; my password is XXXXXXXXXXXXX ;-)

Quote:
Thread 3 got semaphore
Thread 3 handling request 0, (1 handled so far)
[<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "i001000", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_perl: Added pair User-Name = i001000
rlm_perl: Added pair User-Password = XXXXXXXXXXXccccccdcbgjjvevrkgvlnlkcrntblltlicgvcgcelkdj
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
++[perl] returns ok
[files] users: Matched entry DEFAULT at line 147
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
Waking up in 1.4 seconds.
Waking up in 2.2 seconds.
Waking up in 3.3 seconds.
Discarding duplicate request from client 1_127.0.0.1 port 48663 - ID: 62 due to unfinished request 0
Waking up in 3.1 seconds.
rlm_perl: Added pair User-Name = i001000
rlm_perl: Added pair User-Password = XXXXXXXXXXXX
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Class =
rlm_perl: Added pair Auth-Type = PAP
++[perl] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Finished request 0.
Going to the next request
Thread 3 waiting to be assigned a request
Waking up in 2.6 seconds.
Cleaning up request 0 ID 62 with timestamp +16
Ready to process requests.


So is there a way to stop FreeRADIUS from writing the user passwords without deactivating logging? (At least for troubleshooting I will need a log, but I never want or need to know any user passwords.)
Also in the Troubleshoot menu I can see the password.

Thanks for your help
Tobias
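As an added example (my own code, not from this thread, Yubico or the FreeRADIUS project): a small Python scrubber that can be run over an existing radius.log to (a) report which lines carry a password attribute and (b) produce a redacted copy safe to hand to support. It keys on the `User-Password = ...` pattern visible in the log above; the attribute list, the sample log and the `<redacted>` marker are assumptions of this example.

```python
import re
import sys

# Attribute names whose values must never survive in a log.
# Assumption of this example: extend the tuple for your own deployment.
SENSITIVE_ATTRS = (
    "User-Password",
    "Cleartext-Password",
    "CHAP-Password",
    "MS-CHAP-Password",
)

# Matches 'User-Password = secret', 'User-Password := "a b"' and
# 'User-Password == secret' as FreeRADIUS debug output prints them.
# '==' is listed before ':?=' so the whole operator is consumed and the
# second '=' is never mistaken for (and left behind as) the value.
_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(a) for a in SENSITIVE_ATTRS) + r")"
    r"\s*(==|:?=)\s*(\"[^\"]*\"|\S+)"
)


def redact_line(line: str) -> str:
    """Replace the value of any sensitive attribute on this line."""
    return _PATTERN.sub(lambda m: f"{m.group(1)} {m.group(2)} <redacted>", line)


def scan_log(text: str):
    """Return (redacted_text, findings).

    findings is a list of (line_number, attribute_name) for every place a
    password attribute was present, so the leak can be measured before the
    cleaned file replaces the original.
    """
    findings = []
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in _PATTERN.finditer(line):
            findings.append((n, m.group(1)))
        out.append(redact_line(line))
    return "\n".join(out), findings


# Constructed sample modelled on the rlm_perl lines quoted in the thread;
# 'hunter2' and 'with space' stand in for real passwords.
SAMPLE_LOG = """\
rlm_perl: Added pair User-Name = i001000
rlm_perl: Added pair User-Password = hunter2
rlm_perl: Added pair NAS-Port = 0
++[perl] returns ok
rlm_perl: Added pair User-Password = "with space"
++[files] returns ok
"""


if __name__ == "__main__":
    # Usage: python scrub_radius_log.py < /var/log/freeradius/radius.log > clean.log
    # With no input on stdin the constructed sample is scrubbed instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    cleaned, hits = scan_log(data)
    for line_no, attr in hits:
        print(f"line {line_no}: {attr} value redacted", file=sys.stderr)
    print(cleaned)
```

The findings list is the useful part for an audit: a non-empty result on a production log is the signal that the logging configuration itself still needs fixing; the scrubber only limits the damage of what has already been written.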
