Yubico Forum https://forum.yubico.com/

Active Directory password written in RADIUS logs https://forum.yubico.com/viewtopic.php?f=29&t=1135

Author: tiritas [ Sat Aug 17, 2013 12:33 am ]
Post subject: Active Directory password written in RADIUS logs
I just found that if logging is enabled on YubiRADIUS, Active Directory passwords are written to the log file. This is an extremely serious security oversight. Passwords should NEVER be written in clear text anywhere. We were not planning to have logging on under production use, but even the possibility that passwords could leak into logs makes the use of YubiRADIUS a non-starter for us.
Author: samir [ Tue Aug 20, 2013 11:05 am ]
Post subject: Re: Active Directory password written in RADIUS logs

Hello, can you please confirm the version of the YubiRADIUS you are using? This issue was addressed in the recent version YubiRADIUS 3.6.1. Thanks and best regards, Samir.
Author: tiritas [ Tue Aug 20, 2013 7:34 pm ]
Post subject: Re: Active Directory password written in RADIUS logs

We are using version 3.6.1. The passwords are logged in /var/log/freeradius/radius.log when I enable logging in the Global Configuration >> FreeRADIUS page.
Author: Tobias [ Tue Nov 26, 2013 5:25 pm ]
Post subject: Re: Active Directory password written in RADIUS logs

Hi, we have the same problem. With Active Directory auth, the radius.log looks like this (my password is XXXXXXXXXXXXX):

Quote:

    Thread 3 got semaphore
    Thread 3 handling request 0, (1 handled so far)
    [<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default
    [<thread>] +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "i001000", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    rlm_perl: Added pair User-Name = i001000
    rlm_perl: Added pair User-Password = XXXXXXXXXXXccccccdcbgjjvevrkgvlnlkcrntblltlicgvcgcelkdj
    rlm_perl: Added pair NAS-Port = 0
    rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
    ++[perl] returns ok
    [files] users: Matched entry DEFAULT at line 147
    ++[files] returns ok
    [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = PAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group PAP {...}
    Waking up in 1.4 seconds.
    Waking up in 2.2 seconds.
    Waking up in 3.3 seconds.
    Discarding duplicate request from client 1_127.0.0.1 port 48663 - ID: 62 due to unfinished request 0
    Waking up in 3.1 seconds.
    rlm_perl: Added pair User-Name = i001000
    rlm_perl: Added pair User-Password = XXXXXXXXXXXX
    rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
    rlm_perl: Added pair NAS-Port = 0
    rlm_perl: Added pair Class = 
    rlm_perl: Added pair Auth-Type = PAP
    ++[perl] returns ok
    # Executing section post-auth from file /etc/freeradius/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Finished request 0.
    Going to the next request
    Thread 3 waiting to be assigned a request
    Waking up in 2.6 seconds.
    Cleaning up request 0 ID 62 with timestamp +16
    Ready to process requests.

So is there a way to stop FreeRADIUS from writing down the user passwords without deactivating logging? (At least for troubleshooting I will need a log, but I never want or need to know any user passwords.) Also in the Troubleshoot menu I can see the password. Thanks for your help, Tobias
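A defender-side check for the leak described in this thread, added here as an example; it is not code from the thread, from Yubico or from the FreeRADIUS project. It scans radius.log-style lines for attribute/value pairs that carry a clear-text secret (the `rlm_perl: Added pair User-Password = ...` lines in the excerpt above), redacts the value and reports which line numbers leaked. The sample lines are constructed in the shape of the excerpt, the password value in them is made up, and the attribute names beyond User-Password are an assumption.

```python
import re
import sys
from typing import List, Tuple

# Attribute names whose values must never appear in a log in clear text.
# "User-Password" is the one visible in the radius.log excerpt in this thread;
# the other two are standard FreeRADIUS attribute names that also carry
# clear-text secrets and are included here as an assumption.
SECRET_ATTRS = ("User-Password", "Cleartext-Password", "Password-With-Header")

# Matches "<attr> = <value>" as written by "rlm_perl: Added pair ..." and by
# FreeRADIUS debug output in general. Values are either double-quoted or bare.
_SECRET_RE = re.compile(
    r"(?P<attr>" + "|".join(re.escape(a) for a in SECRET_ATTRS) + r")"
    r"(?P<sep>\s*=\s*)"
    r'(?P<value>"[^"]*"|\S*)'
)


def redact_line(line: str) -> Tuple[str, bool]:
    """Return (redacted_line, leaked); leaked is True if a secret attribute was present."""
    leaked = False

    def _sub(m):
        nonlocal leaked
        leaked = True
        return f"{m.group('attr')}{m.group('sep')}<REDACTED>"

    return _SECRET_RE.sub(_sub, line), leaked


def scan_log(lines: List[str]) -> Tuple[List[str], List[int]]:
    """Redact every line; also return the 1-based numbers of lines that leaked a secret."""
    redacted: List[str] = []
    leaked_at: List[int] = []
    for n, line in enumerate(lines, start=1):
        out, leaked = redact_line(line)
        redacted.append(out)
        if leaked:
            leaked_at.append(n)
    return redacted, leaked_at


# Constructed sample in the shape of the excerpt above; the password value is made up.
SAMPLE_LOG = [
    "rlm_perl: Added pair User-Name = i001000",
    "rlm_perl: Added pair User-Password = ExamplePass1ccccccdcbgjjvevrkgvlnlkcrntblltlicgvcgcelkdj",
    "rlm_perl: Added pair NAS-Port = 0",
    "rlm_perl: Added pair NAS-IP-Address = 127.0.0.1",
    "++[perl] returns ok",
    '[pap] WARNING! No "known good" password found for the user.',
    "rlm_perl: Added pair Class = ",
    "rlm_perl: Added pair Auth-Type = PAP",
]

if __name__ == "__main__":
    # Usage: python redact_radius_log.py [/var/log/freeradius/radius.log]
    # With no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = [ln.rstrip("\n") for ln in fh]
    else:
        source = SAMPLE_LOG
    clean, where = scan_log(source)
    print("\n".join(clean))
    print(f"# {len(where)} line(s) contained a clear-text secret: {where}", file=sys.stderr)
```

Redacting a log after the fact only limits the damage: the `Added pair` lines in the excerpt are per-request debug output, so the control that matters is not to run that logging level against production credentials, and to treat any log that did contain them as exposure of the affected passwords. The scanner is still useful as a check before a log is shared for troubleshooting, which is exactly the case Tobias raises.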