On 10/13/2014 10:24 AM, Vangelis Kyriakakis wrote:
> This separation of DEBUG levels would be great. Usually many
> persons can view the DEBUG level logs but we don't want all these
> persons to be able to see the user passwords.
I'd say the PasswordLogFileName parameter in Handler already solves the requirements related to password debugging problems. It can log the password supplied by the user and the password retrieved from the backend, such as LDAP, SQL, etc. Besides showing whether the passwords match, it can also help in figuring out problems with shared secrets and their calculation (the supplied password looks garbled), and it does not require any specific log level. It's possible to turn it on without having to deal with a high volume of debug messages.

> If the problem is related
> to a bad password a couple of trusted personnel can see the password
> debugging logs. Moreover, when we send radius logs to a vendor we want
> to be sure that no password is leftover.

I think there are also cases where security audit requirements do not allow passwords in debug log files. PasswordLogFileName separates the debug logs from the specific password log. With a special log level the passwords would still go to the debug log, making it possible that the wrong logs, the ones with passwords, are sent to long-term storage, logged over syslog or sent to a vendor. It also makes it easier to run with an incorrect log level (with passwords shown) when password logging depends on a specific log level.

If I remember correctly, the password log currently does not log, for example, passwords in proxied messages, but if there are cases that it does not cover, we'd like to hear about them.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
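The separation Heikki describes, shown as an added Radiator configuration fragment (this is not configuration from the message or from the Radiator distribution). The directory paths, the shared secret and the users file are assumptions made for the example; PasswordLogFileName, Trace, LogFile, LogDir, DbDir and the %L and %D special characters are the parameters the message and the Radiator reference name.

```text
# Added example configuration, not taken from the message above.
# Paths, the client secret and the users file are assumptions.
LogDir   /var/log/radiator
DbDir    /etc/radiator

# Trace 4 is the DEBUG level. Everything written at this level goes to
# LogFile, which is the file that ends up in long-term storage, syslog
# or a vendor's hands, so it must never carry passwords.
Trace    4
LogFile  %L/logfile

<Client DEFAULT>
    Secret  example-shared-secret
</Client>

<Handler>
    # Submitted and backend-retrieved passwords are written only to this
    # file, independently of Trace, so it can be switched on without the
    # debug volume and handed to a small set of trusted staff.
    PasswordLogFileName %L/password.log

    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>
```

Two operational checks follow from the message: restrict the password log to the account Radiator runs as and the few people allowed to read it (for example mode 0600 owned by that account), and exclude it from whatever log-shipping or archival job handles LogFile, so that raising Trace for troubleshooting never changes where passwords land.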
