Hi,

I totally agree with Vangelis. It's exactly the same for us here (usually with TTLS/PAP authentication). DEBUGWITHOUTPASSWORDS would be great.

Regards
Klara

On Mon, Oct 13, 2014 at 10:24:20AM +0300, Vangelis Kyriakakis wrote:
> Hello all,
>
> This separation of DEBUG levels would be great. Usually many
> persons can view the DEBUG level logs but we don't want all these
> persons to be able to see the user passwords. If the problem is related
> to a bad password a couple of trusted personnel can see the password
> debugging logs. Moreover, when we send radius logs to a vendor we want
> to be sure that no password is leftover.
> So, what Hugh suggests would be a very welcome addition.
>
> Regards
> Vangelis
>
> On 13/10/2014 2:38 AM, Keith Morrell wrote:
> > UNCLASSIFIED
> > Yes, ideal solution.
> >
> > I agree DEBUG should show all...but having the passwords in clear text in
> > the logs is generally undesirable.
> >
> > Thanks Hugh.
> >
> > -Keith
> >
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:[email protected]]
> > Sent: Monday, 13 October 2014 10:35 AM
> > To: Keith Morrell
> > Cc: Alan Buxey; Vangelis Kyriakakis; Radiator
> > Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4
> > [SEC=UNCLASSIFIED]
> >
> >
> > Hi all -
> >
> > We discussed this at length many times over the years and our decision was
> > always that "DEBUG" meant show everything that is going on, otherwise
> > debugging is very hard.
> >
> > I suppose we could consider two levels: "DEBUG" as it is now, and
> > "DEBUGWITHOUTPASSWORDS" with passwords obscured.
> >
> > Thoughts?
> >
> > regards
> >
> > Hugh
> >
> >
> > On 13 Oct 2014, at 08:57, Keith Morrell <[email protected]> wrote:
> >
> >> UNCLASSIFIED
> >>
> >> We use debug level 4 on all our subprocesses (we use radiator proxies for
> >> front ends) to gather detailed data about what's going on - it's just the
> >> way we like it.
> >>
> >> Personally, I think showing any passwords in clear text in logs is
> >> generally not a good idea...
> >>
> >> -Keith
> >>
> >>
> >> From: Alan Buxey [mailto:[email protected]]
> >> Sent: Monday, 13 October 2014 8:49 AM
> >> To: Keith Morrell; Vangelis Kyriakakis; Radiator
> >> Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace
> >> level 4 [SEC=UNCLASSIFIED]
> >>
> >> Why would you be running in this mode? Surely only debug level that
> >> high for debugging? And how could you be sure that the issue wasn't due
> >> to incorrect password? ;)
> >>
> >> alan
> >> _______________________________________________
> >> radiator mailing list
> >> [email protected]
> >> http://www.open.com.au/mailman/listinfo/radiator
> >
> > --
> >
> > Hugh Irvine
> > [email protected]
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER,
> > SIM, etc.
> > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
