FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0

pam_radius_auth: stop printing password #65

Closed ikerexxe closed 2 years ago

ikerexxe commented 2 years ago

Printing plain text passwords should be avoided, even if it's in a root-owned file like /var/log/secure.

jpereira commented 2 years ago

Maybe we should have an extra option enabling or disabling the password print, as we have in radiusd. What do you think, @alandekok? I mean, sometimes it should be helpful.

ikerexxe commented 2 years ago

Under which circumstances would it be helpful?

Even assuming that it could be useful, I consider it dangerous to save any kind of password in plain text in a file.

alandekok commented 2 years ago

Debugging things is useful.

That being said, the password can always be decoded on the RADIUS server, and viewed there.