[tac_plus] Full AAA logging / supported configuration

heasley heas at shrubbery.net
Wed Sep 14 23:46:28 UTC 2016


Tue, Sep 13, 2016 at 06:22:10AM -0700, Sean:
> So the logging occurs once it’s been decrypted. Is there a way to always ensure sensitive data that can be logged during debug, such as the password of the end-user, is encrypted? Or at least omitted?

Don't use the debugging option? :)  Really, a better solution is probably to
add an option that logs authentication success/failure, rather than enabling
debugging or altering the debugging to operate differently.

I have about 4 patches from various people that I need to review.  I'll look
at such an option along with those...which honestly have been on my to-do
list for much too long.

> I don’t like the idea that someone else with sudo / root can sniff someone else’s passwords in clear text. ☹ 
> 
> On 9/12/16, 4:41 PM, "heasley" <heas at shrubbery.net> wrote:
> 
>     Mon, Sep 12, 2016 at 03:03:49PM -0700, Sean:
>     > Then I misspoke. I thought the key was used for authentication; I didn’t realize it was also being used to encrypt the packets. 
>     > 
>     > I’ve got a key configured and in use, but the password(s) were still being logged via `-d 256` in cleartext in /var/log/tac_plus.log when it was running with that level of debugging enabled.
>     
>     only data on the wire is encrypted
>     
> 
> 

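As an added illustration (not code from tac_plus or from anyone in this thread) of why a configured key protects the wire but not the daemon's debug output: the TACACS+ body obfuscation in RFC 8907 is an MD5-derived pad XORed over the packet body, so the server holds the cleartext password the moment it removes the pad, and that cleartext is what a debug log sees. The key, session id, user, port and password below are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values: not a real key or session.
SHARED_KEY = b"example-shared-key"
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0          # major version 0xc, minor version 0
TYPE_AUTHEN = 0x01      # authentication packet
FLAGS = 0x00            # UNENCRYPTED flag clear: body is obfuscated with the key

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 sec. 4.5: pad = MD5(session_id, key, version, seq_no[, previous MD5]) chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call reverses it, since XOR is an involution."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_pap(user: bytes, port: bytes, rem_addr: bytes, password: bytes) -> bytes:
    """Authentication START body (RFC 8907 sec. 5.1) for a PAP login; password rides in 'data'."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x02, 0x01  # LOGIN, priv 1, PAP, LOGIN
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password

def packet_header(seq_no: int, body_len: int) -> bytes:
    """12-byte TACACS+ header; it is never encrypted, so session_id is visible on the wire."""
    return struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, FLAGS, SESSION_ID, body_len)

def demo(password: bytes = b"s3cret-pw") -> dict:
    """Compare what a sniffer sees with what the daemon holds after removing the pad."""
    body = authen_start_pap(b"alice", b"tty0", b"10.0.0.5", password)
    wire = packet_header(1, len(body)) + obfuscate(body, SESSION_ID, SHARED_KEY, VERSION, 1)
    # The server parses the clear header, then reverses the pad with its own copy of the key.
    version, _type, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", wire[:12])
    cleartext = obfuscate(wire[12:12 + length], session_id, SHARED_KEY, version, seq_no)
    return {
        "password_visible_on_wire": password in wire,
        "password_visible_after_decrypt": password in cleartext,
        "roundtrip_ok": cleartext == body,
    }

if __name__ == "__main__":
    print(demo())
```

The decrypted body is exactly the data a per-packet debug level such as `-d 256` would print, which is why an authentication success/failure log option is the safer place to get visibility.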