Freeradius v3.0.15 logs password on PAP failure even with auth_badpass = no #2064
When the PAP module rejects a user for not matching a cleartext password, it generates an error message that contains the bad password. This error string gets used in the authlog, causing the authlog to contain a cleartext user password even if the auth_badpass config variable is set to no.
This behavior was added in 70fd787.
How to reproduce issue
Enable authlog and pap, add a user with a cleartext password to the server, and send a PAP request with the wrong password to it.
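The data flow the report describes, as an added example that is not part of the issue and is not FreeRADIUS source: a config flag that guards only the explicit password field does nothing when a module error string carrying the password is copied into the same log line. All function names, struct fields and message strings below are hypothetical, and the password is a constructed sample value.

```c
/* Simplified model of the logging path described in the issue.
 * Not FreeRADIUS source: all names and message strings are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct log_cfg { bool auth; bool auth_badpass; };

/* Module error as the issue describes it: the rejected password is embedded. */
static void pap_error_leaky(char *out, size_t n, const char *password) {
    snprintf(out, n, "pap: password \"%s\" does not match", password);
}

/* Hardened form: the module error never carries the credential. */
static void pap_error_safe(char *out, size_t n, const char *password) {
    (void)password;
    snprintf(out, n, "pap: password does not match");
}

/* Auth log writer: auth_badpass guards only the explicit password field;
 * the module error string is copied into the line verbatim. */
static void authlog_reject(char *out, size_t n, const struct log_cfg *cfg,
                           const char *user, const char *password,
                           const char *module_error) {
    if (!cfg->auth) { out[0] = '\0'; return; }
    snprintf(out, n, "Login incorrect (%s): [%s%s%s]", module_error, user,
             cfg->auth_badpass ? "/" : "", cfg->auth_badpass ? password : "");
}

/* Returns true if the rejected password ends up in the auth log line. */
static bool reject_leaks(bool leaky_module, const struct log_cfg *cfg,
                         const char *user, const char *password) {
    char err[128], line[256];
    if (leaky_module) pap_error_leaky(err, sizeof err, password);
    else              pap_error_safe(err, sizeof err, password);
    authlog_reject(line, sizeof line, cfg, user, password, err);
    return strstr(line, password) != NULL;
}

int main(void) {
    const struct log_cfg cfg = { .auth = true, .auth_badpass = false };
    const char *pw = "canary-7f3a";   /* constructed sample value */
    printf("leaky module, auth_badpass=no: leak=%d\n", reject_leaks(true, &cfg, "alice", pw));
    printf("safe module,  auth_badpass=no: leak=%d\n", reject_leaks(false, &cfg, "alice", pw));
    return 0;
}
```

The same canary approach works as a regression check against a real server: send a rejected PAP request with a unique throwaway password and search the auth log for that string.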