RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:

If you configure freeradius to log auth results (with log { auth = yes } configuration directive) when using the PAP module, you will see messages containing the incorrect cleartext passwords in the log file like this:

Auth: (185) Login incorrect (pap: Cleartext password "password" does not match "known good" password): [user] (from client name port 1)

Nothing incorrect is logged for a successful login:

Auth: (240) Login OK: [user] (from client name port 1)

This has minor security implications.

Version-Release number of selected component (if applicable):

3.0.13-9.el7_5

How reproducible:

100%

Steps to Reproduce:
1. Set auth = yes in /etc/raddb/radiusd.conf under the log { } section with  auth_badpass = no and auth_goodpass = no.
2. Attempt an auth against the server using a bad password.
3. Review log file.

Actual results:

The bad password is written into the log file.

Expected results:

Password input should never be logged.

Additional info:

This was patched upstream some time ago and released in version 3.0.16

https://github.com/FreeRADIUS/freeradius-server/issues/2064

https://github.com/FreeRADIUS/freeradius-server/commit/cf9c07ac581ea958ae29d584fa860c2ee9e7d0dd#diff-7e8561db5fb77ed1d77fedc323ebb6c3

Kevin,

This fix is present as part of the RHEL 8 GA release of FreeRADIUS (v3.0.17). IMO, as this requires a configuration change to log cleartext passwords, the effort involved to backport this to RHEL 7.x isn't worth it unless we have another case to warrant another release in 7.x. I'll leave this bug open though as a reminder for when we do another RHEL 7 release of FreeRADIUS.  


- Alex

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: freeradius security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3984