(RADIATOR) Patch to hide user password when using tacacs+ and trace 4,5
Markus Moeller
huaraz at moeller.plus.com
Sun Mar 9 06:57:12 CST 2008
The User-Password attribute is encoded when Radius is used, and logging with trace 4 or 5 does not reveal the password. But when Tacacs is used, the password is in clear when creating the fake Radius request. If I understand the code right, the User-Password attribute is not really used, only the DecodedPassword (please correct me if that is wrong; I couldn't check all cases), so the patch below sets the User-Password to XXX when Tacacs is used.
Also, when logging Tacacs+ requests and replies, the password is logged. The patch below should avoid that too.
Regards
Markus
--- ServerTACACSPLUS.pm Sun Mar 9 12:46:08 2008
+++ ServerTACACSPLUS.pm.new Sun Mar 9 12:46:01 2008
@@ -475,7 +475,8 @@
{
# PAP login
$tp->add_attr('User-Name', $user);
- $tp->add_attr('User-Password', $data);
+# $tp->add_attr('User-Password', $data);
+ $tp->add_attr('User-Password', 'XXX');
$tp->{DecodedPassword} = $data;
}
elsif ($action == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_LOGIN
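Review bot: replacing the User-Password value with the literal 'XXX' changes what downstream code sees, not just what gets logged, and the message itself says it is unverified whether every AuthBy reads only DecodedPassword; before this goes in, confirm that no AuthBy module (in particular any that forwards the request to another server) reads User-Password, otherwise it will authenticate with the string 'XXX'. A safer shape is to keep `$tp->add_attr('User-Password', $data);` and mask the attribute only in the trace output. Also, the commented-out line `#  $tp->add_attr('User-Password', $data);` should be deleted rather than left as dead code.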
@@ -615,8 +616,14 @@
my $user_msg = substr($fields, $i, $user_msg_len); $i += $user_msg_len;
my $data = substr($fields, $i, $data_len); $i += $data_len;
- $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, $user_msg, $data");
-
+ if ($self->{last_status} == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS)
+ {
+ $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, XXX, $data");
+ }
+ else
+ {
+ $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, $user_msg, $data");
+ }
if ($flags & $Radius::Tacacsplus::TAC_PLUS_CONTINUE_FLAG_ABORT)
{
$self->{parent}->log($main::LOG_WARN, "TacacsplusConnection Authentication CONTINUE aborted: $data");
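Review bot: the masking relies on `$self->{last_status}` being set to TAC_PLUS_AUTHEN_STATUS_GETPASS before the CONTINUE is processed, but nothing in this hunk shows where last_status is assigned; if it is unset or stale, the comparison warns and the password is logged in clear as before. Please show or verify that assignment. The two branches also duplicate the whole log call; a single `my $shown_msg = ($self->{last_status} == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS) ? 'XXX' : $user_msg;` followed by one log call would be easier to keep consistent.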
@@ -644,7 +651,8 @@
# our replyFn will be called
my $tp = $self->create_radius_request('Access-Request');
$tp->add_attr('User-Name', $self->{user});
- $tp->add_attr('User-Password', $self->{password});
+# $tp->add_attr('User-Password', $self->{password});
+ $tp->add_attr('User-Password', 'XXX');
$tp->{DecodedPassword} = $self->{password};
# Recover the context and any radius State from a previous Access-Challenge
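Review bot: same concern as in the first hunk: substituting 'XXX' for `$self->{password}` in the fake Access-Request alters the request content rather than just the trace, so any code path that consumes User-Password instead of DecodedPassword will see the placeholder; masking at the logging layer avoids that risk. The commented-out `#  $tp->add_attr('User-Password', $self->{password});` should likewise be removed instead of left in.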