(RADIATOR) Patch to hide user password when using tacacs+ and trace 4,5
Markus Moeller
huaraz at moeller.plus.com
Sun Mar 9 19:11:10 CST 2008
> On Sun, 9 Mar 2008, Markus Moeller wrote:
>
> Hi,
>
>> The User-Password attribute is encoded when Radius is used and the
>> logging with trace 4 or 5 does not reveal the password.
>
> You mean the password is not revealed because it is "mangled/obfuscated"?
>
Yes
> You know the authenticator, you know the secret thus you know the
> plaintext password when looking at your tracelevel 4 logs.
>
I also forward messages with syslog to a central syslog server for
monitoring (although usually not with trace 4,5 but can happen when
debugging)
> If you say, but if joe random on that machine sees the logs he doesn't
> know the secret, then it's a matter of the ownership/permissions of
> your logfiles as it would be of your radius configuration.
>
I may have logfiles readable for operators but not the clients file with the
secrets
> A tracelevel > 3 is there for aiding in debugging and it's pretty
> obvious that you can get a lot of information that way to find a
> problem. That's how the system is designed to work.
>
True, but for example the radius code also has a section commented to not
log the cleartext password.
>
> just my 2cts.
>
Thank you
Markus
> --
> Dipl. Ing. (BA) Bjoern A. Zeeb Research & Development
> CK Software GmbH http://www.cksoft.de/
> Schwarzwaldstr. 31 Phone: +49 7452 889 135
> D-71131 Jettingen Fax: +49 7452 889 136
> HRB245288, Amtsgericht Stuttgart Geschaeftsfuehrer: Christian
> Kratzer
>
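The point raised in the quoted reply (the shared secret plus the Request Authenticator from a trace 4 log is enough to reverse User-Password hiding) as an added example, not code from Radiator or from either poster. It implements the RFC 2865 section 5.2 hiding and its reversal, and a redaction step for a hypothetical attribute-dump line; the secret, authenticator, password and log-line format are constructed.

```python
import hashlib
import re

# Hypothetical trace-line format: "User-Password = <value>"; not Radiator's real format.
_PW_RE = re.compile(r'(User-Password\s*=\s*)\S+')


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad16(data: bytes) -> bytes:
    # RFC 2865 5.2: pad with NULs to a multiple of 16 octets, at least one block.
    data += b"\x00" * (-len(data) % 16)
    return data or b"\x00" * 16


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password as a RADIUS client does: each 16-octet block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded, out, prev = _pad16(password), b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding; this is exactly what the server does, and what anyone
    holding the secret can do with the authenticator and value from a trace log."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def redact_trace_line(line: str) -> str:
    """Mask the User-Password value before the line reaches a log or syslog relay."""
    return _PW_RE.sub(r"\1<hidden>", line)


def demo() -> dict:
    # Constructed values, not taken from any real exchange.
    secret, auth, pw = b"sharedsecret", bytes(range(16)), b"markus-pw!"
    hidden = encode_user_password(pw, secret, auth)
    line = f"\tUser-Password = {hidden.hex()}"  # hypothetical trace 4 attribute line
    recovered = decode_user_password(bytes.fromhex(line.split("= ")[1]), secret, auth)
    return {"hidden_hex": hidden.hex(), "recovered": recovered, "redacted": redact_trace_line(line)}
```

Because the hidden value is reversible with the clients-file secret, redacting it at trace time is the only way to make operator-readable or syslog-forwarded logs safe.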
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.