[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Hugh Irvine hugh at open.com.au
Wed Jan 14 01:02:11 CST 2009


Hello Markus -

All I can suggest is your own custom code.

regards

Hugh


On 14 Jan 2009, at 10:57, Markus Moeller wrote:

> I still would like to see the password hidden during debug. What
> would convince you to include it?
>
> Thank you
> Markus
>
> ----- Original Message ----- From: "Markus Moeller" <huaraz at moeller.plus.com>
> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
> Cc: <radiator at open.com.au>
> Sent: Monday, March 10, 2008 1:11 AM
> Subject: Re: (RADIATOR) Patch to hide user password when using tacacs+ and trace 4,5
>
>
>>
>>
>>
>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>>>
>>> Hi,
>>>
>>>> The User-Password attribute is encoded when Radius is used and  
>>>> the logging with trace 4 or 5 does not reveal the password.
>>>
>>> You mean the password is not revealed because it is "mangled/
>>> obfuscated"?
>>>
>>
>> Yes
>>
>>> You know the authenticator, you know the secret thus you know the
>>> plaintext password when looking at your tracelevel 4 logs.
>>>
>>
>> I also forward messages with syslog to a central syslog server for  
>> monitoring (although usually not with trace 4,5 but can happen
>> when debugging)
>>
>>> If you say, but if joe random on that machine sees the logs he  
>>> doesn't
>>> know the secret, then it's a matter of the ownership/permissions of
>>> your logfiles as it would be of your radius configuration.
>>>
>>
>> I may have logfiles readable for operators but not the clients file  
>> with the secrets
>>
>>> A tracelevel > 3 is there for aiding in debugging and it's pretty
>>> obvious that you can get a lot of information that way to find a
>>> problem.  That's how the system is designed to work.
>>>
>>
>> True, but for example the radius code has also a section commented  
>> to not log the cleartext password.
>>
>>>
>>> just my 2cts.
>>>
>>
>> Thank you
>> Markus
>>
>>> -- 
>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
>>> CK Software GmbH                        http://www.cksoft.de/
>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
>>> D-71131 Jettingen                       Fax: +49 7452 889 136
>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer:  
>>> Christian Kratzer
>>>
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
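As an added illustration of the two points argued in the thread (this is example code written for this archive page, in Python rather than Radiator's Perl, and is not Radiator's own code or a patch to it): the first half implements the RFC 2865 User-Password hiding that makes a trace 4 RADIUS dump look harmless, and its inverse, which is what every RADIUS server runs to check a login, so a trace 4 log plus the clients file is equivalent to the cleartext, as Bjoern says. The second half is the kind of "custom code" Hugh refers to: a redaction pass over trace lines before they are forwarded to a central syslog server, so the TACACS+ cleartext never leaves the box. The log line layout and the field names `password`, `passwd` and `User-Password` are assumptions for the example, not Radiator's actual trace format; the sample lines are constructed.

```python
"""Added example, not Radiator code: RFC 2865 password hiding and a
redaction pass for trace lines that are forwarded off-box."""
import hashlib
import re


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), the first block using the Request
    Authenticator. This is obfuscation keyed on the shared secret, not
    encryption against anyone who holds that secret."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16          # an empty password still yields one block
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block                   # later blocks chain on the ciphertext
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse the server runs on every Access-Request. Anyone who can
    read the trace 4 packet dump and the clients file can do the same."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    # Strip padding; a password that itself ends in NUL is ambiguous here.
    return bytes(out).rstrip(b"\x00")


# Assumed field names for the redaction pass (not Radiator's real trace
# format): "name = value", "name: value" or "name=value", quoted or bare.
_PASSWORD_FIELD = re.compile(
    r'(?i)\b(user-password|password|passwd)\b(\s*[=:]\s*)("[^"]*"|\S+)')


def redact_line(line: str) -> str:
    """Replace the value of any password-like field with a fixed marker."""
    return _PASSWORD_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}<hidden>", line)


def redact_lines(lines):
    """Apply redact_line to every trace line before it is handed to syslog."""
    return [redact_line(line) for line in lines]


# Constructed sample trace lines, not real Radiator output.
SAMPLE_TRACE = [
    "Wed Jan 14 01:02:11 2009: DEBUG: TACACS+ authen START user=markus password=hunter2 port=tty1",
    'Wed Jan 14 01:02:11 2009: DEBUG: Packet dump: User-Name = "markus"',
    'Wed Jan 14 01:02:11 2009: DEBUG: Packet dump: User-Password = "hunter2"',
    "Wed Jan 14 01:02:12 2009: DEBUG: Access-Accept sent to 192.0.2.10",
]


if __name__ == "__main__":
    auth = bytes(range(16))            # constructed Request Authenticator
    hidden = radius_hide_password(b"hunter2", b"mysecret", auth)
    print("on the wire / in trace 4:", hidden.hex())
    print("with the clients file:   ", radius_unhide_password(hidden, b"mysecret", auth))
    for line in redact_lines(SAMPLE_TRACE):
        print(line)
```

The redaction is deliberately applied at the point where lines leave the host, since operators who may read the local logfile are the case Markus describes, while the clients file stays unreadable to them; on a RADIUS flow the same operators gain nothing from the hidden octets without that file, which is the ownership argument in Bjoern's reply.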



