[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Markus Moeller huaraz at moeller.plus.com
Wed Jan 14 15:38:31 CST 2009


Sorry to be persistent, but I don't understand your unwillingness to hide 
the password during trace. Let me try to explain again why I need it.

We want to use Radiator as main Radius and Tacacs authentication server 
which forwards the requests to our central Active Directory for password 
verification.  The server will be maintained by an operations team of 
several people, who from time to time need to add devices and troubleshoot 
issues. They are not always skilled enough to know what trace level to use 
(e.g. 3, 4 or higher (usually highest is best for them)), so they would see 
during troubleshooting user passwords which possibly go into log files. Our 
internal audit would not accept such a solution. They are saying "You don't 
leave your cash openly on your desk in the office. You will put it in the 
drawer even if it is unlocked to avoid any temptation."  It is not against 
malicious users as we know there are always ways to get around for 
privileged users, but they have to actively break rules to get to passwords.

A custom solution is also not acceptable as any patch needs to be verified 
against the changes etc.

Could you reconsider your answer?

Thank you
Markus

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Wednesday, January 14, 2009 7:02 AM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using 
tacacs+ and trace 4, 5


>
> Hello Markus -
>
> All I can suggest is your own custom code.
>
> regards
>
> Hugh
>
>
> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>
>> I still would like to see the password hidden during debug.  What would 
>> convince you to include it ?
>>
>> Thank you
>> Markus
>>
>> ----- Original Message ----- From: "Markus Moeller" <huaraz at moeller.plus.com>
>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>> Cc: <radiator at open.com.au>
>> Sent: Monday, March 10, 2008 1:11 AM
>> Subject: Re: (RADIATOR) Patch to hide user password when using tacacs + 
>> and trace 4,5
>>
>>
>>>
>>>
>>>
>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>>>>
>>>> Hi,
>>>>
>>>>> The User-Password attribute is encoded when Radius is used and the 
>>>>> logging with trace 4 or 5 does not reveal the password.
>>>>
>>>> You mean the password is not revealed because it is "mangled/
>>>> obfuscated"?
>>>>
>>>
>>> Yes
>>>
>>>> You know the authenticator, you know the secret thus you know the
>>>> plaintext password when looking at your tracelevel 4 logs.
>>>>
>>>
>>> I also forward messages with syslog to a central syslog server for 
>>> monitoring (although usually not with trace 4,5 but can happen when 
>>> debugging)
>>>
>>>> If you say, but if joe random on that machine sees the logs he doesn't
>>>> know the secret, then it's a matter of the ownership/permissions of
>>>> your logfiles as it would be of your radius configuration.
>>>>
>>>
>>> I may have logfiles readable for operators but not the clients file 
>>> with the secrets
>>>
>>>> A tracelevel > 3 is there for aiding in debugging and it's pretty
>>>> obvious that you can get a lot of information that way to find a
>>>> problem.  That's how the system is designed to work.
>>>>
>>>
>>> True, but for example the radius code has also a section commented to 
>>> not log the cleartext password.
>>>
>>>>
>>>> just my 2cts.
>>>>
>>>
>>> Thank you
>>> Markus
>>>
>>>> -- 
>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
>>>> CK Software GmbH                        http://www.cksoft.de/
>>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
>>>> D-71131 Jettingen                       Fax: +49 7452 889 136
>>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer:  Christian 
>>>> Kratzer
>>>>
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
> 
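Bjoern's point in the quoted exchange (that the RADIUS User-Password attribute is only obfuscated, so whoever has the shared secret and the Request Authenticator from a trace 4 dump has the cleartext) can be demonstrated directly. The following is an added example, not Radiator code: it implements the RFC 2865 section 5.2 hiding algorithm in Python on both the NAS side and the recovering side. The secret, password, authenticator and the "Authenticator:" / "User-Password:" dump layout are all constructed for the demonstration and are not Radiator's trace format.

```python
"""RFC 2865 section 5.2 User-Password hiding and recovery.

Added example (not Radiator code). Every value used below is constructed.
"""
import hashlib
import os

BLOCK = 16  # MD5 digest length; the password is processed in 16-octet chunks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password the way a NAS does before sending an Access-Request.

    c1 = p1 XOR MD5(secret + RequestAuthenticator)
    cN = pN XOR MD5(secret + c(N-1))
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865: password must be 1..128 octets")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    # Pad with NULs up to a multiple of 16 octets
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += chunk
        prev = chunk  # chaining: the next block is keyed off the previous ciphertext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext from a hidden User-Password.

    Needs only the shared secret (clients file) and the Request Authenticator,
    which a trace 4 dump plus the configuration give you.
    """
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    # Drop the NUL padding (a password that itself ends in NUL would lose
    # those octets; real implementations share this limitation)
    return bytes(out).rstrip(b"\x00")


def recover_from_trace(trace_lines, secret: bytes) -> bytes:
    """Pull authenticator and hidden password out of a constructed packet dump.

    The 'Authenticator:' / 'User-Password:' hex lines are a made-up layout for
    this example, not Radiator's trace format.
    """
    fields = {}
    for line in trace_lines:
        key, _, value = line.strip().partition(":")
        if key in ("Authenticator", "User-Password"):
            fields[key] = bytes.fromhex(value.strip())
    return unhide_password(fields["User-Password"], secret, fields["Authenticator"])


if __name__ == "__main__":
    secret = b"clients-file-secret"    # constructed
    authenticator = os.urandom(16)     # a NAS picks a fresh one per request
    hidden = hide_password(b"Correct Horse", secret, authenticator)
    # What an operator sees at trace 4: hex octets rather than the cleartext ...
    trace = [
        "Authenticator: " + authenticator.hex(),
        "User-Password: " + hidden.hex(),
    ]
    print("hidden in trace :", hidden.hex())
    # ... until the secret from the configuration is applied to it
    print("recovered       :", recover_from_trace(trace, secret))
```

Run it once and the hidden octets change with every authenticator, which is why the attribute looks opaque in a log; feed the same dump back with the secret and the cleartext comes out, which is why protecting the log is really the same problem as protecting the clients file. TACACS+ has no per-attribute hiding at all: the whole packet body is obfuscated with a key stream derived from the shared key, so once the server has decoded the body the password is plain octets, and a trace that prints the decoded body prints it as-is. That is the situation Markus describes, and the only remedies are masking the field before it is logged or keeping the log as tightly permissioned as the secrets.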



