[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Michael Harlow Michael.Harlow at utas.edu.au
Wed Jan 14 22:27:48 CST 2009


Hugh, log at level 5 for a TTLS/PAP method. Same happens at level 4.

------------------------------------------------

Code:       Access-Request
Identifier: 109
Authentic:  (l)v<27><197><223><15><21><148>-<2>A9<181>Y
Attributes:
	User-Name = "anonymous"
	Calling-Station-Id = "00-1B-77-D8-DC-28"
	Called-Station-Id = "00-17-0F-E4-3A-60:UANA"
	NAS-Port = 29
	NAS-IP-Address = 172.31.3.2
	NAS-Identifier = "WismB1"
	Airespace-WLAN-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-IEEE-802-11
	Tunnel-Type = 0:VLAN
	Tunnel-Medium-Type = 0:802
	Tunnel-Private-Group-ID = 2002
	EAP-Message = <2><6><0>G<21><128><0><0><0>=<23><3><1><0>8<220>[<19><211><162>D<19><221>x<215>xu><128>Q%<230>t<195><206>a at e7<187><231><193>t<207><163><218><166><12>hD<13>#<222><255><227><159>L<31><178><31><<149><254><29>b<16>lG<158><160>+
	Message-Authenticator = ^<141><145>=<14>Z<180><171><27><137>=N<129><237><213><143>

Mon Jan 12 13:59:07 2009: DEBUG: Handling request with Handler 'Called-Station-Id=/:UANA$/'
Mon Jan 12 13:59:07 2009: DEBUG: RewriteFunction rewrote user name to anonymous
Mon Jan 12 13:59:07 2009: DEBUG: Wireless-Session-DB Deleting session for anonymous, 172.31.3.2, 29
Mon Jan 12 13:59:07 2009: DEBUG: do query is: 'delete from DOT1XONLINE where STATIONID='00-1B-77-D8-DC-28';': 
Mon Jan 12 13:59:07 2009: DEBUG: Handling with Radius::AuthLDAP2: 
Mon Jan 12 13:59:07 2009: DEBUG: Handling with EAP: code 2, 6, 71, 21
Mon Jan 12 13:59:07 2009: DEBUG: Response type 21
Mon Jan 12 13:59:07 2009: DEBUG: EAP TTLS data, 3, 6, 5
Mon Jan 12 13:59:07 2009: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       UNDEF
Identifier: UNDEF
Authentic:  UNDEF
Attributes:
	User-Name = "yyyy"
	User-Password = XXXXXXX

################################

I have changed the user's plain-text password to XXXXXXX and the user name too. This is TTLS/PAP with SecureW2. When it is my login, I do see exactly what I type on the keyboard appearing in the log.

I too would love to see the user password replaced with "password hidden" or "password removed"


Regards, Michael

-----------------------------------------------------------------
Yesterday is history, tomorrow is a mystery, but today is a gift.
That is why it is called the present. [Oogway - Kungfu Panda]
-----------------------------------------------------------------
Michael Harlow                     Private Bag 69
Network Engineer                   Hobart Tasmania 7001
IT Resources                       Ph  03 6226 1812
University of Tasmania             Mob 0438 26 1812
Michael.Harlow at utas.edu.au         Fx  03 6226 7171
-----------------------------------------------------------------

-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Hugh Irvine
Sent: Thursday, 15 January 2009 12:07 PM
To: Markus Moeller
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5


Hello Markus -

Can we first of all determine whether or not Radiator logs cleartext  
passwords?

We don't think it does, but if we are wrong please correct us.

Our reluctance has to do with the fact that a simple protocol sniffer  
will show you exactly the same thing as is shown by Radiator - ie.  
obfuscated passwords.

Our reluctance is also due to the fact that a debug is meant to  
provide all of the information needed to fix problems - and the  
biggest problem tends to be with passwords.

If you can show us that Radiator is logging cleartext passwords we  
will look at fixing it.

If Radiator is logging the same packet data as shown by a sniffer,  
then we probably won't change anything.

regards

Hugh


On 15 Jan 2009, at 08:38, Markus Moeller wrote:

> Sorry to be persistent, but I don't understand your unwillingness to  
> hide the password during trace. Let me try to explain again why I  
> need it.
>
> We want to use Radiator as main Radius and Tacacs authentication  
> server which forwards the requests to our central Active Directory  
> for password verification.  The server will be maintained by an  
> operations team of several people, who from time to time need to add  
> devices and troubleshoot issues. They are not always skilled enough  
> to know what trace level to use (e.g. 3,4 or higher (usually  
> highest is best for them)), so they would see during troubleshooting  
> user passwords which possibly go into log files. Our internal audit  
> would not accept such a solution. They are saying "You don't leave  
> your cash openly on your desk in the office. You will put it in the  
> drawer even if it is unlocked to avoid any temptation."  It is not  
> against malicious users as we know there are always ways to get  
> around for privileged users, but they have to actively break rules  
> to get to passwords.
>
> A custom solution is also not acceptable as any patch need to be  
> verified against the changes etc....
>
> Could you reconsider your answer ?
>
> Thank you
> Markus
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Wednesday, January 14, 2009 7:02 AM
> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when  
> using tacacs+ and trace 4, 5
>
>
>>
>> Hello Markus -
>>
>> All I can suggest is your own custom code.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>>
>>> I still would like to see the password hidden during debug.  What   
>>> would convince you to include it ?
>>>
>>> Thank you
>>> Markus
>>>
>>> ----- Original Message ----- From: "Markus Moeller" <huaraz at moeller.plus.com>
>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>>> Cc: <radiator at open.com.au>
>>> Sent: Monday, March 10, 2008 1:11 AM
>>> Subject: Re: (RADIATOR) Patch to hide user password when using  
>>> tacacs + and trace 4,5
>>>
>>>
>>>>
>>>>
>>>>
>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>> The User-Password attribute is encoded when Radius is used and   
>>>>>> the logging with trace 4 or 5 does not reveal the password.
>>>>>
>>>>> You mean the password is not revealed because it is "mangled/
>>>>> obfuscated"?
>>>>>
>>>>
>>>> Yes
>>>>
>>>>> You know the authenticator, you know the secret thus you know the
>>>>> plaintext password when looking at your tracelevel 4 logs.
>>>>>
>>>>
>>>> I also forward messages with syslog to a central syslog server  
>>>> for monitoring (although usually not with trace 4,5 but can  
>>>> happen when debugging)
>>>>
>>>>> If you say, but if joe random on that machine sees the logs he   
>>>>> doesn't
>>>>> know the secret, then it's a matter of the ownership/permissions  
>>>>> of
>>>>> your logfiles as it would be of your radius configuration.
>>>>>
>>>>
>>>> I may have logfiles readable for operators but not the clients  
>>>> file with the secrets
>>>>
>>>>> A tracelevel > 3 is there for aiding in debugging and it's pretty
>>>>> obvious that you can get a lot of information that way to find a
>>>>> problem.  That's how the system is designed to work.
>>>>>
>>>>
>>>> True, but for example the radius code has also a section  
>>>> commented to not log the cleartext password.
>>>>
>>>>>
>>>>> just my 2cts.
>>>>>
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>>> -- 
>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
>>>>> CK Software GmbH                        http://www.cksoft.de/
>>>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
>>>>> D-71131 Jettingen                       Fax: +49 7452 889 136
>>>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer:   
>>>>> Christian Kratzer
>>>>>
>>>>
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>
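The two technical claims in this thread can be checked with a few lines of code: Bjoern's point that an outer RADIUS User-Password in a trace 4 dump is recoverable by anyone who also holds the shared secret (RFC 2865 only XOR-hides it with MD5(secret + authenticator)), and Markus's request that password attributes be masked before they reach the log or syslog, which is the only thing that helps for the tunnelled TTLS/PAP dump Michael posted, where the value is literally cleartext. The block below is an added example written for this page, not Radiator's code. It assumes, from the dumps shown above, that Radiator renders binary values as printable ASCII with other bytes as `<NNN>` (the `Authentic:` line) and prints attributes as a tab, the name, ` = `, and the value; the shared secret, the sample dump and the `hidden_attrs` parameter are constructed for the demonstration.

```python
import hashlib
import re

# RFC 2865 section 5.2: User-Password is hidden, not encrypted. The password is
# NUL-padded to a multiple of 16 bytes and each block is XORed with
# MD5(secret + previous block); for the first block the "previous block" is
# the 16-byte Request Authenticator printed on the Authentic: line.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a cleartext password the way a NAS does before sending it."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo hide_user_password(); strips the NUL padding added by the NAS."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


# Assumed Radiator rendering (inferred from the dump on this page): printable
# ASCII as-is, every other byte as "<decimal>". A literal "<" is printed as-is
# (see "<<149>" in the EAP-Message line), so "<NNN>" is only decoded as a
# byte when NNN fits in one.
_ESCAPED_BYTE = re.compile(r"<(\d{1,3})>")
_ATTR_LINE = re.compile(r"^\t([A-Za-z0-9-]+) = (.*)$")  # "\tName = value"
_AUTH_PREFIX = "Authentic:  "                           # value starts at column 12


def escape_radiator(data: bytes) -> str:
    return "".join(chr(b) if 32 <= b < 127 else f"<{b}>" for b in data)


def unescape_radiator(text: str) -> bytes:
    out, i = bytearray(), 0
    while i < len(text):
        m = _ESCAPED_BYTE.match(text, i)
        if m and int(m.group(1)) < 256:
            out.append(int(m.group(1)))
            i = m.end()
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def recover_user_password(trace_lines, secret: bytes) -> bytes:
    """One packet dump plus the client's shared secret yields the cleartext."""
    authenticator = hidden = None
    for line in trace_lines:
        if line.startswith(_AUTH_PREFIX):
            authenticator = unescape_radiator(line[len(_AUTH_PREFIX):])
        m = _ATTR_LINE.match(line)
        if m and m.group(1) == "User-Password":
            hidden = unescape_radiator(m.group(2))
    if authenticator is None or hidden is None:
        raise ValueError("dump has no Authentic: line or no User-Password attribute")
    return reveal_user_password(hidden, secret, authenticator)


def scrub_trace(trace_lines, hidden_attrs=("User-Password",), mask="<password hidden>"):
    """Mask password attributes before the line is written or forwarded.
    Works on the outer RADIUS dump and on the tunnelled TTLS/PAP dump, where
    the value is cleartext and no secret is needed to read it."""
    out = []
    for line in trace_lines:
        m = _ATTR_LINE.match(line)
        if m and m.group(1) in hidden_attrs:
            line = f"\t{m.group(1)} = {mask}"
        out.append(line)
    return out


if __name__ == "__main__":
    # Constructed sample: a made-up shared secret plus the authenticator from
    # the dump above, hidden and rendered the way the dumps on this page are.
    secret = b"example-shared-secret"
    authenticator = unescape_radiator("(l)v<27><197><223><15><21><148>-<2>A9<181>Y")
    hidden = hide_user_password(b"Secret123", secret, authenticator)
    dump = [
        "Code:       Access-Request",
        _AUTH_PREFIX + escape_radiator(authenticator),
        "Attributes:",
        '\tUser-Name = "yyyy"',
        "\tUser-Password = " + escape_radiator(hidden),
    ]
    print("recovered:", recover_user_password(dump, secret))
    print("\n".join(scrub_trace(dump)))
```

Run it as a script to see the round trip: the dump, which looks "obfuscated", gives back `Secret123` as soon as the secret from the clients file is supplied, and `scrub_trace` is the shape of the fix Markus asked for, applied at the point where the packet dump is formatted rather than after the fact, since by then the line may already have been shipped to the central syslog server he mentions.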


