[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Markus Moeller huaraz at moeller.plus.com
Thu Jan 15 14:30:31 CST 2009


Hugh,

I am a bit surprised about your answer.  One of the differences between 
Tacacs+ and Radius is that Tacacs+ encrypts the whole communication between 
the NAS device and the Tacacs server and sends all AV pairs in clear through 
the encrypted "tunnel" (the same way as EAP-TLS does), whereas Radius uses 
clear text communication with an encrypted password in the password AV pair. 
So when you dump the AV pairs for Tacacs+ (and EAP-TLS) it is after 
decrypting the tunnel, so it is all visible. When you dump the AV pairs with 
Radius you still have the encrypted password.

Here is a trace 4 output, where XXX is the password.

Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXX,
Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  N<244>d]<242><195><216><219>X<176><253> <19><127><137><183>
Attributes:
        NAS-IP-Address = 10.1.3.1
        NAS-Port-Id = "tty18"
        Calling-Station-Id = "10.2.5.2"
        Service-Type = Login-User
        AuthType = tacacs
        User-Name = "markus"
        User-Password = XXX
        DeviceType = generic
        DeviceGroup = global


Regards
Markus

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Thursday, January 15, 2009 1:06 AM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using 
tacacs+ and trace 4, 5


>
> Hello Markus -
>
> Can we first of all determine whether or not Radiator logs cleartext 
> passwords?
>
> We don't think it does, but if we are wrong please correct us.
>
> Our reluctance has to do with the fact that a simple protocol sniffer 
> will show you exactly the same thing as is shown by Radiator - ie. 
> obfuscated passwords.
>
> Our reluctance is also due to the fact that a debug is meant to provide 
> all of the information needed to fix problems - and the biggest problem 
> tends to be with passwords.
>
> If you can show us that Radiator is logging cleartext passwords we will 
> look at fixing it.
>
> If Radiator is logging the same packet data as shown by a sniffer, then 
> we probably won't change anything.
>
> regards
>
> Hugh
>
>
> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
>
>> Sorry to be persistent, but I don't understand your unwillingness to 
>> hide the password during trace. Let me try to explain again why I need 
>> it.
>>
>> We want to use Radiator as main Radius and Tacacs authentication server 
>> which forwards the requests to our central Active Directory for password 
>> verification.  The server will be maintained by an operations team of 
>> several people, who from time to time need to add devices and 
>> troubleshoot issues. They are not always skilled enough to know what 
>> trace level to use (e.g. 3, 4 or higher (usually highest is best for 
>> them)), so they would see during troubleshooting user passwords which 
>> possibly go into log files. Our internal audit would not accept such a 
>> solution. They are saying "You don't leave your cash openly on your desk 
>> in the office. You will put it in the drawer even if it is unlocked to 
>> avoid any temptation."  It is not against malicious users as we know 
>> there are always ways to get around for privileged users, but they have 
>> to actively break rules to get to passwords.
>>
>> A custom solution is also not acceptable as any patch needs to be 
>> verified against the changes etc.
>>
>> Could you reconsider your answer?
>>
>> Thank you
>> Markus
>>
>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Wednesday, January 14, 2009 7:02 AM
>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when 
>> using tacacs+ and trace 4, 5
>>
>>
>>>
>>> Hello Markus -
>>>
>>> All I can suggest is your own custom code.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>>>
>>>> I still would like to see the password hidden during debug.  What 
>>>> would convince you to include it ?
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>> ----- Original Message ----- From: "Markus Moeller" <huaraz at moeller.plus.com>
>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>>>> Cc: <radiator at open.com.au>
>>>> Sent: Monday, March 10, 2008 1:11 AM
>>>> Subject: Re: (RADIATOR) Patch to hide user password when using tacacs+ and trace 4,5
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>> The User-Password attribute is encoded when Radius is used and the 
>>>>>>> logging with trace 4 or 5 does not reveal the password.
>>>>>>
>>>>>> You mean the password is not revealed because it is 
>>>>>> "mangled/obfuscated"?
>>>>>>
>>>>>
>>>>> Yes
>>>>>
>>>>>> You know the authenticator, you know the secret thus you know the
>>>>>> plaintext password when looking at your tracelevel 4 logs.
>>>>>>
>>>>>
>>>>> I also forward messages with syslog to a central syslog server for 
>>>>> monitoring (although usually not with trace 4,5 but can happen when 
>>>>> debugging)
>>>>>
>>>>>> If you say, but if joe random on that machine sees the logs he 
>>>>>> doesn't
>>>>>> know the secret, then it's a matter of the ownership/permissions  of
>>>>>> your logfiles as it would be of your radius configuration.
>>>>>>
>>>>>
>>>>> I may have logfiles readable for operators but not the clients file 
>>>>> with the secrets
>>>>>
>>>>>> A tracelevel > 3 is there for aiding in debugging and it's pretty
>>>>>> obvious that you can get a lot of information that way to find a
>>>>>> problem.  That's how the system is designed to work.
>>>>>>
>>>>>
>>>>> True, but for example the radius code has also a section commented 
>>>>> to not log the cleartext password.
>>>>>
>>>>>>
>>>>>> just my 2cts.
>>>>>>
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>>> -- 
>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
>>>>>> CK Software GmbH                        http://www.cksoft.de/
>>>>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
>>>>>> D-71131 Jettingen                       Fax: +49 7452 889 136
>>>>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer: 
>>>>>> Christian Kratzer
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive 
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>

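The trace-4 redaction Markus is asking for, written here as an added Python example rather than as a Radiator patch (it is not code from anyone in this thread or from Radiator): it masks the User-Password value in the derived RADIUS dump and masks a TACACS+ CONTINUE user_msg only when the preceding REPLY asked for a password, so the username CONTINUE stays readable. The sample trace is constructed from the lines quoted above; the status and flag values are the TACACS+ constants GETPASS = 5 and NOECHO = 1, which is what "REPLY 5, 1, Password:" in the trace carries.

```python
import re

# Constructed sample modelled on the trace-4 excerpt in the thread; the
# password is written literally so the effect of the redaction is visible.
SAMPLE_TRACE = """\
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, s3cret!,
Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
        User-Name = "markus"
        User-Password = s3cret!
        DeviceType = generic
"""

TAC_PLUS_AUTHEN_STATUS_GETPASS = 5  # server is asking the client for the password
TAC_PLUS_REPLY_FLAG_NOECHO = 1      # client must not echo the user's answer

REPLY_RE = re.compile(r"Authentication REPLY (\d+), (\d+), ")
CONTINUE_RE = re.compile(r"(Authentication CONTINUE \d+, )(.*?)(,\s*)$")
USER_PASSWORD_RE = re.compile(r"(User-Password\s*=\s*).*$")


def redact_trace(text, mask="<hidden>"):
    """Return the trace with password values replaced by `mask`.

    Rule 1: the User-Password value in the derived RADIUS dump is always masked.
    Rule 2: a CONTINUE user_msg is masked only if the last REPLY had status
    GETPASS or the NOECHO flag, so the username CONTINUE is left readable.
    """
    out = []
    expect_secret = False
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            status, flags = int(m.group(1)), int(m.group(2))
            expect_secret = (status == TAC_PLUS_AUTHEN_STATUS_GETPASS
                             or bool(flags & TAC_PLUS_REPLY_FLAG_NOECHO))
        elif expect_secret and CONTINUE_RE.search(line):
            line = CONTINUE_RE.sub(lambda mm: mm.group(1) + mask + mm.group(3), line)
            expect_secret = False  # only the answer to that prompt is secret
        line = USER_PASSWORD_RE.sub(lambda mm: mm.group(1) + mask, line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(redact_trace(SAMPLE_TRACE))
```

The state carried across the intervening "request 192, ..." line is what distinguishes the password CONTINUE from the username CONTINUE; a stateless grep on CONTINUE lines would have to hide both.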