[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
Markus Moeller
huaraz at moeller.plus.com
Wed Jan 21 15:34:43 CST 2009
Sorry, but what are your thoughts on this now?
Thank you
Markus
----- Original Message -----
From: "Markus Moeller" <huaraz at moeller.plus.com>
To: "Hugh Irvine" <hugh at open.com.au>
Cc: <radiator at open.com.au>
Sent: Thursday, January 15, 2009 8:30 PM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
> Hugh,
>
> I am a bit surprised about your answer. One of the differences between
> Tacacs+ and Radius is that Tacacs+ encrypts the whole communication
> between the NAS device and the Tacacs server and sends all AV pairs in
> clear through the encrypted "tunnel" (The same way as EAP-TLS does),
> whereas Radius uses clear text communication with an encrypted password in
> the password AV pair. So when you dump the AV pairs for Tacacs+ (and
> EAP-TLS) it is after decrypting the tunnel, so it is all visible. When you
> dump the AV pairs with Radius you have still the encrypted password.
>
> Here is a trace 4 output, where XXX is the password.
>
> Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication
> CONTINUE 0, markus,
> Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY
> 5, 1, Password: ,
> Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5,
> 0, 3401247729, 14
> Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication
> CONTINUE 0, XXX,
> Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: N<244>d]<242><195><216><219>X<176><253> <19><127><137><183>
> Attributes:
> NAS-IP-Address = 10.1.3.1
> NAS-Port-Id = "tty18"
> Calling-Station-Id = "10.2.5.2"
> Service-Type = Login-User
> AuthType = tacacs
> User-Name = "markus"
> User-Password = XXX
> DeviceType = generic
> DeviceGroup = global
>
>
> Regards
> Markus
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Thursday, January 15, 2009 1:06 AM
> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using
> tacacs+ and trace 4, 5
>
>
>>
>> Hello Markus -
>>
>> Can we first of all determine whether or not Radiator logs cleartext
>> passwords?
>>
>> We don't think it does, but if we are wrong please correct us.
>>
>> Our reluctance has to do with the fact that a simple protocol sniffer
>> will show you exactly the same thing as is shown by Radiator - ie.
>> obfuscated passwords.
>>
>> Our reluctance is also due to the fact that a debug is meant to provide
>> all of the information needed to fix problems - and the biggest problem
>> tends to be with passwords.
>>
>> If you can show us that Radiator is logging cleartext passwords we will
>> look at fixing it.
>>
>> If Radiator is logging the same packet data as shown by a sniffer, then
>> we probably won't change anything.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
>>
>>> Sorry to be persistent, but I don't understand your unwillingness to
>>> hide the password during trace. Let me try to explain again why I need
>>> it.
>>>
>>> We want to use Radiator as main Radius and Tacacs authentication
>>> server which forwards the requests to our central Active Directory for
>>> password verification. The server will be maintained by an operations
>>> team of several people, who from time to time need to add devices and
>>> troubleshoot issues. They are not always skilled enough to know what
>>> trace level to use (e.g. 3,4 or higher (usually highest is best for
>>> them)), so they would see during troubleshooting user passwords which
>>> possibly go into log files. Our internal audit would not accept such a
>>> solution. They are saying "You don't leave your cash openly on your
>>> desk in the office. You will put it in the drawer even if it is
>>> unlocked to avoid any temptation." It is not against malicious users
>>> as we know there are always ways to get around for privileged users,
>>> but they have to actively break rules to get to passwords.
>>>
>>> A custom solution is also not acceptable as any patch needs to be
>>> verified against the changes etc....
>>>
>>> Could you reconsider your answer?
>>>
>>> Thank you
>>> Markus
>>>
>>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> Cc: <radiator at open.com.au>
>>> Sent: Wednesday, January 14, 2009 7:02 AM
>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>>> using tacacs+ and trace 4, 5
>>>
>>>
>>>>
>>>> Hello Markus -
>>>>
>>>> All I can suggest is your own custom code.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>>>>
>>>>> I still would like to see the password hidden during debug. What
>>>>> would convince you to include it?
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>> ----- Original Message ----- From: "Markus Moeller"
>>>>> <huaraz at moeller.plus.com>
>>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>>>>> Cc: <radiator at open.com.au>
>>>>> Sent: Monday, March 10, 2008 1:11 AM
>>>>> Subject: Re: (RADIATOR) Patch to hide user password when using tacacs
>>>>> + and trace 4,5
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>> The User-Password attribute is encoded when Radius is used and
>>>>>>>> the logging with trace 4 or 5 does not reveal the password.
>>>>>>>
>>>>>>> You mean the password is not revealed because it is "mangled/
>>>>>>> obfuscated"?
>>>>>>>
>>>>>>
>>>>>> Yes
>>>>>>
>>>>>>> You know the authenticator, you know the secret thus you know the
>>>>>>> plaintext password when looking at your tracelevel 4 logs.
>>>>>>>
>>>>>>
>>>>>> I also forward messages with syslog to a central syslog server for
>>>>>> monitoring (although usually not with trace 4,5 but can happen
>>>>>> when debugging)
>>>>>>
>>>>>>> If you say, but if joe random on that machine sees the logs he
>>>>>>> doesn't
>>>>>>> know the secret, then it's a matter of the ownership/permissions of
>>>>>>> your logfiles as it would be of your radius configuration.
>>>>>>>
>>>>>>
>>>>>> I may have logfiles readable for operators but not the clients file
>>>>>> with the secrets
>>>>>>
>>>>>>> A tracelevel > 3 is there for aiding in debugging and it's pretty
>>>>>>> obvious that you can get a lot of information that way to find a
>>>>>>> problem. That's how the system is designed to work.
>>>>>>>
>>>>>>
>>>>>> True, but for example the radius code has also a section commented
>>>>>> to not log the cleartext password.
>>>>>>
>>>>>>>
>>>>>>> just my 2cts.
>>>>>>>
>>>>>>
>>>>>> Thank you
>>>>>> Markus
>>>>>>
>>>>>>> --
>>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb Research & Development
>>>>>>> CK Software GmbH http://www.cksoft.de/
>>>>>>> Schwarzwaldstr. 31 Phone: +49 7452 889 135
>>>>>>> D-71131 Jettingen Fax: +49 7452 889 136
>>>>>>> HRB245288, Amtsgericht Stuttgart Geschaeftsfuehrer: Christian
>>>>>>> Kratzer
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au
>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive
>>>> (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>> Have you checked the RadiusExpert wiki:
>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> Includes support for reliable RADIUS transport (RadSec),
>>>> and DIAMETER translation agent.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>
>>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
>
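As an added illustration of the two points argued in this thread (this is not code from Radiator or from any of the posters): first, how RFC 2865 section 5.2 hides User-Password with MD5 over the shared secret and the Request Authenticator, which is why a RADIUS trace shows an obfuscated value, and why, as Bjoern notes, anyone holding both the secret and the trace can recover it; second, a redaction filter for trace output of the shape quoted above that masks the TACACS+ CONTINUE message following a "Password:" prompt and the User-Password attribute of the derived Radius request. The trace lines are constructed to resemble the quoted ones with an invented password; reading the REPLY fields as status and flags (status 5 being TAC_PLUS_AUTHEN_STATUS_GETPASS) is my interpretation of the quoted format, not something the thread states.

```python
# Added example, not Radiator code. (1) RFC 2865 s5.2 User-Password hiding, the
# reason a RADIUS trace shows an obfuscated value; (2) a redaction filter for
# trace lines shaped like the ones quoted in the thread. Sample trace lines
# below are constructed, with an invented password.
import hashlib
import re


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password with NULs to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous output block); for the first block
    the 'previous block' is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password. The RADIUS server does exactly this, so a
    trace plus the shared secret is as sensitive as a cleartext log."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    # Strip RFC padding; passwords ending in NUL are not representable anyway.
    return bytes(out).rstrip(b"\x00")


# Assumption: "REPLY <status>, <flags>, ..." in the trace; status 5 is GETPASS.
TAC_PLUS_AUTHEN_STATUS_GETPASS = 5
TACACS_REPLY_RE = re.compile(r"TacacsplusConnection Authentication REPLY (\d+), (\d+),")
TACACS_CONTINUE_RE = re.compile(r"^(.*TacacsplusConnection Authentication CONTINUE \d+, ).*$")
RADIUS_PW_RE = re.compile(r"^(\s*User-Password\s*=\s*).*$")


def redact_trace(text: str) -> str:
    """Mask secrets in trace text: the CONTINUE message that answers a GETPASS
    reply (the TACACS+ password) and any User-Password attribute in a packet dump.
    Usernames and every other field are left intact for troubleshooting."""
    out, expect_password = [], False
    for line in text.splitlines():
        m = TACACS_REPLY_RE.search(line)
        if m:
            expect_password = int(m.group(1)) == TAC_PLUS_AUTHEN_STATUS_GETPASS
            out.append(line)
            continue
        m = TACACS_CONTINUE_RE.match(line)
        if m and expect_password:
            out.append(m.group(1) + "<hidden>,")
            expect_password = False
            continue
        out.append(RADIUS_PW_RE.sub(r"\1<hidden>", line))
    return "\n".join(out)


# Constructed trace, modelled on the thread's trace 4 output (password invented).
SAMPLE_TRACE = """\
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, s3cret,
Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Attributes:
\tUser-Name = "markus"
\tUser-Password = s3cret
"""

if __name__ == "__main__":
    secret, auth = b"testing123", bytes(range(16))  # constructed values
    hidden = hide_user_password(b"s3cret", secret, auth)
    print("hidden User-Password:", hidden.hex())
    print("revealed with secret:", reveal_user_password(hidden, secret, auth))
    print(redact_trace(SAMPLE_TRACE))
```

The redactor is deliberately stateful: in TACACS+ the CONTINUE packet carrying the password looks exactly like the one carrying the username, so the only reliable cue is the preceding GETPASS reply. The RADIUS case needs no state because the attribute is named in the dump.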