[RADIATOR] (RADIATOR) Patch to hide user password when usingtacacs+ and trace 4, 5
Mike McCauley
mikem at open.com.au
Sat Jan 24 17:37:09 CST 2009
Hello Markus,
On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
> Sorry, but what are your thoughts on this now ?
We have now made changes to Tacacs+ authentication so that the plaintext
password is not logged, even at DEBUG level.
The change is now in the latest patch set.
Thanks for your suggestion.
Cheers.
>
> Thank you
> Markus
>
> ----- Original Message -----
> From: "Markus Moeller" <huaraz at moeller.plus.com>
> To: "Hugh Irvine" <hugh at open.com.au>
> Cc: <radiator at open.com.au>
> Sent: Thursday, January 15, 2009 8:30 PM
> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> usingtacacs+ and trace 4, 5
>
> > Hugh,
> >
> > I am a bit surprised about your answer. One of the differences between
> > Tacacs+ and Radius is that Tacacs+ encrypts the whole communication
> > between the NAS device and the Tacacs server and sends all AV pairs in
> > clear through the encrypted "tunnel" (The same way as EAP-TLS does),
> > whereas Radius uses clear text communication with an encrypted password
> > in the password AV pair. So when you dump the AV pairs for Tacacs+ (and
> > EAP-TLS) it is after decrypting the tunnel, so it is all visible. When
> > you dump the AV pairs with Radius you have still the encrypted password.
> >
> > Here is a trace 4 output, where XXX is the password.
> >
> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication
> > CONTINUE 0, markus,
> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication
> > REPLY 5, 1, Password: ,
> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5,
> > 0, 3401247729, 14
> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication
> > CONTINUE 0, XXX,
> > Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet
> > dump:
> > Code: Access-Request
> > Identifier: UNDEF
> > Authentic: N<244>d]<242><195><216><219>X<176><253> <19><127><137><183>
> > Attributes:
> > NAS-IP-Address = 10.1.3.1
> > NAS-Port-Id = "tty18"
> > Calling-Station-Id = "10.2.5.2"
> > Service-Type = Login-User
> > AuthType = tacacs
> > User-Name = "markus"
> > User-Password = XXX
> > DeviceType = generic
> > DeviceGroup = global
> >
> >
> > Regards
> > Markus
> >
> > ----- Original Message -----
> > From: "Hugh Irvine" <hugh at open.com.au>
> > To: "Markus Moeller" <huaraz at moeller.plus.com>
> > Cc: <radiator at open.com.au>
> > Sent: Thursday, January 15, 2009 1:06 AM
> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using
> > tacacs+ and trace 4, 5
> >
> >> Hello Markus -
> >>
> >> Can we first of all determine whether or not Radiator logs cleartext
> >> passwords?
> >>
> >> We don't think it does, but if we are wrong please correct us.
> >>
> >> Our reluctance has to do with the fact that a simple protocol sniffer
> >> will show you exactly the same thing as is shown by Radiator - ie.
> >> obfuscated passwords.
> >>
> >> Our reluctance is also due to the fact that a debug is meant to provide
> >> all of the information needed to fix problems - and the biggest problem
> >> tends to be with passwords.
> >>
> >> If you can show us that Radiator is logging cleartext passwords we will
> >> look at fixing it.
> >>
> >> If Radiator is logging the same packet data as shown by a sniffer, then
> >> we probably won't change anything.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
> >>> Sorry to be persistent, but I don't understand your unwillingness to
> >>> hide the password during trace. Let me try to explain again why I need
> >>> it.
> >>>
> >>> We want to use Radiator as main Radius and Tacacs authentication
> >>> server which forwards the requests to our central Active Directory for
> >>> password verification. The server will be maintained by an operations
> >>> team of several people, who from time to time need to add devices and
> >>> troubleshoot issues. They are not always skilled enough to know what
> >>> trace level to use (e.g. 3,4 or higher (usually highest is best for
> >>> them)), so they would see during troubleshooting user passwords which
> >>> possibly go into log files. Our internal audit would not accept such a
> >>> solution. They are saying "You don't leave your cash openly on your
> >>> desk in the office. You will put it in the drawer even if it is
> >>> unlocked to avoid any temptation." It is not against malicious users
> >>> as we know there are always ways to get around for privileged users,
> >>> but they have to actively break rules to get to passwords.
> >>>
> >>> A custom solution is also not acceptable as any patch needs to be
> >>> verified against the changes etc....
> >>>
> >>> Could you reconsider your answer ?
> >>>
> >>> Thank you
> >>> Markus
> >>>
> >>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> >>> To: "Markus Moeller" <huaraz at moeller.plus.com>
> >>> Cc: <radiator at open.com.au>
> >>> Sent: Wednesday, January 14, 2009 7:02 AM
> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> >>> using tacacs+ and trace 4, 5
> >>>
> >>>> Hello Markus -
> >>>>
> >>>> All I can suggest is your own custom code.
> >>>>
> >>>> regards
> >>>>
> >>>> Hugh
> >>>>
> >>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
> >>>>> I still would like to see the password hidden during debug. What
> >>>>> would convince you to include it ?
> >>>>>
> >>>>> Thank you
> >>>>> Markus
> >>>>>
> >>>>> ----- Original Message ----- From: "Markus Moeller"
> >>>>> <huaraz at moeller.plus.com
> >>>>>
> >>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
> >>>>> Cc: <radiator at open.com.au>
> >>>>> Sent: Monday, March 10, 2008 1:11 AM
> >>>>> Subject: Re: (RADIATOR) Patch to hide user password when using
> >>>>> tacacs + and trace 4,5
> >>>>>
> >>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>>> The User-Password attribute is encoded when Radius is used and
> >>>>>>>> the logging with trace 4 or 5 does not reveal the password.
> >>>>>>>
> >>>>>>> You mean the password is not revealed because it is "mangled/
> >>>>>>> obfuscated"?
> >>>>>>
> >>>>>> Yes
> >>>>>>
> >>>>>>> You know the authenticator, you know the secret thus you know the
> >>>>>>> plaintext password when looking at your tracelevel 4 logs.
> >>>>>>
> >>>>>> I also forward messages with syslog to a central syslog server for
> >>>>>> monitoring (although usually not with trace 4,5 but can happen
> >>>>>> when debugging)
> >>>>>>
> >>>>>>> If you say, but if joe random on that machine sees the logs he
> >>>>>>> doesn't
> >>>>>>> know the secret, then it's a matter of the ownership/permissions
> >>>>>>> of your logfiles as it would be of your radius configuration.
> >>>>>>
> >>>>>> I may have logfiles readable for operators but not the clients file
> >>>>>> with the secrets
> >>>>>>
> >>>>>>> A tracelevel > 3 is there for aiding in debugging and it's pretty
> >>>>>>> obvious that you can get a lot of information that way to find a
> >>>>>>> problem. That's how the system is designed to work.
> >>>>>>
> >>>>>> True, but for example the radius code has also a section commented
> >>>>>> to not log the cleartext password.
> >>>>>>
> >>>>>>> just my 2cts.
> >>>>>>
> >>>>>> Thank you
> >>>>>> Markus
> >>>>>>
> >>>>>>> --
> >>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb Research & Development
> >>>>>>> CK Software GmbH http://www.cksoft.de/
> >>>>>>> Schwarzwaldstr. 31 Phone: +49 7452 889 135
> >>>>>>> D-71131 Jettingen Fax: +49 7452 889 136
> >>>>>>> HRB245288, Amtsgericht Stuttgart Geschaeftsfuehrer:
> >>>>>>> Christian Kratzer
> >>>>>>
> >>>>>> --
> >>>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>>> Announcements on radiator-announce at open.com.au
> >>>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>
> >>>>> _______________________________________________
> >>>>> radiator mailing list
> >>>>> radiator at open.com.au
> >>>>> http://www.open.com.au/mailman/listinfo/radiator
> >>>>
> >>>> NB:
> >>>>
> >>>> Have you read the reference manual ("doc/ref.html")?
> >>>> Have you searched the mailing list archive
> >>>> (www.open.com.au/archives/radiator)?
> >>>> Have you had a quick look on Google (www.google.com)?
> >>>> Have you included a copy of your configuration file (no secrets),
> >>>> together with a trace 4 debug showing what is happening?
> >>>> Have you checked the RadiusExpert wiki:
> >>>> http://www.open.com.au/wiki/index.php/Main_Page
> >>>>
> >>>> --
> >>>> Radiator: the most portable, flexible and configurable RADIUS server
> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>> Includes support for reliable RADIUS transport (RadSec),
> >>>> and DIAMETER translation agent.
> >>>> -
> >>>> Nets: internetwork inventory and management - graphical, extensible,
> >>>> flexible with hardware, software, platform and database independence.
> >>>> -
> >>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>
> >
>
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
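As an added example (not Radiator's code and not from anyone in the thread): the RFC 2865 User-Password hiding that Bjoern and Markus discuss, showing that anyone holding the log and the shared secret can invert it, plus a redaction pass over trace 4 lines shaped like Markus's dump. The secret, authenticator and sample trace lines are constructed for the example.

```python
import hashlib
import re

# RFC 2865 section 5.2: the password is NUL-padded to a multiple of 16 bytes and
# each block is XORed with MD5(secret + previous block), the first "previous
# block" being the 16-byte Request Authenticator.
def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Anyone holding the log (authenticator + hidden attribute) and the shared
    # secret from the clients file can invert the hiding: obfuscation, not encryption.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")

# Constructed trace 4 lines with the shapes seen in the thread (wrapped lines joined).
SAMPLE_TRACE = [
    "DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,",
    "DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,",
    "DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXX,",
    "DEBUG: TACACSPLUS derived Radius request packet dump:",
    "User-Name = \"markus\"",
    "User-Password = XXX",
]

def redact_trace(lines):
    """Mask the TACACS+ password reply and the derived User-Password attribute."""
    out, expect_password = [], False
    for line in lines:
        if "Authentication REPLY" in line and "Password:" in line:
            expect_password = True   # the next CONTINUE carries the user's answer
        elif expect_password and "Authentication CONTINUE" in line:
            line = re.sub(r"(CONTINUE \d+, ).*", r"\1<hidden>,", line)
            expect_password = False
        else:
            line = re.sub(r"^(\s*User-Password = ).*$", r"\1<hidden>", line)
        out.append(line)
    return out
```

The username CONTINUE is left intact; only the CONTINUE that answers a "Password:" prompt and the derived User-Password attribute are masked.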