[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Markus Moeller huaraz at moeller.plus.com
Sun Jan 25 05:25:15 CST 2009


Thank you
Markus

----- Original Message ----- 
From: "Mike McCauley" <mikem at open.com.au>
To: <radiator at open.com.au>
Cc: "Markus Moeller" <huaraz at moeller.plus.com>
Sent: Saturday, January 24, 2009 11:37 PM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5


> Hello Markus,
>
>
> On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
>> Sorry, but what are your thoughts on this now ?
>
> We have now made changes to Tacacs+ authentication so that the plaintext
> password is not logged, even at DEBUG level.
>
> The change is now in the latest patch set.
>
> Thanks for your suggestion.
>
> Cheers.
>
>>
>> Thank you
>> Markus
>>
>> ----- Original Message -----
>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>> To: "Hugh Irvine" <hugh at open.com.au>
>> Cc: <radiator at open.com.au>
>> Sent: Thursday, January 15, 2009 8:30 PM
>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
>>
>> > Hugh,
>> >
>> > I am a bit surprised about your answer. One of the differences between
>> > Tacacs+ and Radius is that Tacacs+ encrypts the whole communication
>> > between the NAS device and the Tacacs server and sends all AV pairs in
>> > clear through the encrypted "tunnel" (the same way as EAP-TLS does),
>> > whereas Radius uses clear text communication with an encrypted password
>> > in the password AV pair. So when you dump the AV pairs for Tacacs+ (and
>> > EAP-TLS) it is after decrypting the tunnel, so it is all visible. When
>> > you dump the AV pairs with Radius you still have the encrypted password.
>> >
>> > Here is a trace 4 output, where XXX is the password.
>> >
>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14
>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXX,
>> > Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
>> > Code:       Access-Request
>> > Identifier: UNDEF
>> > Authentic:  N<244>d]<242><195><216><219>X<176><253> <19><127><137><183>
>> > Attributes:
>> >        NAS-IP-Address = 10.1.3.1
>> >        NAS-Port-Id = "tty18"
>> >        Calling-Station-Id = "10.2.5.2"
>> >        Service-Type = Login-User
>> >        AuthType = tacacs
>> >        User-Name = "markus"
>> >        User-Password = XXX
>> >        DeviceType = generic
>> >        DeviceGroup = global
>> >
>> >
>> > Regards
>> > Markus
>> >
>> > ----- Original Message -----
>> > From: "Hugh Irvine" <hugh at open.com.au>
>> > To: "Markus Moeller" <huaraz at moeller.plus.com>
>> > Cc: <radiator at open.com.au>
>> > Sent: Thursday, January 15, 2009 1:06 AM
>> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
>> >
>> >> Hello Markus -
>> >>
>> >> Can we first of all determine whether or not Radiator logs cleartext
>> >> passwords?
>> >>
>> >> We don't think it does, but if we are wrong please correct us.
>> >>
>> >> Our reluctance has to do with the fact that a simple protocol sniffer
>> >> will show you exactly the same thing as is shown by Radiator - i.e.
>> >> obfuscated passwords.
>> >>
>> >> Our reluctance is also due to the fact that a debug is meant to provide
>> >> all of the information needed to fix problems - and the biggest problem
>> >> tends to be with passwords.
>> >>
>> >> If you can show us that Radiator is logging cleartext passwords we will
>> >> look at fixing it.
>> >>
>> >> If Radiator is logging the same packet data as shown by a sniffer, then
>> >> we probably won't change anything.
>> >>
>> >> regards
>> >>
>> >> Hugh
>> >>
>> >> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
>> >>> Sorry to be persistent, but I don't understand your unwillingness to
>> >>> hide the password during trace. Let me try to explain again why I need
>> >>> it.
>> >>>
>> >>> We want to use Radiator as main Radius and Tacacs authentication
>> >>> server which forwards the requests to our central Active Directory for
>> >>> password verification. The server will be maintained by an operations
>> >>> team of several people, who from time to time need to add devices and
>> >>> troubleshoot issues. They are not always skilled enough to know what
>> >>> trace level to use (e.g. 3, 4 or higher (usually highest is best for
>> >>> them)), so they would see during troubleshooting user passwords which
>> >>> possibly go into log files. Our internal audit would not accept such a
>> >>> solution. They are saying "You don't leave your cash openly on your
>> >>> desk in the office. You will put it in the drawer even if it is
>> >>> unlocked to avoid any temptation." It is not against malicious users
>> >>> as we know there are always ways to get around for privileged users,
>> >>> but they have to actively break rules to get to passwords.
>> >>>
>> >>> A custom solution is also not acceptable as any patch needs to be
>> >>> verified against the changes etc.
>> >>>
>> >>> Could you reconsider your answer?
>> >>>
>> >>> Thank you
>> >>> Markus
>> >>>
>> >>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> >>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> >>> Cc: <radiator at open.com.au>
>> >>> Sent: Wednesday, January 14, 2009 7:02 AM
>> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>> >>> using tacacs+ and trace 4, 5
>> >>>
>> >>>> Hello Markus -
>> >>>>
>> >>>> All I can suggest is your own custom code.
>> >>>>
>> >>>> regards
>> >>>>
>> >>>> Hugh
>> >>>>
>> >>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>> >>>>> I still would like to see the password hidden during debug.  What
>> >>>>> would convince you to include it ?
>> >>>>>
>> >>>>> Thank you
>> >>>>> Markus
>> >>>>>
>> >>>>> ----- Original Message ----- From: "Markus Moeller" <huaraz at moeller.plus.com>
>> >>>>>
>> >>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>> >>>>> Cc: <radiator at open.com.au>
>> >>>>> Sent: Monday, March 10, 2008 1:11 AM
>> >>>>> Subject: Re: (RADIATOR) Patch to hide user password when using
>> >>>>> tacacs+ and trace 4,5
>> >>>>>
>> >>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>> >>>>>>>
>> >>>>>>> Hi,
>> >>>>>>>
>> >>>>>>>> The User-Password attribute is encoded when Radius is used and
>> >>>>>>>> the logging with trace 4 or 5 does not reveal the password.
>> >>>>>>>
>> >>>>>>> You mean the password is not revealed because it is "mangled/obfuscated"?
>> >>>>>>
>> >>>>>> Yes
>> >>>>>>
>> >>>>>>> You know the authenticator, you know the secret thus you know the
>> >>>>>>> plaintext password when looking at your tracelevel 4 logs.
>> >>>>>>
>> >>>>>> I also forward messages with syslog to a central syslog server for
>> >>>>>> monitoring (although usually not with trace 4,5 but can happen
>> >>>>>> when debugging)
>> >>>>>>
>> >>>>>>> If you say, but if joe random on that machine sees the logs he doesn't
>> >>>>>>> know the secret, then it's a matter of the ownership/permissions
>> >>>>>>> of your logfiles as it would be of your radius configuration.
>> >>>>>>
>> >>>>>> I may have logfiles readable for operators but not the clients file
>> >>>>>> with the secrets
>> >>>>>>
>> >>>>>>> A tracelevel > 3 is there for aiding in debugging and it's pretty
>> >>>>>>> obvious that you can get a lot of information that way to find a
>> >>>>>>> problem.  That's how the system is designed to work.
>> >>>>>>
>> >>>>>> True, but for example the radius code has also a section commented
>> >>>>>> to not log the cleartext password.
>> >>>>>>
>> >>>>>>> just my 2cts.
>> >>>>>>
>> >>>>>> Thank you
>> >>>>>> Markus
>> >>>>>>
>> >>>>>>> --
>> >>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
>> >>>>>>> CK Software GmbH                        http://www.cksoft.de/
>> >>>>>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
>> >>>>>>> D-71131 Jettingen                       Fax: +49 7452 889 136
>> >>>>>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer: Christian Kratzer
>> >>>>>>
>> >>>>>> --
>> >>>>>> Archive at http://www.open.com.au/archives/radiator/
>> >>>>>> Announcements on radiator-announce at open.com.au
>> >>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>> >>>>>> 'unsubscribe radiator' in the body of the message.
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> radiator mailing list
>> >>>>> radiator at open.com.au
>> >>>>> http://www.open.com.au/mailman/listinfo/radiator
>> >>>>
>> >>>> NB:
>> >>>>
>> >>>> Have you read the reference manual ("doc/ref.html")?
>> >>>> Have you searched the mailing list archive
>> >>>> (www.open.com.au/archives/radiator)?
>> >>>> Have you had a quick look on Google (www.google.com)?
>> >>>> Have you included a copy of your configuration file (no secrets),
>> >>>> together with a trace 4 debug showing what is happening?
>> >>>> Have you checked the RadiusExpert wiki:
>> >>>> http://www.open.com.au/wiki/index.php/Main_Page
>> >>>>
>> >>>> --
>> >>>> Radiator: the most portable, flexible and configurable RADIUS server
>> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> >>>> Includes support for reliable RADIUS transport (RadSec),
>> >>>> and DIAMETER translation agent.
>> >>>> -
>> >>>> Nets: internetwork inventory and management - graphical, extensible,
>> >>>> flexible with hardware, software, platform and database independence.
>> >>>> -
>> >>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>> >>
>
>
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia 
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 
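As an added example (not Radiator's code, and not from anyone in this thread), the two mechanisms the discussion contrasts, written out so the difference is concrete. `radius_hide_password` is the RFC 2865 section 5.2 User-Password hiding that Bjoern refers to: an XOR with an MD5 keystream derived from the shared secret and the Request Authenticator, which is why a trace plus the clients file is equivalent to the plaintext and the two should not share the same readers. `redact_trace` is a log filter over the trace 4 lines Markus quoted (the poster had already replaced the real password with XXX): it masks the TACACS+ CONTINUE that answers the password prompt and the derived `User-Password` AV pair while leaving the username and the protocol flow readable. The function names, the regular expressions and the assumption that lines follow exactly the layout shown in the quoted trace are mine; this is not the change Mike describes shipping.

```python
# Added example, not Radiator code: RFC 2865 User-Password hiding and a
# redaction filter for Radiator-style TACACS+ trace 4 lines.
import hashlib
import re

MASK = "<hidden>"


def md5_pad(secret: bytes, prev: bytes) -> bytes:
    """One 16-octet keystream block: MD5(secret + previous ciphertext block)."""
    return hashlib.md5(secret + prev).digest()


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 octets,
    then XOR block i with MD5(secret + c[i-1]); c[-1] is the Request
    Authenticator. Anyone holding the secret and the trace can undo it."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    blocks = max(1, -(-len(password) // 16))          # at least one block
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], md5_pad(secret, prev)))
        out += cipher
        prev = cipher
    return bytes(out)


# Trace lines as quoted in the thread (password already replaced by XXX by
# the poster); wrapped lines re-joined.
SAMPLE_TRACE = [
    "Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,",
    "Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,",
    "Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14",
    "Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXX,",
    "Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:",
    "Code:       Access-Request",
    "Attributes:",
    '       User-Name = "markus"',
    "       User-Password = XXX",
    "       DeviceType = generic",
]

# Where the plaintext appears in those lines (assumed layout, from the quote):
#  - the CONTINUE that answers a "Password: " REPLY carries the password
#  - the derived Radius dump carries it again as User-Password
PASSWORD_PROMPT = re.compile(r"TacacsplusConnection Authentication REPLY \d+, \d+, Password: ")
CONTINUE_LINE = re.compile(r"^(.*TacacsplusConnection Authentication CONTINUE \d+, ).*$")
PASSWORD_ATTR = re.compile(r"^(\s*User-Password\s*=\s*).*$")


def redact_trace(lines):
    """Return a redacted copy of the trace. The filter is stateful: only the
    CONTINUE following a password prompt is masked, so the earlier CONTINUE
    carrying the username stays visible for troubleshooting."""
    out, expect_password = [], False
    for line in lines:
        if PASSWORD_PROMPT.search(line):
            expect_password = True
        elif expect_password and (m := CONTINUE_LINE.match(line)):
            line = m.group(1) + MASK + ","
            expect_password = False
        elif (m := PASSWORD_ATTR.match(line)):
            line = m.group(1) + MASK
        out.append(line)
    return out


if __name__ == "__main__":
    for line in redact_trace(SAMPLE_TRACE):
        print(line)
```

The stateful rule is deliberate: masking every CONTINUE would also hide the username, which operators need when they troubleshoot; masking only the reply to the password prompt keeps the trace useful while meeting the audit requirement Markus describes. The filter is a stop-gap for log pipelines (for instance in front of the syslog forwarder mentioned above) on installations that do not yet have the patched Tacacs+ authentication.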