[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Markus Moeller huaraz at moeller.plus.com
Fri Jun 5 14:54:14 CDT 2009


Sorry it seems I overlooked another place where the TACACS password is 
logged in clear.

Would it be possible to change in line 573 in ServerTACACSPLUS.pm  the 
following:

    &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $tp->dump)
        if (&main::willLog($main::LOG_DEBUG, $self->{parent}));

to (or similar):

    my $dump = $tp->dump;
    $dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
    $dump =~ s/User-Password = .*$/User-Password = XXX/g;
    &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $dump)
        if (&main::willLog($main::LOG_DEBUG, $self->{parent}));

Thank you
Markus
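
A more general form of the substitution proposed above, as an added example that is not part of the original post or of Radiator's code: a single multi-line regex masks every listed attribute, including one on an unterminated last line. The helper name `redact_dump`, the `@SENSITIVE` list and the sample dump (modelled on the trace quoted below, with made-up values) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Attributes whose values must never reach a log. User-Password is the one
# named in this thread; the list itself is an assumption of this example.
my @SENSITIVE = ('User-Password');

# redact_dump() is a hypothetical helper, not a Radiator function.
# It masks the value of every sensitive attribute line in a packet dump,
# quoted or unquoted, with or without a trailing newline.
sub redact_dump {
    my ($dump) = @_;
    my $names = join '|', map { quotemeta($_) } @SENSITIVE;
    # /m lets ^ and $ match at every line, so one substitution covers both
    # cases that the two regexes in the post handle separately.
    $dump =~ s/^([ \t]*(?:$names)[ \t]*=[ \t]*).*$/${1}XXX/mg;
    return $dump;
}

# Constructed sample dump; the password values are made up.
my $dump = <<'END';
Code:       Access-Request
Identifier: UNDEF
Attributes:
        NAS-IP-Address = 10.1.3.1
        User-Name = "markus"
        User-Password = constructed-secret-1
        DeviceType = generic
        User-Password = "constructed secret 2"
END
chomp $dump;    # leave the last attribute line without a newline

my $safe = redact_dump($dump);

# Fail loudly if any sample password survived the redaction.
die "password leaked into log text\n" if $safe =~ /constructed/;

# Only the redacted text is handed on to the logger.
print $safe, "\n";
```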



----- Original Message ----- 
From: "Markus Moeller" <huaraz at moeller.plus.com>
To: "Mike McCauley" <mikem at open.com.au>; <radiator at open.com.au>
Sent: Sunday, January 25, 2009 12:25 PM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using
tacacs+ and trace 4, 5


> Thank you
> Markus
>
> ----- Original Message ----- 
> From: "Mike McCauley" <mikem at open.com.au>
> To: <radiator at open.com.au>
> Cc: "Markus Moeller" <huaraz at moeller.plus.com>
> Sent: Saturday, January 24, 2009 11:37 PM
> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> using tacacs+ and trace 4, 5
>
>
>> Hello Markus,
>>
>>
>> On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
>>> Sorry, but what are your thoughts on this now ?
>>
>> We have now made changes to Tacacs+ authentication so that the plaintext
>> password is not logged, even at DEBUG level.
>>
>> The change is now in the latest patch set.
>>
>> Thanks for your suggestion.
>>
>> Cheers.
>>
>>>
>>> Thank you
>>> Markus
>>>
>>> ----- Original Message -----
>>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>>> To: "Hugh Irvine" <hugh at open.com.au>
>>> Cc: <radiator at open.com.au>
>>> Sent: Thursday, January 15, 2009 8:30 PM
>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>>> usingtacacs+ and trace 4, 5
>>>
>>> > Hugh,
>>> >
>>> > I am a bit surprised about your answer.  One of the differences between
>>> > Tacacs+ and Radius is that Tacacs+ encrypts the whole communication
>>> > between the NAS device and the Tacacs server and sends all AV pairs in
>>> > clear through the encrypted "tunnel" (The same way as EAP-TLS does),
>>> > whereas Radius uses clear text communication with an encrypted password
>>> > in the password AV pair. So when you dump the AV pairs for Tacacs+ (and
>>> > EAP-TLS) it is after decrypting the tunnel, so it is all visible. When
>>> > you dump the AV pairs with Radius you have still the encrypted password.
>>> >
>>> > Here is a trace 4 output, where XXX is the password.
>>> >
>>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
>>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
>>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14
>>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXX,
>>> > Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
>>> > Code:       Access-Request
>>> > Identifier: UNDEF
>>> > Authentic:  N<244>d]<242><195><216><219>X<176><253> <19><127><137><183>
>>> > Attributes:
>>> >        NAS-IP-Address = 10.1.3.1
>>> >        NAS-Port-Id = "tty18"
>>> >        Calling-Station-Id = "10.2.5.2"
>>> >        Service-Type = Login-User
>>> >        AuthType = tacacs
>>> >        User-Name = "markus"
>>> >        User-Password = XXX
>>> >        DeviceType = generic
>>> >        DeviceGroup = global
>>> >
>>> >
>>> > Regards
>>> > Markus
>>> >
>>> > ----- Original Message -----
>>> > From: "Hugh Irvine" <hugh at open.com.au>
>>> > To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> > Cc: <radiator at open.com.au>
>>> > Sent: Thursday, January 15, 2009 1:06 AM
>>> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when 
>>> > using
>>> > tacacs+ and trace 4, 5
>>> >
>>> >> Hello Markus -
>>> >>
>>> >> Can we first of all determine whether or not Radiator logs cleartext
>>> >> passwords?
>>> >>
>>> >> We don't think it does, but if we are wrong please correct us.
>>> >>
>>> >> Our reluctance has to do with the fact that a simple protocol sniffer
>>> >> will show you exactly the same thing as is shown by Radiator - ie.
>>> >> obfuscated passwords.
>>> >>
>>> >> Our reluctance is also due to the fact that a debug is meant to provide
>>> >> all of the information needed to fix problems - and the biggest problem
>>> >> tends to be with passwords.
>>> >>
>>> >> If you can show us that Radiator is logging cleartext passwords we will
>>> >> look at fixing it.
>>> >>
>>> >> If Radiator is logging the same packet data as shown by a sniffer, then
>>> >> we probably won't change anything.
>>> >>
>>> >> regards
>>> >>
>>> >> Hugh
>>> >>
>>> >> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
>>> >>> Sorry to be persistent, but I don't understand your unwillingness to
>>> >>> hide the password during trace. Let me try to explain again why I need
>>> >>> it.
>>> >>>
>>> >>> We want to use Radiator as main Radius and Tacacs authentication
>>> >>> server which forwards the requests to our central Active Directory for
>>> >>> password verification. The server will be maintained by an operations
>>> >>> team of several people, who from time to time need to add devices and
>>> >>> troubleshoot issues. They are not always skilled enough to know what
>>> >>> trace level to use (e.g. 3, 4 or higher (usually highest is best for
>>> >>> them)), so they would see during troubleshooting user passwords which
>>> >>> possibly go into log files. Our internal audit would not accept such a
>>> >>> solution. They are saying "You don't leave your cash openly on your
>>> >>> desk in the office. You will put it in the drawer even if it is
>>> >>> unlocked to avoid any temptation." It is not against malicious users
>>> >>> as we know there are always ways to get around for privileged users,
>>> >>> but they have to actively break rules to get to passwords.
>>> >>>
>>> >>> A custom solution is also not acceptable as any patch needs to be
>>> >>> verified against the changes etc....
>>> >>>
>>> >>> Could you reconsider your answer ?
>>> >>>
>>> >>> Thank you
>>> >>> Markus
>>> >>>
>>> >>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>>> >>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> >>> Cc: <radiator at open.com.au>
>>> >>> Sent: Wednesday, January 14, 2009 7:02 AM
>>> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>>> >>> using tacacs+ and trace 4, 5
>>> >>>
>>> >>>> Hello Markus -
>>> >>>>
>>> >>>> All I can suggest is your own custom code.
>>> >>>>
>>> >>>> regards
>>> >>>>
>>> >>>> Hugh
>>> >>>>
>>> >>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>>> >>>>> I still would like to see the password hidden during debug.  What
>>> >>>>> would convince you to include it ?
>>> >>>>>
>>> >>>>> Thank you
>>> >>>>> Markus
>>> >>>>>
>>> >>>>> ----- Original Message ----- From: "Markus Moeller"
>>> >>>>> <huaraz at moeller.plus.com>
>>> >>>>>
>>> >>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>>> >>>>> Cc: <radiator at open.com.au>
>>> >>>>> Sent: Monday, March 10, 2008 1:11 AM
>>> >>>>> Subject: Re: (RADIATOR) Patch to hide user password when using
>>> >>>>> tacacs + and trace 4,5
>>> >>>>>
>>> >>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>>> >>>>>>>
>>> >>>>>>> Hi,
>>> >>>>>>>
>>> >>>>>>>> The User-Password attribute is encoded when Radius is used and
>>> >>>>>>>> the logging with trace 4 or 5 does not reveal the password.
>>> >>>>>>>
>>> >>>>>>> You mean the password is not revealed because it is "mangled/
>>> >>>>>>> obfuscated"?
>>> >>>>>>
>>> >>>>>> Yes
>>> >>>>>>
>>> >>>>>>> You know the authenticator, you know the secret thus you know the
>>> >>>>>>> plaintext password when looking at your tracelevel 4 logs.
>>> >>>>>>
>>> >>>>>> I also forward messages with syslog to a central syslog server for
>>> >>>>>> monitoring (although usually not with trace 4,5 but can happen
>>> >>>>>> when debugging)
>>> >>>>>>
>>> >>>>>>> If you say, but if joe random on that machine sees the logs he doesn't
>>> >>>>>>> know the secret, then it's a matter of the ownership/permissions
>>> >>>>>>> of your logfiles as it would be of your radius configuration.
>>> >>>>>>
>>> >>>>>> I may have logfiles readable for operators but not the clients file
>>> >>>>>> with the secrets
>>> >>>>>>
>>> >>>>>>> A tracelevel > 3 is there for aiding in debugging and it's pretty
>>> >>>>>>> obvious that you can get a lot of information that way to find a
>>> >>>>>>> problem.  That's how the system is designed to work.
>>> >>>>>>
>>> >>>>>> True, but for example the radius code has also a section commented
>>> >>>>>> to not log the cleartext password.
>>> >>>>>>
>>> >>>>>>> just my 2cts.
>>> >>>>>>
>>> >>>>>> Thank you
>>> >>>>>> Markus
>>> >>>>>>
>>> >>>>>>> --
>>> >>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
>>> >>>>>>> CK Software GmbH                        http://www.cksoft.de/
>>> >>>>>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
>>> >>>>>>> D-71131 Jettingen                       Fax: +49 7452 889 136
>>> >>>>>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer:
>>> >>>>>>> Christian Kratzer
>>> >>>>>>
>>> >>>>>> --
>>> >>>>>> Archive at http://www.open.com.au/archives/radiator/
>>> >>>>>> Announcements on radiator-announce at open.com.au
>>> >>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> >>>>>> 'unsubscribe radiator' in the body of the message.
>>> >>>>>
>>> >>>>> _______________________________________________
>>> >>>>> radiator mailing list
>>> >>>>> radiator at open.com.au
>>> >>>>> http://www.open.com.au/mailman/listinfo/radiator
>>> >>>>
>>> >>>> NB:
>>> >>>>
>>> >>>> Have you read the reference manual ("doc/ref.html")?
>>> >>>> Have you searched the mailing list archive
>>> >>>> (www.open.com.au/archives/radiator)?
>>> >>>> Have you had a quick look on Google (www.google.com)?
>>> >>>> Have you included a copy of your configuration file (no secrets),
>>> >>>> together with a trace 4 debug showing what is happening?
>>> >>>> Have you checked the RadiusExpert wiki:
>>> >>>> http://www.open.com.au/wiki/index.php/Main_Page
>>> >>>>
>>> >>>> --
>>> >>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> >>>> Includes support for reliable RADIUS transport (RadSec),
>>> >>>> and DIAMETER translation agent.
>>> >>>> -
>>> >>>> Nets: internetwork inventory and management - graphical, extensible,
>>> >>>> flexible with hardware, software, platform and database independence.
>>> >>>> -
>>> >>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>> >>
>>
>>
>>
>> -- 
>> Mike McCauley                               mikem at open.com.au
>> Open System Consultants Pty. Ltd
>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
>> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
>
>
> 



