[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Mike McCauley mikem at open.com.au
Fri Jun 5 17:26:11 CDT 2009


Hello Markus,

thanks for your note.
Our analysis shows that the fix required was different to the one you sent. 
However, we have made the appropriate fix, and it is now available in the 
latest patch set.
We apologise for any inconvenience.

Please let me know how you get on.
Cheers.


On Saturday 06 June 2009 05:54:14 am Markus Moeller wrote:
> Sorry it seems I overlooked another place where the TACACS password is
> logged in clear.
>
> Would it be possible to change in line 573 in ServerTACACSPLUS.pm  the
> following:
>
>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet
> dump:\n" . $tp->dump)
>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>
> to (or similar):
>
>     my $dump = $tp->dump;
>     $dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
>     $dump =~ s/User-Password = .*$/User-Password = XXX/g;
>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet
> dump:\n" . $dump)
>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>
> Thank you
> Markus
>
>
>
> ----- Original Message -----
> From: "Markus Moeller" <huaraz at moeller.plus.com>
> To: "Mike McCauley" <mikem at open.com.au>; <radiator at open.com.au>
> Sent: Sunday, January 25, 2009 12:25 PM
> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
> when using tacacs+ and trace 4, 5
>
> > Thank you
> > Markus
> >
> > ----- Original Message -----
> > From: "Mike McCauley" <mikem at open.com.au>
> > To: <radiator at open.com.au>
> > Cc: "Markus Moeller" <huaraz at moeller.plus.com>
> > Sent: Saturday, January 24, 2009 11:37 PM
> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> > using tacacs+ and trace 4, 5
> >
> >> Hello Markus,
> >>
> >> On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
> >>> Sorry, but what are your thoughts on this now ?
> >>
> >> We have now made changes to Tacacs+ authentication so that the plaintext
> >> password is not logged, even at DEBUG level.
> >>
> >> The change is now in the latest patch set.
> >>
> >> Thanks for your suggestion.
> >>
> >> Cheers.
> >>
> >>> Thank you
> >>> Markus
> >>>
> >>> ----- Original Message -----
> >>> From: "Markus Moeller" <huaraz at moeller.plus.com>
> >>> To: "Hugh Irvine" <hugh at open.com.au>
> >>> Cc: <radiator at open.com.au>
> >>> Sent: Thursday, January 15, 2009 8:30 PM
> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> >>> using tacacs+ and trace 4, 5
> >>>
> >>> > Hugh,
> >>> >
> >>> > I am a bit surprised about your answer.  One of the differences
> >>> > between Tacacs+ and Radius is that Tacacs+ encrypts the whole
> >>> > communication between the NAS device and the Tacacs server and sends
> >>> > all AV pairs in clear through the encrypted "tunnel" (The same way as
> >>> > EAP-TLS does), whereas Radius uses clear text communication with an
> >>> > encrypted password
> >>> > in the password AV pair. So when you dump the AV pairs for Tacacs+
> >>> > (and
> >>> > EAP-TLS) it is after decrypting the tunnel, so it is all visible.
> >>> > When you dump the AV pairs with Radius you have still the encrypted
> >>> > password.
> >>> >
> >>> > Here is a trace 4 output, where XXX is the password.
> >>> >
> >>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication
> >>> > CONTINUE 0, markus,
> >>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication
> >>> > REPLY 5, 1, Password: ,
> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1,
> >>> > 5,
> >>> > 0, 3401247729, 14
> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication
> >>> > CONTINUE 0, XXX,
> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request
> >>> > packet
> >>> > dump:
> >>> > Code:       Access-Request
> >>> > Identifier: UNDEF
> >>> > Authentic:  N<244>d]<242><195><216><219>X<176><253>
> >>> > <19><127><137><183>
> >>> > Attributes:
> >>> >        NAS-IP-Address = 10.1.3.1
> >>> >        NAS-Port-Id = "tty18"
> >>> >        Calling-Station-Id = "10.2.5.2"
> >>> >        Service-Type = Login-User
> >>> >        AuthType = tacacs
> >>> >        User-Name = "markus"
> >>> >        User-Password = XXX
> >>> >        DeviceType = generic
> >>> >        DeviceGroup = global
> >>> >
> >>> >
> >>> > Regards
> >>> > Markus
> >>> >
> >>> > ----- Original Message -----
> >>> > From: "Hugh Irvine" <hugh at open.com.au>
> >>> > To: "Markus Moeller" <huaraz at moeller.plus.com>
> >>> > Cc: <radiator at open.com.au>
> >>> > Sent: Thursday, January 15, 2009 1:06 AM
> >>> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> >>> > using
> >>> > tacacs+ and trace 4, 5
> >>> >
> >>> >> Hello Markus -
> >>> >>
> >>> >> Can we first of all determine whether or not Radiator logs cleartext
> >>> >> passwords?
> >>> >>
> >>> >> We don't think it does, but if we are wrong please correct us.
> >>> >>
> >>> >> Our reluctance has to do with the fact that a simple protocol
> >>> >> sniffer will show you exactly the same thing as is shown by Radiator
> >>> >> - ie. obfuscated passwords.
> >>> >>
> >>> >> Our reluctance is also due to the fact that a debug is meant to
> >>> >> provide
> >>> >> all of the information needed to fix problems - and the  biggest
> >>> >> problem
> >>> >> tends to be with passwords.
> >>> >>
> >>> >> If you can show us that Radiator is logging cleartext passwords we
> >>> >> will
> >>> >> look at fixing it.
> >>> >>
> >>> >> If Radiator is logging the same packet data as shown by a sniffer,
> >>> >> then
> >>> >> we probably won't change anything.
> >>> >>
> >>> >> regards
> >>> >>
> >>> >> Hugh
> >>> >>
> >>> >> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
> >>> >>> Sorry to be persistent, but I don't understand your unwillingness
> >>> >>> to hide the password during trace. Let me try to explain again why
> >>> >>> I need
> >>> >>> it.
> >>> >>>
> >>> >>> We want to use Radiator as main Radius and Tacacs authentication
> >>> >>> server which forwards the requests to our central Active Directory
> >>> >>> for password verification. The server will be maintained by an
> >>> >>> operations team of several people, who from time to time need to
> >>> >>> add devices and troubleshoot issues. They are not always skilled
> >>> >>> enough to know what trace level to use (e.g. 3,4 or higher (usually
> >>> >>> highest is best for them)), so they would see during troubleshooting
> >>> >>> user passwords which possibly go into log files. Our internal audit
> >>> >>> would not accept such a solution. They are saying "You don't leave
> >>> >>> your cash openly on your desk in the office. You will put it in the
> >>> >>> drawer even if it is unlocked to avoid any temptation." It is not
> >>> >>> against malicious users as we know there are always ways to get
> >>> >>> around for privileged users, but they have to actively break rules
> >>> >>> to get to passwords.
> >>> >>>
> >>> >>> A custom solution is also not acceptable as any patch needs to be
> >>> >>> verified against the changes etc....
> >>> >>>
> >>> >>> Could you reconsider your answer ?
> >>> >>>
> >>> >>> Thank you
> >>> >>> Markus
> >>> >>>
> >>> >>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> >>> >>> To: "Markus Moeller" <huaraz at moeller.plus.com>
> >>> >>> Cc: <radiator at open.com.au>
> >>> >>> Sent: Wednesday, January 14, 2009 7:02 AM
> >>> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> >>> >>> using tacacs+ and trace 4, 5
> >>> >>>
> >>> >>>> Hello Markus -
> >>> >>>>
> >>> >>>> All I can suggest is your own custom code.
> >>> >>>>
> >>> >>>> regards
> >>> >>>>
> >>> >>>> Hugh
> >>> >>>>
> >>> >>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
> >>> >>>>> I still would like to see the password hidden during debug.  What
> >>> >>>>> would convince you to include it ?
> >>> >>>>>
> >>> >>>>> Thank you
> >>> >>>>> Markus
> >>> >>>>>
> >>> >>>>> ----- Original Message ----- From: "Markus Moeller"
> >>> >>>>> <huaraz at moeller.plus.com
> >>> >>>>>
> >>> >>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
> >>> >>>>> Cc: <radiator at open.com.au>
> >>> >>>>> Sent: Monday, March 10, 2008 1:11 AM
> >>> >>>>> Subject: Re: (RADIATOR) Patch to hide user password when using
> >>> >>>>> tacacs + and trace 4,5
> >>> >>>>>
> >>> >>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
> >>> >>>>>>>
> >>> >>>>>>> Hi,
> >>> >>>>>>>
> >>> >>>>>>>> The User-Password attribute is encoded when Radius is used and
> >>> >>>>>>>> the logging with trace 4 or 5 does not reveal the password.
> >>> >>>>>>>
> >>> >>>>>>> You mean the password is not revealed because it is "mangled/
> >>> >>>>>>> obfuscated"?
> >>> >>>>>>
> >>> >>>>>> Yes
> >>> >>>>>>
> >>> >>>>>>> You know the authenticator, you know the secret thus you know
> >>> >>>>>>> the
> >>> >>>>>>> plaintext password when looking at your tracelevel 4 logs.
> >>> >>>>>>
> >>> >>>>>> I also forward messages with syslog to a central syslog server
> >>> >>>>>> for
> >>> >>>>>> monitoring (although usually not with trace 4,5 but can happen
> >>> >>>>>> when debugging)
> >>> >>>>>>
> >>> >>>>>>> If you say, but if joe random on that machine sees the logs he
> >>> >>>>>>> doesn't
> >>> >>>>>>> know the secret, then it's a matter of the
> >>> >>>>>>> ownership/permissions of your logfiles as it would be of your
> >>> >>>>>>> radius configuration.
> >>> >>>>>>
> >>> >>>>>> I may have logfiles readable for operators but not the clients
> >>> >>>>>> file
> >>> >>>>>> with the secrets
> >>> >>>>>>
> >>> >>>>>>> A tracelevel > 3 is there for aiding in debugging and it's
> >>> >>>>>>> pretty
> >>> >>>>>>> obvious that you can get a lot of information that way to find
> >>> >>>>>>> a problem.  That's how the system is designed to work.
> >>> >>>>>>
> >>> >>>>>> True, but for example the radius code has also a section
> >>> >>>>>> commented
> >>> >>>>>> to not log the cleartext password.
> >>> >>>>>>
> >>> >>>>>>> just my 2cts.
> >>> >>>>>>
> >>> >>>>>> Thank you
> >>> >>>>>> Markus
> >>> >>>>>>
> >>> >>>>>>> --
> >>> >>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
> >>> >>>>>>> CK Software GmbH                        http://www.cksoft.de/
> >>> >>>>>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
> >>> >>>>>>> D-71131 Jettingen                       Fax: +49 7452 889 136
> >>> >>>>>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer:
> >>> >>>>>>> Christian Kratzer
> >>> >>>>>>
> >>> >>>>>> --
> >>> >>>>>> Archive at http://www.open.com.au/archives/radiator/
> >>> >>>>>> Announcements on radiator-announce at open.com.au
> >>> >>>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> >>>>>> 'unsubscribe radiator' in the body of the message.
> >>> >>>>>
> >>> >>>>> _______________________________________________
> >>> >>>>> radiator mailing list
> >>> >>>>> radiator at open.com.au
> >>> >>>>> http://www.open.com.au/mailman/listinfo/radiator
> >>> >>>>
> >>> >>>> NB:
> >>> >>>>
> >>> >>>> Have you read the reference manual ("doc/ref.html")?
> >>> >>>> Have you searched the mailing list archive
> >>> >>>> (www.open.com.au/archives/radiator)?
> >>> >>>> Have you had a quick look on Google (www.google.com)?
> >>> >>>> Have you included a copy of your configuration file (no secrets),
> >>> >>>> together with a trace 4 debug showing what is happening?
> >>> >>>> Have you checked the RadiusExpert wiki:
> >>> >>>> http://www.open.com.au/wiki/index.php/Main_Page
> >>> >>>>
> >>> >>>> --
> >>> >>>> Radiator: the most portable, flexible and configurable RADIUS
> >>> >>>> server
> >>> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>> >>>> Includes support for reliable RADIUS transport (RadSec),
> >>> >>>> and DIAMETER translation agent.
> >>> >>>> -
> >>> >>>> Nets: internetwork inventory and management - graphical,
> >>> >>>> extensible,
> >>> >>>> flexible with hardware, software, platform and database
> >>> >>>> independence.
> >>> >>>> -
> >>> >>>> CATool: Private Certificate Authority for Unix and Unix-like
> >>> >>>> systems.
> >>> >>
> >>> >
> >>>
> >>
> >> --
> >> Mike McCauley                               mikem at open.com.au
> >> Open System Consultants Pty. Ltd
> >> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> >> http://www.open.com.au Phone +61 7 5598-7474                       Fax  
> >> +61 7 5598-7070
> >>
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
> >> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> >



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
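An added example, not code from the thread or from Radiator itself, showing the redaction the thread asks for applied to a trace 4 log. Markus's regex masks only the User-Password line of the derived RADIUS dump; the same trace he quoted also carries the password in the TACACS+ "Authentication CONTINUE" that answers the "REPLY 5 ... Password:" prompt, so this version also masks that line, reading the 5 as TAC_PLUS_AUTHEN_STATUS_GETPASS (my assumption about Radiator's log format; the sample lines are constructed after the quoted trace).

```python
import re

# Constructed sample modelled on the trace 4 output quoted above;
# "s3cret!" stands where the thread wrote XXX.
SAMPLE_TRACE = """\
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, s3cret!,
Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Attributes:
       User-Name = "markus"
       User-Password = s3cret!
       DeviceType = generic
"""

# TACACS+ authentication REPLY status that asks the client for the password
# (assumption: Radiator logs the raw status value after "REPLY").
TAC_PLUS_AUTHEN_STATUS_GETPASS = 5

USER_PASSWORD_RE = re.compile(r"^(\s*User-Password = ).*$")
REPLY_RE = re.compile(r"Authentication REPLY (\d+),")
# Lazy middle group so a password containing commas is still masked whole.
CONTINUE_RE = re.compile(r"^(.*Authentication CONTINUE \d+, ).*?(,\s*)$")


def redact_trace(text: str, mask: str = "XXX") -> str:
    """Return the trace with password material masked.

    Two places leak the plaintext: the User-Password attribute of the derived
    RADIUS packet, and the TACACS+ CONTINUE sent in answer to a GETPASS REPLY.
    The CONTINUE carries whatever the user typed (the first one is the user
    name), so only the one that follows a GETPASS is masked.
    """
    out = []
    expect_password = False
    for line in text.splitlines():
        reply = REPLY_RE.search(line)
        if reply:
            expect_password = int(reply.group(1)) == TAC_PLUS_AUTHEN_STATUS_GETPASS
            out.append(line)
            continue
        cont = CONTINUE_RE.match(line)
        if cont and expect_password:
            line = f"{cont.group(1)}{mask}{cont.group(2)}"
            expect_password = False
        attr = USER_PASSWORD_RE.match(line)
        if attr:
            line = f"{attr.group(1)}{mask}"
        out.append(line)
    return "\n".join(out) + "\n"
```

The user name in the first CONTINUE and every other attribute survive untouched, so the trace stays useful for debugging while the password never reaches the log file or a forwarded syslog.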


