[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Markus Moeller huaraz at moeller.plus.com
Mon Jun 8 05:43:10 CDT 2009


Hi Mike,

   I can't see what has changed. Can you point me to which file has changed please?

Thank you
Markus
----- Original Message ----- 
From: "Mike McCauley" <mikem at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Friday, June 05, 2009 11:26 PM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5


> Hello Markus,
>
> thanks for your note.
> Our analysis shows that the fix required was different to the one you sent.
> However, we have made the appropriate fix, and it is now available in the
> latest patch set.
> We apologise for any inconvenience.
>
> Please let me know how you get on.
> Cheers.
>
>
> On Saturday 06 June 2009 05:54:14 am Markus Moeller wrote:
>> Sorry it seems I overlooked another place where the TACACS password is
>> logged in clear.
>>
>> Would it be possible to change in line 573 in ServerTACACSPLUS.pm the
>> following:
>>
>>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $tp->dump)
>>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>
>> to (or similar):
>>
>>     my $dump = $tp->dump;
>>     $dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
>>     $dump =~ s/User-Password = .*$/User-Password = XXX/g;
>>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $dump)
>>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>
>> Thank you
>> Markus
>>
>>
>>
>> ----- Original Message -----
>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>> To: "Mike McCauley" <mikem at open.com.au>; <radiator at open.com.au>
>> Sent: Sunday, January 25, 2009 12:25 PM
>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>> whenusingtacacs+ and trace 4, 5
>>
>> > Thank you
>> > Markus
>> >
>> > ----- Original Message -----
>> > From: "Mike McCauley" <mikem at open.com.au>
>> > To: <radiator at open.com.au>
>> > Cc: "Markus Moeller" <huaraz at moeller.plus.com>
>> > Sent: Saturday, January 24, 2009 11:37 PM
>> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>> > usingtacacs+ and trace 4, 5
>> >
>> >> Hello Markus,
>> >>
>> >> On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
>> >>> Sorry, but what are your thoughts on this now?
>> >>
>> >> We have now made changes to Tacacs+ authentication so that the plaintext
>> >> password is not logged, even at DEBUG level.
>> >>
>> >> The change is now in the latest patch set.
>> >>
>> >> Thanks for your suggestion.
>> >>
>> >> Cheers.
>> >>
>> >>> Thank you
>> >>> Markus
>> >>>
>> >>> ----- Original Message -----
>> >>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>> >>> To: "Hugh Irvine" <hugh at open.com.au>
>> >>> Cc: <radiator at open.com.au>
>> >>> Sent: Thursday, January 15, 2009 8:30 PM
>> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>> >>> usingtacacs+ and trace 4, 5
>> >>>
>> >>> > Hugh,
>> >>> >
>> >>> > I am a bit surprised about your answer. One of the differences
>> >>> > between Tacacs+ and Radius is that Tacacs+ encrypts the whole
>> >>> > communication between the NAS device and the Tacacs server and sends
>> >>> > all AV pairs in clear through the encrypted "tunnel" (the same way as
>> >>> > EAP-TLS does), whereas Radius uses clear text communication with an
>> >>> > encrypted password in the password AV pair. So when you dump the AV
>> >>> > pairs for Tacacs+ (and EAP-TLS) it is after decrypting the tunnel, so
>> >>> > it is all visible. When you dump the AV pairs with Radius you still
>> >>> > have the encrypted password.
>> >>> >
>> >>> > Here is a trace 4 output, where XXX is the password.
>> >>> >
>> >>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
>> >>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
>> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14
>> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXX,
>> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
>> >>> > Code:       Access-Request
>> >>> > Identifier: UNDEF
>> >>> > Authentic:  N<244>d]<242><195><216><219>X<176><253><19><127><137><183>
>> >>> > Attributes:
>> >>> >        NAS-IP-Address = 10.1.3.1
>> >>> >        NAS-Port-Id = "tty18"
>> >>> >        Calling-Station-Id = "10.2.5.2"
>> >>> >        Service-Type = Login-User
>> >>> >        AuthType = tacacs
>> >>> >        User-Name = "markus"
>> >>> >        User-Password = XXX
>> >>> >        DeviceType = generic
>> >>> >        DeviceGroup = global
>> >>> >
>> >>> >
>> >>> > Regards
>> >>> > Markus
>> >>> >
>> >>> > ----- Original Message -----
>> >>> > From: "Hugh Irvine" <hugh at open.com.au>
>> >>> > To: "Markus Moeller" <huaraz at moeller.plus.com>
>> >>> > Cc: <radiator at open.com.au>
>> >>> > Sent: Thursday, January 15, 2009 1:06 AM
>> >>> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>> >>> > using
>> >>> > tacacs+ and trace 4, 5
>> >>> >
>> >>> >> Hello Markus -
>> >>> >>
>> >>> >> Can we first of all determine whether or not Radiator logs cleartext
>> >>> >> passwords?
>> >>> >>
>> >>> >> We don't think it does, but if we are wrong please correct us.
>> >>> >>
>> >>> >> Our reluctance has to do with the fact that a simple protocol
>> >>> >> sniffer will show you exactly the same thing as is shown by Radiator
>> >>> >> - ie. obfuscated passwords.
>> >>> >>
>> >>> >> Our reluctance is also due to the fact that a debug is meant to
>> >>> >> provide all of the information needed to fix problems - and the
>> >>> >> biggest problem tends to be with passwords.
>> >>> >>
>> >>> >> If you can show us that Radiator is logging cleartext passwords we
>> >>> >> will look at fixing it.
>> >>> >>
>> >>> >> If Radiator is logging the same packet data as shown by a sniffer,
>> >>> >> then we probably won't change anything.
>> >>> >>
>> >>> >> regards
>> >>> >>
>> >>> >> Hugh
>> >>> >>
>> >>> >> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
>> >>> >>> Sorry to be persistent, but I don't understand your unwillingness
>> >>> >>> to hide the password during trace. Let me try to explain again why
>> >>> >>> I need it.
>> >>> >>>
>> >>> >>> We want to use Radiator as main Radius and Tacacs authentication
>> >>> >>> server which forwards the requests to our central Active Directory
>> >>> >>> for password verification. The server will be maintained by an
>> >>> >>> operations team of several people, who from time to time need to add
>> >>> >>> devices and troubleshoot issues. They are not always skilled enough
>> >>> >>> to know what trace level to use (e.g. 3, 4 or higher (usually
>> >>> >>> highest is best for them)), so they would see during troubleshooting
>> >>> >>> user passwords which possibly go into log files. Our internal audit
>> >>> >>> would not accept such a solution. They are saying "You don't leave
>> >>> >>> your cash openly on your desk in the office. You will put it in the
>> >>> >>> drawer even if it is unlocked to avoid any temptation." It is not
>> >>> >>> against malicious users as we know there are always ways to get
>> >>> >>> around for privileged users, but they have to actively break rules
>> >>> >>> to get to passwords.
>> >>> >>>
>> >>> >>> A custom solution is also not acceptable as any patch needs to be
>> >>> >>> verified against the changes etc.
>> >>> >>>
>> >>> >>> Could you reconsider your answer?
>> >>> >>>
>> >>> >>> Thank you
>> >>> >>> Markus
>> >>> >>>
>> >>> >>> ----- Original Message -----
>> >>> >>> From: "Hugh Irvine" <hugh at open.com.au>
>> >>> >>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> >>> >>> Cc: <radiator at open.com.au>
>> >>> >>> Sent: Wednesday, January 14, 2009 7:02 AM
>> >>> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
>> >>> >>>
>> >>> >>>> Hello Markus -
>> >>> >>>>
>> >>> >>>> All I can suggest is your own custom code.
>> >>> >>>>
>> >>> >>>> regards
>> >>> >>>>
>> >>> >>>> Hugh
>> >>> >>>>
>> >>> >>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>> >>> >>>>> I still would like to see the password hidden during debug. What
>> >>> >>>>> would convince you to include it?
>> >>> >>>>>
>> >>> >>>>> Thank you
>> >>> >>>>> Markus
>> >>> >>>>>
>> >>> >>>>> ----- Original Message -----
>> >>> >>>>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>> >>> >>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>> >>> >>>>> Cc: <radiator at open.com.au>
>> >>> >>>>> Sent: Monday, March 10, 2008 1:11 AM
>> >>> >>>>> Subject: Re: (RADIATOR) Patch to hide user password when using tacacs+ and trace 4,5
>> >>> >>>>>
>> >>> >>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>> >>> >>>>>>>
>> >>> >>>>>>> Hi,
>> >>> >>>>>>>
>> >>> >>>>>>>> The User-Password attribute is encoded when Radius is used and
>> >>> >>>>>>>> the logging with trace 4 or 5 does not reveal the password.
>> >>> >>>>>>>
>> >>> >>>>>>> You mean the password is not revealed because it is
>> >>> >>>>>>> "mangled/obfuscated"?
>> >>> >>>>>>
>> >>> >>>>>> Yes
>> >>> >>>>>>
>> >>> >>>>>>> You know the authenticator, you know the secret thus you know
>> >>> >>>>>>> the plaintext password when looking at your tracelevel 4 logs.
>> >>> >>>>>>
>> >>> >>>>>> I also forward messages with syslog to a central syslog server
>> >>> >>>>>> for monitoring (although usually not with trace 4,5 but can
>> >>> >>>>>> happen when debugging).
>> >>> >>>>>>
>> >>> >>>>>>> If you say, but if joe random on that machine sees the logs he
>> >>> >>>>>>> doesn't know the secret, then it's a matter of the
>> >>> >>>>>>> ownership/permissions of your logfiles as it would be of your
>> >>> >>>>>>> radius configuration.
>> >>> >>>>>>
>> >>> >>>>>> I may have logfiles readable for operators but not the clients
>> >>> >>>>>> file with the secrets.
>> >>> >>>>>>
>> >>> >>>>>>> A tracelevel > 3 is there for aiding in debugging and it's
>> >>> >>>>>>> pretty obvious that you can get a lot of information that way to
>> >>> >>>>>>> find a problem.  That's how the system is designed to work.
>> >>> >>>>>>
>> >>> >>>>>> True, but for example the radius code has also a section
>> >>> >>>>>> commented to not log the cleartext password.
>> >>> >>>>>>
>> >>> >>>>>>> just my 2cts.
>> >>> >>>>>>
>> >>> >>>>>> Thank you
>> >>> >>>>>> Markus
>> >>> >>>>>>
>> >>> >>>>>>> --
>> >>> >>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
>> >>> >>>>>>> CK Software GmbH                        http://www.cksoft.de/
>> >>> >>>>>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
>> >>> >>>>>>> D-71131 Jettingen                       Fax: +49 7452 889 136
>> >>> >>>>>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer: Christian Kratzer
>> >>> >>>>>>
>> >>> >>>>>> --
>> >>> >>>>>> Archive at http://www.open.com.au/archives/radiator/
>> >>> >>>>>> Announcements on radiator-announce at open.com.au
>> >>> >>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>> >>> >>>>>> 'unsubscribe radiator' in the body of the message.
>> >>> >>>>>
>> >>> >>>>> _______________________________________________
>> >>> >>>>> radiator mailing list
>> >>> >>>>> radiator at open.com.au
>> >>> >>>>> http://www.open.com.au/mailman/listinfo/radiator
>> >>> >>>>
>> >>> >>>> NB:
>> >>> >>>>
>> >>> >>>> Have you read the reference manual ("doc/ref.html")?
>> >>> >>>> Have you searched the mailing list archive
>> >>> >>>> (www.open.com.au/archives/radiator)?
>> >>> >>>> Have you had a quick look on Google (www.google.com)?
>> >>> >>>> Have you included a copy of your configuration file (no secrets),
>> >>> >>>> together with a trace 4 debug showing what is happening?
>> >>> >>>> Have you checked the RadiusExpert wiki:
>> >>> >>>> http://www.open.com.au/wiki/index.php/Main_Page
>> >>> >>>>
>> >>> >>>> --
>> >>> >>>> Radiator: the most portable, flexible and configurable RADIUS server
>> >>> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> >>> >>>> Includes support for reliable RADIUS transport (RadSec),
>> >>> >>>> and DIAMETER translation agent.
>> >>> >>>> -
>> >>> >>>> Nets: internetwork inventory and management - graphical, extensible,
>> >>> >>>> flexible with hardware, software, platform and database independence.
>> >>> >>>> -
>> >>> >>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>> >>> >>
>> >>> >
>> >>>
>> >>
>> >> --
>> >> Mike McCauley                               mikem at open.com.au
>> >> Open System Consultants Pty. Ltd
>> >> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> >> http://www.open.com.au Phone +61 7 5598-7474                       Fax +61 7 5598-7070
>> >>
>> >> Radiator: the most portable, flexible and configurable RADIUS server
>> >> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> >> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> >> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
>> >> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> >
>
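The attribute-dump redaction Markus proposes above, rendered as an added Python example for readers of this thread; it is neither Radiator's Perl code nor the fix Open System Consultants shipped. The extra attribute names, the sample dump and the "s3cret" value are assumptions constructed for the example.

```python
import re

# Attributes whose values must never reach a debug log. User-Password is
# the one discussed in the thread; the other two are assumptions added here.
SENSITIVE_ATTRIBUTES = ("User-Password", "Tunnel-Password", "CHAP-Password")

# One pattern for all sensitive attributes: "<indent><attr> = <value>" up to
# end of line. re.MULTILINE makes ^ and $ match at every line boundary, so
# the last line is covered whether or not it ends in "\n" (the reason the
# Perl proposal needed two separate substitutions).
_SENSITIVE_LINE = re.compile(
    r"^(?P<indent>[ \t]*)(?P<attr>"
    + "|".join(re.escape(a) for a in SENSITIVE_ATTRIBUTES)
    + r")[ \t]*=[ \t]*.*$",
    re.MULTILINE,
)


def redact_dump(dump: str, mask: str = "XXX") -> str:
    """Return the attribute dump with every sensitive value replaced by mask.

    Only the value is touched: indentation, attribute name and any trailing
    newline are preserved so the log line keeps its original shape.
    """
    return _SENSITIVE_LINE.sub(
        lambda m: f"{m.group('indent')}{m.group('attr')} = {mask}", dump
    )


def leaked_values(text: str, secrets) -> list:
    """Self-check for a log sanitiser: which of `secrets` still appear in text."""
    return [s for s in secrets if s in text]


# Constructed sample modelled on the trace 4 dump quoted in the thread;
# "s3cret" stands in for the password. The last line deliberately has no
# trailing newline, to exercise the end-of-string case.
SAMPLE_DUMP = (
    "Code:       Access-Request\n"
    "Identifier: UNDEF\n"
    "Attributes:\n"
    "        NAS-IP-Address = 10.1.3.1\n"
    '        User-Name = "markus"\n'
    '        User-Password = "s3cret"\n'
    "        DeviceType = generic"
)

if __name__ == "__main__":
    print(redact_dump(SAMPLE_DUMP))
```

The trace quoted in the thread also shows the password in the "TacacsplusConnection Authentication CONTINUE 0, XXX," line, which an attribute-based filter like this one does not cover; telling that password reply apart from the earlier username reply needs the TACACS+ conversation state.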



