[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Mike McCauley mikem at open.com.au
Mon Jun 8 06:06:00 CDT 2009


Hello Markus,

On Monday 08 June 2009 08:43:10 pm Markus Moeller wrote:
> Hi Mike,
>
>    I can't see what has changed. Can you point me to which file has changed
> please?

ServerTACACSPLUS.pm, about line 682.

Cheers.

>
> Thank you
> Markus
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Friday, June 05, 2009 11:26 PM
> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
> whenusingtacacs+ and trace 4, 5
>
> > Hello Markus,
> >
> > thanks for your note.
> > Our analysis shows that the fix required was different to the one you
> > sent.
> > However, we have made the appropriate fix, and it is now available in the
> > latest patch set.
> > We apologise for any inconvenience.
> >
> > Please let me know how you get on.
> > Cheers.
> >
> > On Saturday 06 June 2009 05:54:14 am Markus Moeller wrote:
> >> Sorry it seems I overlooked another place where the TACACS password is
> >> logged in clear.
> >>
> >> Would it be possible to change in line 573 in ServerTACACSPLUS.pm the
> >> following:
> >>
> >>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $tp->dump)
> >>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
> >>
> >> to (or similar):
> >>
> >>     my $dump = $tp->dump;
> >>     $dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
> >>     $dump =~ s/User-Password = .*$/User-Password = XXX/g;
> >>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $dump)
> >>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
> >>
> >> Thank you
> >> Markus
> >>
> >>
> >>
> >> ----- Original Message -----
> >> From: "Markus Moeller" <huaraz at moeller.plus.com>
> >> To: "Mike McCauley" <mikem at open.com.au>; <radiator at open.com.au>
> >> Sent: Sunday, January 25, 2009 12:25 PM
> >> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
> >> whenusingtacacs+ and trace 4, 5
> >>
> >> > Thank you
> >> > Markus
> >> >
> >> > ----- Original Message -----
> >> > From: "Mike McCauley" <mikem at open.com.au>
> >> > To: <radiator at open.com.au>
> >> > Cc: "Markus Moeller" <huaraz at moeller.plus.com>
> >> > Sent: Saturday, January 24, 2009 11:37 PM
> >> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> >> > usingtacacs+ and trace 4, 5
> >> >
> >> >> Hello Markus,
> >> >>
> >> >> On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
> >> >>> Sorry, but what are your thoughts on this now?
> >> >>
> >> >> We have now made changes to Tacacs+ authentication so that the
> >> >> plaintext password is not logged, even at DEBUG level.
> >> >>
> >> >> The change is now in the latest patch set.
> >> >>
> >> >> Thanks for your suggestion.
> >> >>
> >> >> Cheers.
> >> >>
> >> >>> Thank you
> >> >>> Markus
> >> >>>
> >> >>> ----- Original Message -----
> >> >>> From: "Markus Moeller" <huaraz at moeller.plus.com>
> >> >>> To: "Hugh Irvine" <hugh at open.com.au>
> >> >>> Cc: <radiator at open.com.au>
> >> >>> Sent: Thursday, January 15, 2009 8:30 PM
> >> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
> >> >>> usingtacacs+ and trace 4, 5
> >> >>>
> >> >>> > Hugh,
> >> >>> >
> >> >>> > I am a bit surprised about your answer. One of the differences
> >> >>> > between Tacacs+ and Radius is that Tacacs+ encrypts the whole
> >> >>> > communication between the NAS device and the Tacacs server and sends
> >> >>> > all AV pairs in clear through the encrypted "tunnel" (the same way as
> >> >>> > EAP-TLS does), whereas Radius uses clear text communication with an
> >> >>> > encrypted password in the password AV pair. So when you dump the AV
> >> >>> > pairs for Tacacs+ (and EAP-TLS) it is after decrypting the tunnel, so
> >> >>> > it is all visible. When you dump the AV pairs with Radius you still
> >> >>> > have the encrypted password.
> >> >>> >
> >> >>> > Here is a trace 4 output, where XXX is the password.
> >> >>> >
> >> >>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
> >> >>> > Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> >> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14
> >> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXX,
> >> >>> > Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
> >> >>> > Code:       Access-Request
> >> >>> > Identifier: UNDEF
> >> >>> > Authentic:  N<244>d]<242><195><216><219>X<176><253><19><127><137><183>
> >> >>> > Attributes:
> >> >>> >        NAS-IP-Address = 10.1.3.1
> >> >>> >        NAS-Port-Id = "tty18"
> >> >>> >        Calling-Station-Id = "10.2.5.2"
> >> >>> >        Service-Type = Login-User
> >> >>> >        AuthType = tacacs
> >> >>> >        User-Name = "markus"
> >> >>> >        User-Password = XXX
> >> >>> >        DeviceType = generic
> >> >>> >        DeviceGroup = global
> >> >>> >
> >> >>> >
> >> >>> > Regards
> >> >>> > Markus
> >> >>> >
> >> >>> > ----- Original Message -----
> >> >>> > From: "Hugh Irvine" <hugh at open.com.au>
> >> >>> > To: "Markus Moeller" <huaraz at moeller.plus.com>
> >> >>> > Cc: <radiator at open.com.au>
> >> >>> > Sent: Thursday, January 15, 2009 1:06 AM
> >> >>> > Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
> >> >>> > when using
> >> >>> > tacacs+ and trace 4, 5
> >> >>> >
> >> >>> >> Hello Markus -
> >> >>> >>
> >> >>> >> Can we first of all determine whether or not Radiator logs cleartext
> >> >>> >> passwords?
> >> >>> >>
> >> >>> >> We don't think it does, but if we are wrong please correct us.
> >> >>> >>
> >> >>> >> Our reluctance has to do with the fact that a simple protocol
> >> >>> >> sniffer will show you exactly the same thing as is shown by Radiator
> >> >>> >> - ie. obfuscated passwords.
> >> >>> >>
> >> >>> >> Our reluctance is also due to the fact that a debug is meant to
> >> >>> >> provide all of the information needed to fix problems - and the
> >> >>> >> biggest problem tends to be with passwords.
> >> >>> >>
> >> >>> >> If you can show us that Radiator is logging cleartext passwords we
> >> >>> >> will look at fixing it.
> >> >>> >>
> >> >>> >> If Radiator is logging the same packet data as shown by a sniffer,
> >> >>> >> then we probably won't change anything.
> >> >>> >>
> >> >>> >> regards
> >> >>> >>
> >> >>> >> Hugh
> >> >>> >>
> >> >>> >> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
> >> >>> >>> Sorry to be persistent, but I don't understand your unwillingness
> >> >>> >>> to hide the password during trace. Let me try to explain again why
> >> >>> >>> I need it.
> >> >>> >>>
> >> >>> >>> We want to use Radiator as main Radius and Tacacs authentication
> >> >>> >>> server which forwards the requests to our central Active Directory
> >> >>> >>> for password verification. The server will be maintained by an
> >> >>> >>> operations team of several people, who from time to time need to
> >> >>> >>> add devices and troubleshoot issues. They are not always skilled
> >> >>> >>> enough to know what trace level to use (e.g. 3, 4 or higher
> >> >>> >>> (usually highest is best for them)), so they would see during
> >> >>> >>> troubleshooting user passwords which possibly go into log files.
> >> >>> >>> Our internal audit would not accept such a solution. They are
> >> >>> >>> saying "You don't leave your cash openly on your desk in the
> >> >>> >>> office. You will put it in the drawer even if it is unlocked to
> >> >>> >>> avoid any temptation." It is not against malicious users as we
> >> >>> >>> know there are always ways to get around for privileged users, but
> >> >>> >>> they have to actively break rules to get to passwords.
> >> >>> >>>
> >> >>> >>> A custom solution is also not acceptable as any patch needs to be
> >> >>> >>> verified against the changes etc....
> >> >>> >>>
> >> >>> >>> Could you reconsider your answer?
> >> >>> >>>
> >> >>> >>> Thank you
> >> >>> >>> Markus
> >> >>> >>>
> >> >>> >>> ----- Original Message ----- From: "Hugh Irvine"
> >> >>> >>> <hugh at open.com.au>
> >> >>> >>> To: "Markus Moeller" <huaraz at moeller.plus.com>
> >> >>> >>> Cc: <radiator at open.com.au>
> >> >>> >>> Sent: Wednesday, January 14, 2009 7:02 AM
> >> >>> >>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
> >> >>> >>> when
> >> >>> >>> using tacacs+ and trace 4, 5
> >> >>> >>>
> >> >>> >>>> Hello Markus -
> >> >>> >>>>
> >> >>> >>>> All I can suggest is your own custom code.
> >> >>> >>>>
> >> >>> >>>> regards
> >> >>> >>>>
> >> >>> >>>> Hugh
> >> >>> >>>>
> >> >>> >>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
> >> >>> >>>>> I still would like to see the password hidden during debug.
> >> >>> >>>>> What would convince you to include it?
> >> >>> >>>>>
> >> >>> >>>>> Thank you
> >> >>> >>>>> Markus
> >> >>> >>>>>
> >> >>> >>>>> ----- Original Message ----- From: "Markus Moeller"
> >> >>> >>>>> <huaraz at moeller.plus.com>
> >> >>> >>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
> >> >>> >>>>> Cc: <radiator at open.com.au>
> >> >>> >>>>> Sent: Monday, March 10, 2008 1:11 AM
> >> >>> >>>>> Subject: Re: (RADIATOR) Patch to hide user password when using
> >> >>> >>>>> tacacs + and trace 4,5
> >> >>> >>>>>
> >> >>> >>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
> >> >>> >>>>>>>
> >> >>> >>>>>>> Hi,
> >> >>> >>>>>>>
> >> >>> >>>>>>>> The User-Password attribute is encoded when Radius is used and
> >> >>> >>>>>>>> the logging with trace 4 or 5 does not reveal the password.
> >> >>> >>>>>>>
> >> >>> >>>>>>> You mean the password is not revealed because it is "mangled/
> >> >>> >>>>>>> obfuscated"?
> >> >>> >>>>>>
> >> >>> >>>>>> Yes
> >> >>> >>>>>>
> >> >>> >>>>>>> You know the authenticator, you know the secret thus you know
> >> >>> >>>>>>> the plaintext password when looking at your tracelevel 4 logs.
> >> >>> >>>>>>
> >> >>> >>>>>> I also forward messages with syslog to a central syslog server
> >> >>> >>>>>> for monitoring (although usually not with trace 4,5 but can
> >> >>> >>>>>> happen when debugging)
> >> >>> >>>>>>
> >> >>> >>>>>>> If you say, but if joe random on that machine sees the logs he
> >> >>> >>>>>>> doesn't know the secret, then it's a matter of the
> >> >>> >>>>>>> ownership/permissions of your logfiles as it would be of your
> >> >>> >>>>>>> radius configuration.
> >> >>> >>>>>>
> >> >>> >>>>>> I may have logfiles readable for operators but not the clients
> >> >>> >>>>>> file with the secrets
> >> >>> >>>>>>
> >> >>> >>>>>>> A tracelevel > 3 is there for aiding in debugging and it's
> >> >>> >>>>>>> pretty obvious that you can get a lot of information that way
> >> >>> >>>>>>> to find a problem.  That's how the system is designed to work.
> >> >>> >>>>>>
> >> >>> >>>>>> True, but for example the radius code has also a section
> >> >>> >>>>>> commented to not log the cleartext password.
> >> >>> >>>>>>
> >> >>> >>>>>>> just my 2cts.
> >> >>> >>>>>>
> >> >>> >>>>>> Thank you
> >> >>> >>>>>> Markus
> >> >>> >>>>>>
> >> >>> >>>>>>> --
> >> >>> >>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
> >> >>> >>>>>>> CK Software GmbH                        http://www.cksoft.de/
> >> >>> >>>>>>> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
> >> >>> >>>>>>> D-71131 Jettingen                       Fax: +49 7452 889 136
> >> >>> >>>>>>> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer: Christian Kratzer
> >> >>> >>>>>>
> >> >>> >>>>>> --
> >> >>> >>>>>> Archive at http://www.open.com.au/archives/radiator/
> >> >>> >>>>>> Announcements on radiator-announce at open.com.au
> >> >>> >>>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >> >>> >>>>>> 'unsubscribe radiator' in the body of the message.
> >> >>> >>>>>
> >> >>> >>>>> _______________________________________________
> >> >>> >>>>> radiator mailing list
> >> >>> >>>>> radiator at open.com.au
> >> >>> >>>>> http://www.open.com.au/mailman/listinfo/radiator
> >> >>> >>>>
> >> >>> >>>> NB:
> >> >>> >>>>
> >> >>> >>>> Have you read the reference manual ("doc/ref.html")?
> >> >>> >>>> Have you searched the mailing list archive
> >> >>> >>>> (www.open.com.au/archives/radiator)?
> >> >>> >>>> Have you had a quick look on Google (www.google.com)?
> >> >>> >>>> Have you included a copy of your configuration file (no
> >> >>> >>>> secrets),
> >> >>> >>>> together with a trace 4 debug showing what is happening?
> >> >>> >>>> Have you checked the RadiusExpert wiki:
> >> >>> >>>> http://www.open.com.au/wiki/index.php/Main_Page
> >> >>> >>>>
> >> >>> >>>> --
> >> >>> >>>> Radiator: the most portable, flexible and configurable RADIUS
> >> >>> >>>> server
> >> >>> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> >>> >>>> Includes support for reliable RADIUS transport (RadSec),
> >> >>> >>>> and DIAMETER translation agent.
> >> >>> >>>> -
> >> >>> >>>> Nets: internetwork inventory and management - graphical,
> >> >>> >>>> extensible,
> >> >>> >>>> flexible with hardware, software, platform and database
> >> >>> >>>> independence.
> >> >>> >>>> -
> >> >>> >>>> CATool: Private Certificate Authority for Unix and Unix-like
> >> >>> >>>> systems.
> >> >>> >>
> >> >>> >
> >> >>>
> >> >>
> >> >> --
> >> >> Mike McCauley                               mikem at open.com.au
> >> >> Open System Consultants Pty. Ltd
> >> >> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> >> >> http://www.open.com.au Phone +61 7 5598-7474    Fax +61 7 5598-7070
> >> >>
> >> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> >> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >> >> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
> >> >> TLS,
> >> >> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
> >> >> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> >> >
> >



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
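The substitution Markus proposes in the thread above, written up as an added example that is not Radiator's own code: one line-anchored regex (the /m modifier) replaces both of his substitutions and also covers a value on the last line of the dump. The attribute names beyond User-Password, the helper name redact_dump and the sample dump values are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Radiator code: redact secret-bearing attribute
# values from a textual RADIUS packet dump before it reaches the debug
# logger. Assumes the dump lists attributes one per line as
# "Name = value", as in the trace 4 output quoted in the thread.
use strict;
use warnings;

# Attributes whose values must never be written to a log file.
# User-Password is the one the thread is about; the others are assumed.
my @SENSITIVE = qw(User-Password CHAP-Password Tunnel-Password);
my $MASK      = 'XXX';

# Return a copy of $dump with every sensitive value replaced by $MASK.
# With /m, ^ and $ anchor at line boundaries, so a value on the last
# line (no trailing newline) is handled by the same substitution and a
# second "end of string" regex is not needed. Quoted and unquoted
# values are treated alike because everything after "= " is replaced.
sub redact_dump {
    my ($dump) = @_;
    my $names = join '|', map { quotemeta } @SENSITIVE;
    (my $out = $dump) =~ s/^(\s*(?:$names)\s*=\s*).*$/$1$MASK/mg;
    return $out;
}

# Constructed dump in the layout of the trace quoted above; the values
# are made up. The last line deliberately has no trailing newline.
my $dump = <<'END';
Code:       Access-Request
Identifier: UNDEF
Attributes:
       NAS-IP-Address = 10.1.3.1
       User-Name = "markus"
       User-Password = "s3cret pass"
       DeviceGroup = global
       Tunnel-Password = last-line-secret
END
chomp $dump;

my $safe = redact_dump($dump);
print "$safe\n";

# Self-checks: no secret survives, both values are masked, and the
# non-sensitive attributes are left exactly as they were.
die "secret leaked\n" if $safe =~ /s3cret|last-line-secret/;
my $masked = () = $safe =~ /^\s*\S+ = \Q$MASK\E$/mg;
die "expected 2 masked values, got $masked\n" unless $masked == 2;
die "User-Name damaged\n" unless $safe =~ /^\s*User-Name = "markus"$/m;
print "redaction OK\n";
```

Applying the redaction at the single point where the dump string is built, rather than at each log call, is what keeps a second overlooked call site (the kind Markus found at line 573) from leaking the value again.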

