[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Peter Havekes p.havekes at avans.nl
Tue Jun 9 10:11:16 CDT 2009


When using EAP-TTLS + PAP the cleartext passwords are also being logged 
at trace level 5. Is this a feature or a bug?

See example logging (the xxxxxxx's are the password):

Code: Access-Request
Identifier: 151
Authentic: <0><167>v<251>rtY<18>4<131><231>r?<208><8>M
Attributes:
NAS-Port-Id = "AP11/1"
Calling-Station-Id = "00-02-78-DF-B5-E5"
Called-Station-Id = "00-0B-0E-29-51-C2:eduroam"
Service-Type = Framed-User
User-Name = "anonymous at avans.nl"
NAS-Port = 46947
EAP-Message = <2><9><0>S<21><0><23><3><1><0>Hf<151><149><163><15><152><249><31><141><168><161>Uc3?K<133><203><241>\V<195>=:<3>C<139>ik<245>#.<133><1
NAS-Port-Type = 19
NAS-IP-Address = 145.48.82.51
NAS-Identifier = "Trapeze"
Message-Authenticator = <149><175>Sq@<156><248><128>-<142><143><198><236><170><153><165>

Tue Jun 9 10:51:49 2009: DEBUG: Handling request with Handler 'Called-Station-Id=/.*eduroam.*/,Realm=avans.nl,User-Name=/@/'
Tue Jun 9 10:51:49 2009: DEBUG: Deleting session for anonymous at avans.nl, 145.48.82.51, 46947
Tue Jun 9 10:51:49 2009: DEBUG: Handling with Radius::AuthFILE:
Tue Jun 9 10:51:49 2009: DEBUG: Handling with EAP: code 2, 9, 83, 21
Tue Jun 9 10:51:49 2009: DEBUG: Response type 21
Tue Jun 9 10:51:49 2009: DEBUG: EAP TTLS data, 3, 9, 8
Tue Jun 9 10:51:49 2009: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code: UNDEF
Identifier: UNDEF
Authentic: UNDEF
Attributes:
User-Name = "phavekes at avans.nl"
User-Password = "xxxxxxxxxxxxxxxxx"

Mike McCauley wrote:
> Hello Markus,
>
> On Monday 08 June 2009 08:43:10 pm Markus Moeller wrote:
>   
>> Hi Mike,
>>
>>    I can't see what has changed. Can you point me to which file has changed
>> please ?
>>     
>
> ServerTACACSPLUS.pm, about line 682.
>
> Cheers.
>
>   
>> Thank you
>> Markus
>> ----- Original Message -----
>> From: "Mike McCauley" <mikem at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Friday, June 05, 2009 11:26 PM
>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>> whenusingtacacs+ and trace 4, 5
>>
>>     
>>> Hello Markus,
>>>
>>> thanks for your note.
>>> Our analysis shows that the fix required was different to the one you
>>> sent.
>>> However, we have made the appropriate fix, and it is now available in the
>>> latest patch set.
>>> We apologise for any inconvenience.
>>>
>>> Please let me know how you get on.
>>> Cheers.
>>>
>>> On Saturday 06 June 2009 05:54:14 am Markus Moeller wrote:
>>>       
>>>> Sorry it seems I overlooked another place where the TACACS password is
>>>> logged in clear.
>>>>
>>>> Would it be possible to change in line 573 in ServerTACACSPLUS.pm the
>>>> following:
>>>>
>>>>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $tp->dump)
>>>>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>>>
>>>> to (or similar):
>>>>
>>>>     my $dump = $tp->dump;
>>>>     $dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
>>>>     $dump =~ s/User-Password = .*$/User-Password = XXX/g;
>>>>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $dump)
>>>>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>>>> To: "Mike McCauley" <mikem at open.com.au>; <radiator at open.com.au>
>>>> Sent: Sunday, January 25, 2009 12:25 PM
>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>>>> whenusingtacacs+ and trace 4, 5
>>>>
>>>>         
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Mike McCauley" <mikem at open.com.au>
>>>>> To: <radiator at open.com.au>
>>>>> Cc: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>> Sent: Saturday, January 24, 2009 11:37 PM
>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
>>>>> usingtacacs+ and trace 4, 5
>>>>>
>>>>>           
<-CUT->
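An added example in Perl (not Radiator's own code and not the patch discussed in the thread): a redaction helper that generalises the two proposed regexes into one /m substitution covering any secret attribute, and a logging wrapper so that both the TACACS+ dump and the TTLS tunnelled dump shown above go through the same mask. The attribute list beyond User-Password and the $log code reference standing in for &main::log are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Attributes whose values must never reach a log file, even at trace 4 or 5.
# User-Password is the one the thread is about; CHAP-Password and
# Tunnel-Password are assumed additions that carry secrets in the same
# "Name = value" dump format.
my @SECRET_ATTRS = qw(User-Password CHAP-Password Tunnel-Password);

# redact_dump: take the text produced by a packet's dump method and mask the
# value of every secret attribute. With /m, ^ and $ anchor at each line, so
# one substitution covers both a line followed by "\n" and a final line with
# no trailing newline (the two cases the proposed patch handled with two
# separate regexes). Leading blanks are allowed for indented dumps.
sub redact_dump {
    my ($dump) = @_;
    for my $attr (@SECRET_ATTRS) {
        $dump =~ s/^([ \t]*\Q$attr\E[ \t]*=[ \t]*).*$/${1}"<redacted>"/mg;
    }
    return $dump;
}

# Drop-in replacement for a "dump then log" call site: the dump can only
# reach the logger through redact_dump, so the TACACS+ path and the TTLS
# tunnelled-packet path (the one reported above) are fixed the same way.
# $log is a code reference standing in for &main::log (an assumption here).
sub log_dump {
    my ($log, $label, $dump) = @_;
    $log->($label . ":\n" . redact_dump($dump));
}

# Constructed sample modelled on the tunnelled TTLS dump in the report,
# deliberately without a trailing newline on the password line.
my $sample = "Code: UNDEF\nIdentifier: UNDEF\nAuthentic: UNDEF\nAttributes:\n"
           . "User-Name = \"phavekes at avans.nl\"\n"
           . "User-Password = \"p4ssw0rd = with = equals\"";

log_dump(sub { print @_, "\n" }, "TTLS Tunnelled Diameter Packet dump", $sample);
die "password leaked into dump" if redact_dump($sample) =~ /p4ssw0rd/;
```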