[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Hugh Irvine hugh at open.com.au
Wed Jun 10 03:31:04 CDT 2009


Hello Peter -

Trace levels 4 and 5 are designed for debug purposes; therefore the passwords are logged in cleartext.

In production you would typically use "Trace 3".

regards

Hugh


On 10 Jun 2009, at 01:11, Peter Havekes wrote:

> When using EAP-TTLS + PAP the cleartext passwords are also being logged at trace level 5. Is this a feature or a bug?
>
> See example logging (xxxxxxx's are the password):
>
>
> Code: Access-Request
> Identifier: 151
> Authentic: <0><167>v<251>rtY<18>4<131><231>r?<208><8>M
> Attributes:
> NAS-Port-Id = "AP11/1"
> Calling-Station-Id = "00-02-78-DF-B5-E5"
> Called-Station-Id = "00-0B-0E-29-51-C2:eduroam"
> Service-Type = Framed-User
> User-Name = "anonymous at avans.nl"
> NAS-Port = 46947
> EAP-Message = <2><9><0>S<21><0><23><3><1><0>Hf<151><149><163><15><152><249><31><141><168><161>Uc3? K<133><203><241>\V<195>=:<3>C<139>ik<245>#.<133><1
> NAS-Port-Type = 19
> NAS-IP-Address = 145.48.82.51
> NAS-Identifier = "Trapeze"
> Message-Authenticator =
> <149><175>Sq@<156><248><128>-<142><143><198><236><170><153><165>
>
> Tue Jun 9 10:51:49 2009: DEBUG: Handling request with Handler 'Called-Station-Id=/.*eduroam.*/,Realm=avans.nl,User-Name=/@/'
> Tue Jun 9 10:51:49 2009: DEBUG: Deleting session for anonymous at avans.nl, 145.48.82.51, 46947
> Tue Jun 9 10:51:49 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Jun 9 10:51:49 2009: DEBUG: Handling with EAP: code 2, 9, 83, 21
> Tue Jun 9 10:51:49 2009: DEBUG: Response type 21
> Tue Jun 9 10:51:49 2009: DEBUG: EAP TTLS data, 3, 9, 8
> Tue Jun 9 10:51:49 2009: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: UNDEF
> Identifier: UNDEF
> Authentic: UNDEF
> Attributes:
> User-Name = "phavekes at avans.nl"
> User-Password = "xxxxxxxxxxxxxxxxx"
>
> Mike McCauley wrote:
>> Hello Markus,
>>
>> On Monday 08 June 2009 08:43:10 pm Markus Moeller wrote:
>>
>>> Hi Mike,
>>>
>>> I can't see what has changed. Can you point me to which file has changed, please?
>>>
>>
>> ServerTACACSPLUS.pm, about line 682.
>>
>> Cheers.
>>
>>
>>> Thank you
>>> Markus
>>> ----- Original Message -----
>>> From: "Mike McCauley" <mikem at open.com.au>
>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> Cc: <radiator at open.com.au>
>>> Sent: Friday, June 05, 2009 11:26 PM
>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
>>>
>>>
>>>> Hello Markus,
>>>>
>>>> thanks for your note.
>>>> Our analysis shows that the fix required was different to the one you sent.
>>>> However, we have made the appropriate fix, and it is now available in the latest patch set.
>>>> We apologise for any inconvenience.
>>>>
>>>> Please let me know how you get on.
>>>> Cheers.
>>>>
>>>> On Saturday 06 June 2009 05:54:14 am Markus Moeller wrote:
>>>>
>>>>> Sorry, it seems I overlooked another place where the TACACS password is logged in clear.
>>>>>
>>>>> Would it be possible to change in line 573 in ServerTACACSPLUS.pm the following:
>>>>>
>>>>>    &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request
>>>>> packet
>>>>> dump:\n" . $tp->dump)
>>>>>        if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>>>>
>>>>> to (or similar):
>>>>>
>>>>>    my $dump = $tp->dump;
>>>>>    $dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
>>>>>    $dump =~ s/User-Password = .*$/User-Password = XXX/g;
>>>>>    &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request
>>>>> packet
>>>>> dump:\n" . $dump)
>>>>>        if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
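Review bot: the masking is applied to the string returned by $tp->dump at this single call site, so any other code path that dumps the same packet (the follow-up in this thread points at a second spot around line 682 of ServerTACACSPLUS.pm) still writes the password in clear; the substitution belongs inside the dump routine or wherever the attribute line is formatted, not at each &main::log call. Two smaller points: the second pattern `s/User-Password = .*$/User-Password = XXX/g` runs without /m, so `$` only matches the end of the whole dump, which does cover a final line with no trailing newline but is easy to misread as per-line; and keying on the literal name User-Password leaves any other credential-carrying attribute in cleartext, so the pattern should be driven by a list of sensitive attribute names rather than one.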
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>> To: "Mike McCauley" <mikem at open.com.au>; <radiator at open.com.au>
>>>>> Sent: Sunday, January 25, 2009 12:25 PM
>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
>>>>>
>>>>>
>>>>>> Thank you
>>>>>> Markus
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Mike McCauley" <mikem at open.com.au>
>>>>>> To: <radiator at open.com.au>
>>>>>> Cc: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>>> Sent: Saturday, January 24, 2009 11:37 PM
>>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
>>>>>>
>>>>>>
> <-CUT->
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://server2/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
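Both reports in this thread (the TACACS+-derived dump and the EAP-TTLS/PAP tunnelled dump) leak the same thing: a `User-Password` attribute line inside a packet dump written at Trace 4 or 5. The NB above also asks posters to attach a trace 4 debug, so a trace file needs to be scrubbed before it is shared. The filter below is an added example, not Radiator code and not a Radiator hook; it post-processes trace output line by line and masks the value of any attribute whose name is in a sensitive set. `User-Password` is the attribute shown leaking on this page; `CHAP-Password` and `Tunnel-Password` are assumptions about what a deployment may also carry. The sample trace is constructed after the tunnelled dump quoted above, with a made-up password.

```python
"""Redact credential-bearing attribute values in Radiator-style trace output.

Added example; not part of Radiator. Run as a filter:  radiusd ... | python3 redact.py
"""
import re
import sys
from typing import Iterable, Iterator

# Attribute names whose values must never leave the box in a shared trace.
# User-Password is the attribute shown leaking in the thread; the other two
# are an assumption about what a RADIUS deployment may also carry.
SENSITIVE_ATTRIBUTES = frozenset({"User-Password", "CHAP-Password", "Tunnel-Password"})

# One attribute line of a packet dump, e.g. '\tUser-Password = "secret"'.
# Group 1: indentation, group 2: attribute name, group 3: raw value text.
_ATTR_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+)\s*=\s*(.*)$")


def redact_line(line: str) -> str:
    """Return `line` with its value masked if it is a sensitive attribute line."""
    body = line.rstrip("\r\n")
    newline = line[len(body):]
    m = _ATTR_LINE.match(body)
    if not m or m.group(2) not in SENSITIVE_ATTRIBUTES:
        return line
    indent, name, value = m.groups()
    # Radiator prints string values in double quotes; report the length of the
    # password itself, which helps when debugging a failed bind without
    # disclosing anything about its content.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return f'{indent}{name} = "<redacted, {len(value)} chars>"{newline}'


def redact_trace(lines: Iterable[str]) -> Iterator[str]:
    """Stream a trace through the redactor one line at a time."""
    for line in lines:
        yield redact_line(line)


def redact_text(text: str) -> str:
    """Convenience wrapper for a whole trace held in memory."""
    return "".join(redact_trace(text.splitlines(keepends=True)))


# Constructed sample modelled on the TTLS tunnelled packet dump quoted in the
# thread; the password value is made up.
SAMPLE_TRACE = (
    "Tue Jun 9 10:51:49 2009: DEBUG: TTLS Tunnelled Diameter Packet dump:\n"
    "Code: UNDEF\n"
    "Identifier: UNDEF\n"
    "Authentic: UNDEF\n"
    "Attributes:\n"
    '\tUser-Name = "phavekes@avans.nl"\n'
    '\tUser-Password = "hunter2hunter2"\n'
)

if __name__ == "__main__":
    # Filter a trace on stdin, or show the sample when run with no piped input.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_TRACE.splitlines(keepends=True)
    sys.stdout.writelines(redact_trace(src))
```

This only sanitises a trace that has already been written, which is the right tool before attaching a debug to a list post; it does not stop the password reaching the log file in the first place. That is what the fix in ServerTACACSPLUS.pm and running at Trace 3 in production are for, and the same reasoning applies to any log shipping or rotation that copies trace output elsewhere.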



