[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
Markus Moeller
huaraz at moeller.plus.com
Fri Oct 30 16:00:21 CDT 2009
It seems I overlooked another case where the password is logged in clear. Can this patch be added?
Thank you
Markus
--- Radius/ServerTACACSPLUS.pm 2009-10-26 22:23:52.000000000 +0000
+++ Radius/ServerTACACSPLUS.pm.new 2009-10-30 13:48:14.000000000
+0000
@@ -650,7 +650,14 @@
my $user_msg = substr($fields, $i, $user_msg_len); $i +=
$user_msg_len;
my $data = substr($fields, $i, $data_len); $i += $data_len;
- $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
Authentication CONTINUE $flags, $user_msg, $data");
+ if ($self->{last_status} ==
$Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS)
+ {
+ $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
Authentication CONTINUE $flags, **obscured**, $data");
+ }
+ else
+ {
+ $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
Authentication CONTINUE $flags, $user_msg, $data");
+ }
if ($flags & $Radius::Tacacsplus::TAC_PLUS_CONTINUE_FLAG_ABORT)
{
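Review bot: the two branches differ only in the second field of the log string, so the masking decision and the log call can be written once (`my $shown = $self->{last_status} == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS ? '**obscured**' : $user_msg;` followed by a single `log` call), which keeps the two copies from drifting apart. The placeholder `**obscured**` also differs from the `XXX` used in the earlier hunks of this change; pick one string for the whole patch. The test depends on `$self->{last_status}` having been recorded when the GETPASS reply was sent, and that assignment is not visible in the hunk, so confirm it exists and is reset between sessions, otherwise the password is still logged.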
----- Original Message -----
From: Markus Moeller
To: radiator at open.com.au
Sent: Sunday, March 09, 2008 12:57 PM
Subject: (RADIATOR) Patch to hide user password when using tacacs+ and trace 4,5
The User-Password attribute is encoded when Radius is used, and the logging with trace 4 or 5 does not reveal the password. But when Tacacs is used, the password is in clear when creating the fake radius request. If I understand the code right, the User-Password attribute is not really used, only the DecodedPassword (please correct me if that is wrong; I couldn't check all cases), so the below patch sets the User-Password to XXX when tacacs is used.
Also, when logging Tacacs+ requests and replies, the password is logged. The below patch should avoid that too.
Regards
Markus
--- ServerTACACSPLUS.pm Sun Mar 9 12:46:08 2008
+++ ServerTACACSPLUS.pm.new Sun Mar 9 12:46:01 2008
@@ -475,7 +475,8 @@
{
# PAP login
$tp->add_attr('User-Name', $user);
- $tp->add_attr('User-Password', $data);
+# $tp->add_attr('User-Password', $data);
+ $tp->add_attr('User-Password', 'XXX');
$tp->{DecodedPassword} = $data;
}
elsif ($action == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_LOGIN
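Review bot: the `+# $tp->add_attr('User-Password', $data);` line leaves dead, commented-out code behind; drop it, the diff already records the old line. Substituting the literal `XXX` for the attribute is only safe if nothing downstream reads User-Password instead of `$tp->{DecodedPassword}`; the covering message says this was not checked in all cases, and any AuthBy or forwarding path that uses the attribute would now authenticate against `XXX`, so that assumption needs verifying before the change is merged.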
@@ -615,8 +616,14 @@
my $user_msg = substr($fields, $i, $user_msg_len); $i += $user_msg_len;
my $data = substr($fields, $i, $data_len); $i += $data_len;
- $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, $user_msg, $data");
-
+ if ($self->{last_status} == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS)
+ {
+ $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, XXX, $data");
+ }
+ else
+ {
+ $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, $user_msg, $data");
+ }
if ($flags & $Radius::Tacacsplus::TAC_PLUS_CONTINUE_FLAG_ABORT)
{
$self->{parent}->log($main::LOG_WARN, "TacacsplusConnection Authentication CONTINUE aborted: $data");
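Review bot: only `$user_msg` in the GETPASS case is masked; `$data` is still logged unconditionally in both branches and again in the abort warning directly below, so confirm that `data` never carries credential material in a CONTINUE packet for this flow. The `-` line that removes the blank line after the log call is an unrelated whitespace change and is better left out of a logging fix.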
@@ -644,7 +651,8 @@
# our replyFn will be called
my $tp = $self->create_radius_request('Access-Request');
$tp->add_attr('User-Name', $self->{user});
- $tp->add_attr('User-Password', $self->{password});
+# $tp->add_attr('User-Password', $self->{password});
+ $tp->add_attr('User-Password', 'XXX');
$tp->{DecodedPassword} = $self->{password};
# Recover the context and any radius State from a previous Access-Challenge
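Review bot: this repeats the User-Password to `XXX` substitution from the hunk at line 475, including the commented-out old line; the same cleanup applies, and a single shared placeholder constant would keep the two sites consistent. `$tp->{DecodedPassword}` still holds the clear-text password, so it is worth confirming that the trace 4/5 request dump prints only the attribute list and not that hash entry.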
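The patches above mask the secret at each log call separately. The following Perl is an added example, not part of the patch or of Radiator itself, showing the same mitigation with the masking decision centralised in one helper: the CONTINUE log line is built by a single function that checks the previous authentication status, and the internal request carries a placeholder in User-Password while the real password lives only in DecodedPassword. The numeric status values are the ones from the TACACS+ specification; Radiator's own constants live in Radius::Tacacsplus and are not used here. The sample exchange at the bottom is constructed.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): one redaction helper for TACACS+
# debug logging, so the "which field is secret" rule exists in one place
# instead of being copied into every log call.
use strict;
use warnings;

# Assumed values: taken from the TACACS+ specification, not from Radiator.
use constant TAC_PLUS_AUTHEN_STATUS_GETUSER => 4;
use constant TAC_PLUS_AUTHEN_STATUS_GETPASS => 5;

# Single placeholder used everywhere a secret is replaced in log output.
use constant REDACTED => '**obscured**';

# Build the CONTINUE debug line. When the previous server reply asked for
# a password (GETPASS), the user_msg field is the password and is masked.
# An undefined last_status is treated as "unknown" and masked as well,
# so a missing assignment fails closed rather than leaking.
sub continue_log_line {
    my ($last_status, $flags, $user_msg, $data) = @_;
    my $shown = (defined $last_status
                 && $last_status != TAC_PLUS_AUTHEN_STATUS_GETPASS)
              ? $user_msg : REDACTED;
    return sprintf('TacacsplusConnection Authentication CONTINUE %d, %s, %s',
                   $flags, $shown, $data);
}

# Build the attribute list for the internal request: the loggable
# User-Password attribute never carries the clear-text password, which is
# kept only in the DecodedPassword slot for the authentication back end.
sub redacted_request {
    my ($user, $password) = @_;
    return {
        attrs           => [ ['User-Name', $user], ['User-Password', REDACTED] ],
        DecodedPassword => $password,
    };
}

# Constructed sample exchange: a GETUSER reply followed by a GETPASS reply.
print continue_log_line(TAC_PLUS_AUTHEN_STATUS_GETUSER, 0, 'alice',  ''), "\n";
print continue_log_line(TAC_PLUS_AUTHEN_STATUS_GETPASS, 0, 's3cret', ''), "\n";
print continue_log_line(undef,                          0, 's3cret', ''), "\n";

my $req = redacted_request('alice', 's3cret');
print join(', ', map { "$_->[0]=$_->[1]" } @{ $req->{attrs} }), "\n";
```

The first line prints the user name, the second and third print `**obscured**` in its place, and the attribute dump shows `User-Password=**obscured**`; the clear-text value is reachable only through `DecodedPassword`, which a request dump should therefore never print.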