[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Markus Moeller huaraz at moeller.plus.com
Fri Oct 30 16:00:21 CDT 2009


It seems I overlooked another case where the password is logged in clear. Can this patch be added?

Thank you
Markus

--- Radius/ServerTACACSPLUS.pm  2009-10-26 22:23:52.000000000 +0000
+++ Radius/ServerTACACSPLUS.pm.new      2009-10-30 13:48:14.000000000 
+0000
@@ -650,7 +650,14 @@
     my $user_msg  = substr($fields, $i, $user_msg_len); $i += 
$user_msg_len;
     my $data      = substr($fields, $i, $data_len);     $i += $data_len;

-    $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection 
Authentication CONTINUE $flags, $user_msg, $data");
+    if ($self->{last_status} == 
$Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS)
+    {
+       $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection 
Authentication CONTINUE $flags, **obscured**, $data");
+    }
+    else
+    {
+       $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection 
Authentication CONTINUE $flags, $user_msg, $data");
+    }

     if ($flags & $Radius::Tacacsplus::TAC_PLUS_CONTINUE_FLAG_ABORT)
     {
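Review bot: the new branch compares `$self->{last_status}` with `==`, but nothing in this hunk shows where `last_status` is recorded. If it is not set by the time the GETPASS reply has gone out, the comparison is `undef == constant`, which (unless that constant happens to be zero) falls through to the else branch and logs `$user_msg`, i.e. the password, in clear, while also emitting an uninitialised-value warning under `use warnings`. Suggest confirming that the reply path stores the status and writing the check defensively, e.g. `if (defined $self->{last_status} && $self->{last_status} == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS)`.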






  ----- Original Message ----- 
  From: Markus Moeller 
  To: radiator at open.com.au 
  Sent: Sunday, March 09, 2008 12:57 PM
  Subject: (RADIATOR) Patch to hide user password when using tacacs+ and trace 4,5


  The User-Password attribute is encoded when Radius is used and the logging with trace 4 or 5 does not reveal the password. But when Tacacs is used the password is in clear when creating the fake radius request. If I understand the code right the User-Password attribute is not really used, only the DecodedPassword (please correct if that is wrong, I couldn't check all cases), so the below patch sets the User-Password to XXX when tacacs is used.

  Also when logging Tacacs+ requests and replies the password is logged. The below patch should avoid that too.

  Regards
  Markus



  --- ServerTACACSPLUS.pm Sun Mar  9 12:46:08 2008
  +++ ServerTACACSPLUS.pm.new     Sun Mar  9 12:46:01 2008
  @@ -475,7 +475,8 @@
       {
          # PAP login
          $tp->add_attr('User-Name', $user);
  -       $tp->add_attr('User-Password', $data);
  +#      $tp->add_attr('User-Password', $data);
  +       $tp->add_attr('User-Password', 'XXX');
          $tp->{DecodedPassword} = $data;
       }
       elsif ($action == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_LOGIN
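Review bot: the commented-out `#      $tp->add_attr('User-Password', $data);` is dead code and should be dropped rather than left beside its replacement. More importantly, substituting the literal `'XXX'` changes the request itself, not just the log line: anything downstream that reads User-Password instead of `$tp->{DecodedPassword}` (the message's own caveat says not all cases were checked) would now authenticate against `XXX` and fail. Redacting at the point where the fake request is logged, leaving the attribute intact, would achieve the same goal without that risk.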
  @@ -615,8 +616,14 @@
       my $user_msg  = substr($fields, $i, $user_msg_len); $i += $user_msg_len;
       my $data      = substr($fields, $i, $data_len);     $i += $data_len;
       
  -    $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, $user_msg, $data");
  -
  +    if ($self->{last_status} == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS)
  +    {
  +        $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, XXX, $data");
  +    }
  +    else
  +    {
  +        $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication CONTINUE $flags, $user_msg, $data");
  +    }
       if ($flags & $Radius::Tacacsplus::TAC_PLUS_CONTINUE_FLAG_ABORT)
       {
          $self->{parent}->log($main::LOG_WARN, "TacacsplusConnection Authentication CONTINUE aborted: $data");
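Review bot: the second `-` line removes the blank line that separated the log call from the following `if ($flags & ...CONTINUE_FLAG_ABORT)` block; keep a blank line after the new closing `}` for readability. Also, the else branch still logs `$user_msg` verbatim, which is fine for a GETUSER reply carrying the username, but it means the redaction depends entirely on `last_status` being GETPASS for exactly the packet that carries the password; a one-line comment stating that assumption next to the check would help the next reader.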
  @@ -644,7 +651,8 @@
          # our replyFn will be called
          my $tp = $self->create_radius_request('Access-Request');
          $tp->add_attr('User-Name', $self->{user});
  -       $tp->add_attr('User-Password', $self->{password});
  +#      $tp->add_attr('User-Password', $self->{password});
  +       $tp->add_attr('User-Password', 'XXX');
          $tp->{DecodedPassword} = $self->{password};
   
          # Recover the context and any radius State from a previous Access-Challenge
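Review bot: this is the second copy of the `'XXX'` placeholder and the second commented-out `add_attr` line (the first is in the `@@ -475` hunk); a single named constant or a small helper used in both places would keep the two paths from drifting, and the commented-out lines should go. Note that `$self->{password}` is still stored in `DecodedPassword`, so this hunk only keeps the value out of the fake-request log; any other log call that prints the request's decoded fields would still need the same treatment.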