[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5
Mike McCauley
mikem at open.com.au
Fri Oct 30 17:57:41 CDT 2009
Hello Markus,
On Saturday 31 October 2009 07:00:21 am Markus Moeller wrote:
> It seems I overlooked another case where the password is logged in clear.
> Can this patch be added?
Thanks for the patch. It has been applied in the latest patch set.
Cheers.
>
> Thank you
> Markus
>
> --- Radius/ServerTACACSPLUS.pm 2009-10-26 22:23:52.000000000 +0000
> +++ Radius/ServerTACACSPLUS.pm.new 2009-10-30 13:48:14.000000000
> +0000
> @@ -650,7 +650,14 @@
> my $user_msg = substr($fields, $i, $user_msg_len); $i +=
> $user_msg_len;
> my $data = substr($fields, $i, $data_len); $i += $data_len;
>
> - $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
> Authentication CONTINUE $flags, $user_msg, $data");
> + if ($self->{last_status} ==
> $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS)
> + {
> + $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
> Authentication CONTINUE $flags, **obscured**, $data");
> + }
> + else
> + {
> + $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
> Authentication CONTINUE $flags, $user_msg, $data");
> + }
>
> if ($flags & $Radius::Tacacsplus::TAC_PLUS_CONTINUE_FLAG_ABORT)
> {
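Review bot: the masking keys only on TAC_PLUS_AUTHEN_STATUS_GETPASS, so a CONTINUE that answers a GETDATA prompt (token codes, PINs) still logs $user_msg in clear; consider testing $self->{last_status} against both GETPASS and GETDATA. The hunk also does not show where $self->{last_status} is assigned: if it is not set on every reply path the comparison is against undef, the password is logged, and `==` on undef warns under `use warnings`. $data is still logged unmasked in both branches; if it can carry anything secret it should get the same treatment.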
>
> ----- Original Message -----
> From: Markus Moeller
> To: radiator at open.com.au
> Sent: Sunday, March 09, 2008 12:57 PM
> Subject: (RADIATOR) Patch to hide user password when using tacacs+ and
> trace 4,5
>
>
> The User-Password attribute is encoded when Radius is used and the
> logging with trace 4 or 5 does not reveal the password. But when Tacacs is
> used the password is in clear when creating the fake radius request. If I
> understand the code right the User-Password attribute is not really used,
> only the DecodedPassword (please correct me if that is wrong; I couldn't check
> all cases), so the below patch sets the User-Password to XXX when tacacs is
> used.
>
> Also when logging Tacacs+ requests and replies the password is logged.
> The below patch should avoid that too.
>
> Regards
> Markus
>
> --- ServerTACACSPLUS.pm Sun Mar 9 12:46:08 2008
> +++ ServerTACACSPLUS.pm.new Sun Mar 9 12:46:01 2008
> @@ -475,7 +475,8 @@
> {
> # PAP login
> $tp->add_attr('User-Name', $user);
> - $tp->add_attr('User-Password', $data);
> +# $tp->add_attr('User-Password', $data);
> + $tp->add_attr('User-Password', 'XXX');
> $tp->{DecodedPassword} = $data;
> }
> elsif ($action == $Radius::Tacacsplus::TAC_PLUS_AUTHEN_LOGIN
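Review bot: substituting the literal 'XXX' for User-Password changes the content of the fake Access-Request, not just the log line; anything that reads User-Password from the request instead of $tp->{DecodedPassword} (for example a handler that re-encodes the request to proxy it) now sees 'XXX'. Masking the attribute where the request is dumped for trace 4/5 keeps the request intact and achieves the same goal. Also remove the commented-out `# $tp->add_attr('User-Password', $data);` rather than leaving dead code in the source.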
> @@ -615,8 +616,14 @@
> my $user_msg = substr($fields, $i, $user_msg_len); $i +=
> $user_msg_len; my $data = substr($fields, $i, $data_len); $i +=
> $data_len;
>
> - $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
> Authentication CONTINUE $flags, $user_msg, $data"); -
> + if ($self->{last_status} ==
> $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS) + {
> + $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
> Authentication CONTINUE $flags, XXX, $data"); + }
> + else
> + {
> + $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection
> Authentication CONTINUE $flags, $user_msg, $data"); + }
> if ($flags & $Radius::Tacacsplus::TAC_PLUS_CONTINUE_FLAG_ABORT)
> {
> $self->{parent}->log($main::LOG_WARN, "TacacsplusConnection
> Authentication CONTINUE aborted: $data"); @@ -644,7 +651,8 @@
> # our replyFn will be called
> my $tp = $self->create_radius_request('Access-Request');
> $tp->add_attr('User-Name', $self->{user});
> - $tp->add_attr('User-Password', $self->{password});
> +# $tp->add_attr('User-Password', $self->{password});
> + $tp->add_attr('User-Password', 'XXX');
> $tp->{DecodedPassword} = $self->{password};
>
> # Recover the context and any radius State from a previous
> Access-Challenge
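Review bot: on the @@ -615,8 +616,14 @@ hunk, the 'XXX' placeholder is indistinguishable in the log from a user who actually typed XXX; the 2009 resubmission earlier in this thread uses **obscured**, which reads unambiguously as redaction. The stray `-` after the removed log call and the `+ {` / `+ }` tokens run onto the ends of the preceding lines indicate the hunk was reflowed in transit, so the patch as pasted will not apply with patch(1) until it is re-wrapped one change per line.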
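Review bot: on the @@ -644,7 +651,8 @@ hunk, the same concern as in the PAP hunk applies: 'XXX' replaces the real User-Password in the Access-Request handed to the replyFn, so the code that follows (recovering the context and RADIUS State from a previous Access-Challenge) must not depend on User-Password holding the real value, only on $tp->{DecodedPassword}. Delete the commented-out add_attr line instead of keeping it.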
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
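The thread above is about one concrete failure mode: a debug log at trace 4 or 5 that prints the user's reply to a TACACS+ password prompt in clear. As an added example (not Radiator's code and not the patch author's), the following Python parses a TACACS+ authentication CONTINUE body, logs it in the same shape as Radiator's debug line, and hides user_msg whenever the server's previous reply asked for a secret. It goes slightly beyond the patch by also treating GETDATA prompts as secret, and it shows the alternative the review comments suggest: masking User-Password at log time instead of writing a placeholder into the request. The wire layout and the numeric constants are taken from RFC 8907; the function names, the simulated exchange and the sample credentials are constructed for this example.

```python
"""Parse a TACACS+ authentication CONTINUE body and log it without leaking
the user's password.  Added example; not Radiator code.  Wire layout and
constant values follow RFC 8907 (section 5.3 for CONTINUE)."""
import struct
from dataclasses import dataclass

# Protocol constants (RFC 8907).  Radiator refers to the same values as
# $Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_GETPASS etc.
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x01
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x02
TAC_PLUS_AUTHEN_STATUS_GETDATA = 0x03
TAC_PLUS_CONTINUE_FLAG_ABORT = 0x01

# Server replies whose prompt elicits a secret.  The patch on this page masks
# only GETPASS; including GETDATA (token code / PIN prompts) is this example's
# assumption about what a careful deployment also wants hidden.
SECRET_PROMPT_STATUSES = {TAC_PLUS_AUTHEN_STATUS_GETPASS,
                          TAC_PLUS_AUTHEN_STATUS_GETDATA}

# CONTINUE body: user_msg_len (2), data_len (2), flags (1), user_msg, data
HEADER = struct.Struct("!HHB")


@dataclass(frozen=True)
class AuthenContinue:
    flags: int
    user_msg: bytes
    data: bytes


def build_authen_continue(flags, user_msg, data):
    """Encode a CONTINUE body (used here to construct sample packets)."""
    return HEADER.pack(len(user_msg), len(data), flags) + user_msg + data


def parse_authen_continue(body):
    """Decode a CONTINUE body; reject bodies whose declared lengths do not
    match what was received instead of silently slicing short."""
    if len(body) < HEADER.size:
        raise ValueError("CONTINUE body shorter than its fixed header")
    user_msg_len, data_len, flags = HEADER.unpack_from(body)
    if len(body) != HEADER.size + user_msg_len + data_len:
        raise ValueError("CONTINUE body length does not match declared lengths")
    i = HEADER.size
    user_msg = body[i:i + user_msg_len]
    i += user_msg_len
    data = body[i:i + data_len]
    return AuthenContinue(flags, user_msg, data)


def _printable(raw):
    return raw.decode("utf-8", errors="replace")


def format_continue_log(pkt, last_status):
    """Same shape as Radiator's debug line.  user_msg is the user's answer to
    the previous server prompt, so it is hidden when that prompt asked for a
    secret; the decision depends only on the status the server last sent."""
    shown = b"**obscured**" if last_status in SECRET_PROMPT_STATUSES else pkt.user_msg
    line = (f"TacacsplusConnection Authentication CONTINUE {pkt.flags}, "
            f"{_printable(shown)}, {_printable(pkt.data)}")
    if pkt.flags & TAC_PLUS_CONTINUE_FLAG_ABORT:
        line += " (aborted)"
    return line


REDACTED_ATTRS = frozenset({"User-Password"})


def describe_request(attrs, redacted=REDACTED_ATTRS):
    """Render a RADIUS-style attribute dict for a trace line, masking secret
    attributes at log time so the request itself keeps its real values
    (the alternative to storing a literal placeholder in the request)."""
    return ", ".join(
        f"{name} = {'**obscured**' if name in redacted else value}"
        for name, value in attrs.items())


def simulate_login(username, password):
    """Constructed two-step exchange: the client answers a GETUSER prompt with
    the name and a GETPASS prompt with the password.  Returns the debug
    lines that would be emitted."""
    lines = []
    last_status = TAC_PLUS_AUTHEN_STATUS_GETUSER
    pkt = parse_authen_continue(build_authen_continue(0, username.encode(), b""))
    lines.append(format_continue_log(pkt, last_status))
    last_status = TAC_PLUS_AUTHEN_STATUS_GETPASS
    pkt = parse_authen_continue(build_authen_continue(0, password.encode(), b""))
    lines.append(format_continue_log(pkt, last_status))
    fake_request = {"User-Name": username, "User-Password": password}
    lines.append("Fake RADIUS request: " + describe_request(fake_request))
    return lines


if __name__ == "__main__":
    for line in simulate_login("alice", "s3cret!"):
        print(line)
```

Running the module prints the username in clear on the first CONTINUE line and `**obscured**` on the second, and the fake request line shows User-Name but not the password. The redaction decision lives entirely in the logging functions, so the parsed packet and the request dict still carry the real values for whatever authenticates them.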