<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=us-ascii" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
When using EAP-TTLS + PAP the cleartext passwords are also being logged
at trace level 5. Is this a feature or a bug?<br>
<br>
See example logging (xxxxxxx's are the password):<br>
<br>
<br>
<br>
<br>
<br>
Code: Access-Request<br>
Identifier: 151<br>
Authentic:
<0><167>v<251>rtY<18>4<131><231>r?<208><8>M<br>
Attributes:<br>
NAS-Port-Id = "AP11/1"<br>
Calling-Station-Id = "00-02-78-DF-B5-E5"<br>
Called-Station-Id = "00-0B-0E-29-51-C2:eduroam"<br>
Service-Type = Framed-User<br>
User-Name = <a class="moz-txt-link-rfc2396E" href="mailto:anonymous@avans.nl">"anonymous@avans.nl"</a><br>
NAS-Port = 46947<br>
EAP-Message =
<2><9><0>S<21><0><23><3><1><0>Hf<151><149><163><15><152><249><31><141><168><161>Uc3?K<133><203><241>\V<195>=:<3>C<139>ik<245>#.<133><1<br>
NAS-Port-Type = 19<br>
NAS-IP-Address = 145.48.82.51<br>
NAS-Identifier = "Trapeze"<br>
Message-Authenticator =
<149><175>Sq@<156><248><128>-<142><143><198><236><170><153><165><br>
<br>
Tue Jun 9 10:51:49 2009: DEBUG: Handling request with Handler
'Called-Station-Id=/.*eduroam.*/,Realm=avans.nl,User-Name=/@/'<br>
Tue Jun 9 10:51:49 2009: DEBUG: Deleting session for
<a class="moz-txt-link-abbreviated" href="mailto:anonymous@avans.nl">anonymous@avans.nl</a>, 145.48.82.51, 46947<br>
Tue Jun 9 10:51:49 2009: DEBUG: Handling with Radius::AuthFILE: <br>
Tue Jun 9 10:51:49 2009: DEBUG: Handling with EAP: code 2, 9, 83, 21<br>
Tue Jun 9 10:51:49 2009: DEBUG: Response type 21<br>
Tue Jun 9 10:51:49 2009: DEBUG: EAP TTLS data, 3, 9, 8<br>
Tue Jun 9 10:51:49 2009: DEBUG: TTLS Tunnelled Diameter Packet dump:<br>
Code: UNDEF<br>
Identifier: UNDEF<br>
Authentic: UNDEF<br>
Attributes:<br>
User-Name = <a class="moz-txt-link-rfc2396E" href="mailto:phavekes@avans.nl">"phavekes@avans.nl"</a><br>
User-Password = "xxxxxxxxxxxxxxxxx"<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Mike McCauley wrote:
<blockquote cite="mid:200906082106.00449.mikem@open.com.au" type="cite">
<pre wrap="">Hello Markus,
On Monday 08 June 2009 08:43:10 pm Markus Moeller wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Mike,
I can't see what has changed. Can you point me to which file has changed
please ?
</pre>
</blockquote>
<pre wrap=""><!---->
ServerTACACSPLUS.pm, about line 682.
Cheers.
</pre>
<blockquote type="cite">
<pre wrap="">Thank you
Markus
----- Original Message -----
From: "Mike McCauley" <a class="moz-txt-link-rfc2396E" href="mailto:mikem@open.com.au"><mikem@open.com.au></a>
To: "Markus Moeller" <a class="moz-txt-link-rfc2396E" href="mailto:huaraz@moeller.plus.com"><huaraz@moeller.plus.com></a>
Cc: <a class="moz-txt-link-rfc2396E" href="mailto:radiator@open.com.au"><radiator@open.com.au></a>
Sent: Friday, June 05, 2009 11:26 PM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
whenusingtacacs+ and trace 4, 5
</pre>
<blockquote type="cite">
<pre wrap="">Hello Markus,
thanks for your note.
Our analysis shows that the fix required was different to the one you
sent.
However, we have made the appropriate fix, and it is now available in the
latest patch set.
We apologise for any inconvenience.
Please let me know how you get on.
Cheers.
On Saturday 06 June 2009 05:54:14 am Markus Moeller wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Sorry it seems I overlooked another place where the TACACS password is
logged in clear.
Would it be possible to change in line 573 in ServerTACACSPLUS.pm the
following:
&main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request
packet
dump:\n" . $tp->dump)
if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
to (or similar):
my $dump = $tp->dump;
$dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
$dump =~ s/User-Password = .*$/User-Password = XXX/g;
&main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request
packet
dump:\n" . $dump)
if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
Thank you
Markus
----- Original Message -----
From: "Markus Moeller" <a class="moz-txt-link-rfc2396E" href="mailto:huaraz@moeller.plus.com"><huaraz@moeller.plus.com></a>
To: "Mike McCauley" <a class="moz-txt-link-rfc2396E" href="mailto:mikem@open.com.au"><mikem@open.com.au></a>; <a class="moz-txt-link-rfc2396E" href="mailto:radiator@open.com.au"><radiator@open.com.au></a>
Sent: Sunday, January 25, 2009 12:25 PM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
whenusingtacacs+ and trace 4, 5
</pre>
<blockquote type="cite">
<pre wrap="">Thank you
Markus
----- Original Message -----
From: "Mike McCauley" <a class="moz-txt-link-rfc2396E" href="mailto:mikem@open.com.au"><mikem@open.com.au></a>
To: <a class="moz-txt-link-rfc2396E" href="mailto:radiator@open.com.au"><radiator@open.com.au></a>
Cc: "Markus Moeller" <a class="moz-txt-link-rfc2396E" href="mailto:huaraz@moeller.plus.com"><huaraz@moeller.plus.com></a>
Sent: Saturday, January 24, 2009 11:37 PM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
usingtacacs+ and trace 4, 5
</pre>
<blockquote type="cite">
<pre wrap="">Hello Markus,
On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Sorry, but what are your thoughts on this now ?
</pre>
</blockquote>
<pre wrap="">We have now made changes to Tacacs+ authentication so that the
plaintext
password is not logged, even at DEBUG level.
The change is now in the latesst patch set.
Thanks for your suggestion.
Cheers.
</pre>
<blockquote type="cite">
<pre wrap="">Thank you
Markus
----- Original Message -----
From: "Markus Moeller" <a class="moz-txt-link-rfc2396E" href="mailto:huaraz@moeller.plus.com"><huaraz@moeller.plus.com></a>
To: "Hugh Irvine" <a class="moz-txt-link-rfc2396E" href="mailto:hugh@open.com.au"><hugh@open.com.au></a>
Cc: <a class="moz-txt-link-rfc2396E" href="mailto:radiator@open.com.au"><radiator@open.com.au></a>
Sent: Thursday, January 15, 2009 8:30 PM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password when
usingtacacs+ and trace 4, 5
</pre>
<blockquote type="cite">
<pre wrap="">Hugh,
I am a bit surprised about your answer. One of the difference
between Tacacs+ and Radius is that Tacacs+ encrypts the whole
communication between the NAS device and the Tacacs server and
sends
all AV pairs in clear through the encrypted "tunnel" (The same way
as
EAP-TLS does), whereas Radius uses clear text communication with
an encrypted password
in the password AV pair. So when you dump the AV pairs for Tacacs+
(and
EAP-TLS) it is after decrypting the tunnel, so it is all visible.
When you dump the AV pairs with Radius you have still the
encrypted password.
Here is a trace 4 output, where XXX is the password.
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection
Authentication
CONTINUE 0, markus,
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection
Authentication
REPLY 5, 1, Password: ,
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192,
1,
5,
0, 3401247729, 14
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection
Authentication
CONTINUE 0, XXX,
Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request
packet
dump:
Code: Access-Request
Identifier: UNDEF
Authentic: N<244>d]<242><195><216><219>X<176><253>
<19><127><137><183>
Attributes:
NAS-IP-Address = 10.1.3.1
NAS-Port-Id = "tty18"
Calling-Station-Id = "10.2.5.2"
Service-Type = Login-User
AuthType = tacacs
User-Name = "markus"
User-Password = XXX
DeviceType = generic
DeviceGroup = global
Regards
Markus
----- Original Message -----
From: "Hugh Irvine" <a class="moz-txt-link-rfc2396E" href="mailto:hugh@open.com.au"><hugh@open.com.au></a>
To: "Markus Moeller" <a class="moz-txt-link-rfc2396E" href="mailto:huaraz@moeller.plus.com"><huaraz@moeller.plus.com></a>
Cc: <a class="moz-txt-link-rfc2396E" href="mailto:radiator@open.com.au"><radiator@open.com.au></a>
Sent: Thursday, January 15, 2009 1:06 AM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
when using
tacacs+ and trace 4, 5
</pre>
<blockquote type="cite">
<pre wrap="">Hello Markus -
Can we first of all determine whether or not Radiator logs
cleartext
passwords?
We don't think it does, but if we are wrong please correct us.
Our reluctance has to do with the fact that a simple protocol
sniffer will show you exactly the same thing as is shown by
Radiator
- ie. obfuscated passwords.
Our reluctance is also due to the fact that a debug is meant to
provide
all of the information needed to fix problems - and the biggest
problem
tends to be with passwords.
If you can show us that Radiator is logging cleartext passwords
we will
look at fixing it.
If Radiator is logging the same packet data as shown by a
sniffer, then
we probably won't change anything.
regards
Hugh
On 15 Jan 2009, at 08:38, Markus Moeller wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Sorry to be persistent, but I don't understand your
unwillingness to hide the password during trace. Let me try to
explain again why
I need
it.
We want to use Radiator as main Radius and Tacacs
authentication server which forwards the requests to our central
Active Directory
for
password verification. The server will be maintained by an
operations
team of several people, who from time to time need to add
devices
and
troubleshoot issues. They are not always skilled enough to know
what
trace level to use (e.g. 3,4 or higher (usually highest is best
for them)), so they would see during troubleshooting user
passwords which
possibly go into log files. Our internal audit would not accept
such a
solution. They are saying "You don't leave your cash openly on
your desk in the office. You will put it in the drawer even if
it
is unlocked to avoid any temptation." It is not against
malicious
users
as we know there are always ways to get around for privileged
users,
but they have to actively break rules to get to passwords.
A custom solution is also not acceptable as any patch need to be
verified against the changes etc....
Could you reconsider your answer ?
Thank you
Markus
----- Original Message ----- From: "Hugh Irvine"
<a class="moz-txt-link-rfc2396E" href="mailto:hugh@open.com.au"><hugh@open.com.au></a>
To: "Markus Moeller" <a class="moz-txt-link-rfc2396E" href="mailto:huaraz@moeller.plus.com"><huaraz@moeller.plus.com></a>
Cc: <a class="moz-txt-link-rfc2396E" href="mailto:radiator@open.com.au"><radiator@open.com.au></a>
Sent: Wednesday, January 14, 2009 7:02 AM
Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
when
using tacacs+ and trace 4, 5
</pre>
<blockquote type="cite">
<pre wrap="">Hello Markus -
All I can suggest is your own custom code.
regards
Hugh
On 14 Jan 2009, at 10:57, Markus Moeller wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I still would like to see the password hidden during debug.
What
would convince you to include it ?
Thank you
Markus
----- Original Message ----- From: "Markus Moeller"
<<a class="moz-txt-link-abbreviated" href="mailto:huaraz@moeller.plus.com">huaraz@moeller.plus.com</a>
To: "Bjoern A. Zeeb" <a class="moz-txt-link-rfc2396E" href="mailto:bz-lists@cksoft.de"><bz-lists@cksoft.de></a>
Cc: <a class="moz-txt-link-rfc2396E" href="mailto:radiator@open.com.au"><radiator@open.com.au></a>
Sent: Monday, March 10, 2008 1:11 AM
Subject: Re: (RADIATOR) Patch to hide user password when using
tacacs + and trace 4,5
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">On Sun, 9 Mar 2008, Markus Moeller wrote:
Hi,
</pre>
<blockquote type="cite">
<pre wrap="">The User-Password attribute is encoded when Radius is used
and
the logging with trace 4 or 5 does not reveal the password.
</pre>
</blockquote>
<pre wrap="">You mean the password is ot revealed because it is "mangled/
obfucated"?
</pre>
</blockquote>
<pre wrap="">Yes
</pre>
<blockquote type="cite">
<pre wrap="">You know the authenticator, you know the secret thus you
know the
plaintext password when looking at your tracelevel 4 logs.
</pre>
</blockquote>
<pre wrap="">I also forward messages with syslog to a central syslog
server for
monitoring (although ususally not with trace 4,5 but can
happen
when debugging)
</pre>
<blockquote type="cite">
<pre wrap="">If you say, but if joe random on that machine sees the logs
he
doesn't
know the secret, then it's a matter of the
ownership/permissions of your logfiles as it would be of
your radius configuration.
</pre>
</blockquote>
<pre wrap="">I may have logfiles readable for operators but not the
clients file
with the secrects
</pre>
<blockquote type="cite">
<pre wrap="">A tracelevel > 3 is there for aiding in debugging and it's
pretty
obvious that you can get a lot of information that way to
find
a problem. That's how the system is designed to work.
</pre>
</blockquote>
<pre wrap="">True, but for example the radius code has also a section
commented
to not log the cleartext password.
</pre>
<blockquote type="cite">
<pre wrap="">just my 2cts.
</pre>
</blockquote>
<pre wrap="">Thank you
Markus
</pre>
<blockquote type="cite">
<pre wrap="">--
Dipl. Ing. (BA) Bjoern A. Zeeb Research &
Development
CK Software GmbH
<a class="moz-txt-link-freetext" href="http://www.cksoft.de/">http://www.cksoft.de/</a> Schwarzwaldstr. 31
Phone: +49 7452 889 135
D-71131 Jettingen Fax: +49 7452 889
136 HRB245288, Amtsgericht Stuttgart
Geschaeftsfuehrer: Christian Kratzer
</pre>
</blockquote>
<pre wrap="">--
Archive at <a class="moz-txt-link-freetext" href="http://www.open.com.au/archives/radiator/">http://www.open.com.au/archives/radiator/</a>
Announcements on <a class="moz-txt-link-abbreviated" href="mailto:radiator-announce@open.com.au">radiator-announce@open.com.au</a>
To unsubscribe, email '<a class="moz-txt-link-abbreviated" href="mailto:majordomo@open.com.au">majordomo@open.com.au</a>' with
'unsubscribe radiator' in the body of the message.
</pre>
</blockquote>
<pre wrap="">_______________________________________________
radiator mailing list
<a class="moz-txt-link-abbreviated" href="mailto:radiator@open.com.au">radiator@open.com.au</a>
<a class="moz-txt-link-freetext" href="http://www.open.com.au/mailman/listinfo/radiator">http://www.open.com.au/mailman/listinfo/radiator</a>
</pre>
</blockquote>
<pre wrap="">NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(<a class="moz-txt-link-abbreviated" href="http://www.open.com.au/archives/radiator">www.open.com.au/archives/radiator</a>)?
Have you had a quick look on Google (<a class="moz-txt-link-abbreviated" href="http://www.google.com">www.google.com</a>)?
Have you included a copy of your configuration file (no
secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
<a class="moz-txt-link-freetext" href="http://www.open.com.au/wiki/index.php/Main_Page">http://www.open.com.au/wiki/index.php/Main_Page</a>
--
Radiator: the most portable, flexible and configurable RADIUS
server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical,
extensible,
flexible with hardware, software, platform and database
independence.
-
CATool: Private Certificate Authority for Unix and Unix-like
systems.
</pre>
</blockquote>
</blockquote>
<pre wrap="">NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(<a class="moz-txt-link-abbreviated" href="http://www.open.com.au/archives/radiator">www.open.com.au/archives/radiator</a>)?
Have you had a quick look on Google (<a class="moz-txt-link-abbreviated" href="http://www.google.com">www.google.com</a>)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
<a class="moz-txt-link-freetext" href="http://www.open.com.au/wiki/index.php/Main_Page">http://www.open.com.au/wiki/index.php/Main_Page</a>
--
Radiator: the most portable, flexible and configurable RADIUS
server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical,
extensible,
flexible with hardware, software, platform and database
independence. -
CATool: Private Certificate Authority for Unix and Unix-like
systems.
</pre>
</blockquote>
<pre wrap="">_______________________________________________
radiator mailing list
<a class="moz-txt-link-abbreviated" href="mailto:radiator@open.com.au">radiator@open.com.au</a>
<a class="moz-txt-link-freetext" href="http://www.open.com.au/mailman/listinfo/radiator">http://www.open.com.au/mailman/listinfo/radiator</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
radiator mailing list
<a class="moz-txt-link-abbreviated" href="mailto:radiator@open.com.au">radiator@open.com.au</a>
<a class="moz-txt-link-freetext" href="http://www.open.com.au/mailman/listinfo/radiator">http://www.open.com.au/mailman/listinfo/radiator</a>
</pre>
</blockquote>
<pre wrap="">--
Mike McCauley <a class="moz-txt-link-abbreviated" href="mailto:mikem@open.com.au">mikem@open.com.au</a>
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
<a class="moz-txt-link-freetext" href="http://www.open.com.au">http://www.open.com.au</a> Phone +61 7 5598-7474
Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
</pre>
</blockquote>
<pre wrap="">_______________________________________________
radiator mailing list
<a class="moz-txt-link-abbreviated" href="mailto:radiator@open.com.au">radiator@open.com.au</a>
<a class="moz-txt-link-freetext" href="http://www.open.com.au/mailman/listinfo/radiator">http://www.open.com.au/mailman/listinfo/radiator</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">--
Mike McCauley <a class="moz-txt-link-abbreviated" href="mailto:mikem@open.com.au">mikem@open.com.au</a>
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
<a class="moz-txt-link-freetext" href="http://www.open.com.au">http://www.open.com.au</a>
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
</body>
</html>
<p>--------------------------------------------------------------------------- <br>
Op deze e-mail zijn de volgende voorwaarden van toepassing: <br>
The following conditions apply to this e-mail: <br>
<a href="http://emaildisclaimer.avans.nl">http://emaildisclaimer.avans.nl</a><br>
--------------------------------------------------------------------------- </p>