[tac_plus] Suggestion/feature-idea/whatever

Michael Reynolds michael.reynolds at gmail.com
Sat Nov 22 09:45:21 UTC 2008


How about the ability to store passwords in a more secure format, such
as SHA1/2 or salted MD5? You can theoretically bastardize crypt() for
BF and SHA assuming your system supports it, but you're SOL otherwise.
That is, unless you toss in some strncmp's and custom crypt functions
before crypt(). I ask for this because cracking DES isn't a matter of
years or months. It's a matter of hours.


Another idea I had is context based command control. For example, what
if an admin wants a user to be able to modify 'ip access-list extended
bob' only to block based on source IP, but not modify any other access
list, nor add/remove other filters in bob? It would require
authorization and accounting to keep track of sessions and context,
but not impossible. An example:

context = "configuration terminal" {
 default = deny
 context = "ip access-list-extended 4" {
   default = deny
   cmd = deny {
     permit "^ip host [0-9.]+ any$"
     deny .*
   }
   end ^exit$
   # makes the exit command permitted, and causes it to end the context
 }
 end ^exit$
 # makes the exit command permitted, and causes it to end the context
}

The only problem I can see, however, is when they issue a ctrl-z to
exit the context instead of the exit command. Without rewriting the
entire config system in a lex format (i.e. bison), it'd be a PITA for
someone like myself to add this in.
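An added example (not code from the post or from tac_plus) of how the nested-context authorization sketched above could be evaluated: a context stack that permits the entry and exit commands, applies per-command argument regexes inside the innermost context, and treats ctrl-z (or "end") as unwinding every context at once, which is the case the "end ^exit$" rule alone cannot cover. The policy structure, the IOS command spellings and the outside-any-context default are assumptions for the illustration.

```python
import re

# Constructed policy in the shape of the post's proposal (hypothetical format, not tac_plus syntax).
# A context is entered by a command matching "enter" and left by one matching "end";
# "cmds" maps a command word to ordered (action, argument-regex) rules.
ACL_CONTEXT = {
    "enter": r"^ip access-list extended 4$", "end": r"^exit$", "default": "deny",
    "cmds": {"deny": [("permit", r"^ip host [0-9.]+ any$"), ("deny", r".*")]},
    "children": [],
}
CONFIG_CONTEXT = {
    "enter": r"^configure terminal$", "end": r"^exit$", "default": "deny",
    "cmds": {}, "children": [ACL_CONTEXT],
}
CTRL_Z = "\x1a"  # the keystroke IOS uses to leave all configuration modes at once


class ContextAuthorizer:
    """Tracks where the session is in the nested contexts and answers permit/deny per command."""

    def __init__(self, top_level, outside_default="deny"):
        self.top_level = top_level            # contexts reachable from the exec prompt
        self.outside_default = outside_default  # assumed answer for commands outside any context
        self.stack = []                       # contexts currently entered, innermost last

    def authorize(self, line):
        line = line.strip(" \t\r\n")          # keep \x1a intact so ctrl-z is recognised
        current = self.stack[-1] if self.stack else None
        # ctrl-z or "end" drops out of every context, not just the innermost one
        if current and line in (CTRL_Z, "end"):
            self.stack.clear()
            return "permit"
        # entering a child context is permitted and pushes it on the stack
        for child in (current["children"] if current else self.top_level):
            if re.match(child["enter"], line):
                self.stack.append(child)
                return "permit"
        if current is None:
            return self.outside_default
        # the context's own end command pops it
        if re.match(current["end"], line):
            self.stack.pop()
            return "permit"
        # otherwise match the command word's argument rules in order, then the context default
        cmd, _, args = line.partition(" ")
        for action, pattern in current["cmds"].get(cmd, []):
            if re.match(pattern, args):
                return action
        return current["default"]
```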

