[tac_plus] tac_plus Logging Security concerns

'John Heasley' heas at shrubbery.net
Wed Nov 19 05:48:26 UTC 2014


Fri, Oct 24, 2014 at 06:55:14AM +0200, Josten, Michael:
> Hello,
> 
> I think I found the problem. I didn't create the /etc/default file and the daemon always started in debugging mode.

Hello. That file is not part of tac_plus.

> At least in my world this makes sense ;) but what about the secret being shown in the logfile? Is that a usual behavior?

It is intended, if debugging is enabled, which is not the default. It is a
facet of debugging, to know what is actually passed from the device.

> Thanks for your help so far.
> 
> Best regards
> Michael Josten
> 
> -----Original Message-----
> From: John Heasley [mailto:heas at shrubbery.net]
> Sent: Thursday, 23 October 2014 19:14
> To: Josten, Michael
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus Logging Security concerns
> 
> Thu, Oct 23, 2014 at 07:57:12AM -0700, John Heasley:
> > On Oct 23, 2014, at 2:55 AM, Josten, Michael <Michael.Josten at hs-niederrhein.de> wrote:
> > > 
> > > Hello,
> > > 
> > > I am worried about user input being logged to my tac_plus logfile. I
> > > recently compiled version F4.0.4.27a under debian 7.6 to implement
> > > PAM functionality. Everything is working well so far, but I took a
> > > very close look into my /var/log/tacacs/tacacs file after my
> > > colleague informed me about him being able to read his password in
> > > cleartext in the logging file. I did further troubleshooting on
> > > various switch models like HP procurves, Brocade icx, fcx and mlx
> > > switches and even stone-old Enterasys N Series dinosaur switches with
> > > aaa accounting settings, encryption settings etc. turned off and on.
> > > I started the tac_plus daemon with several debugging levels and no
> > > debugging at all and can't get rid of the password being shown in
> > > the logs.
> > 
> > Greetings,
> > 
> > It should not log any of that information without enabling debugging. Before trying to disable this logging, did you have any debug options on the command-line?
> > 
> > I can test this when I have a terminal in a few hours. 
> 
> I do not see this logging occurring by default, that is without -d options, on debian 7.7.  Please ensure that you are not using -d (debug) options.
> 
> > > Even the secret is shown in cleartext. I posted a failed authentication part of the logfile on pastebin.
> > > http://pastebin.com/sffJkFJc   just search for the term "bein"; that's the part I am talking about.
> > > 
> > > Best regards
> > > Michael Josten
> > > IT Operations Staff
> > > Hochschule Niederrhein
> > > KIS - Kommunikations und Informationssysteme Service
> > > Niederrhein University of Applied Sciences
> > > Communication and Information Systems Service
> > > Reinarzstr. 49, D-47805 Krefeld
> > > Phone: +49 2151 822 3129
> > > Fax: +49 2151 822 853123
> > > Email: michael.josten at hs-niederrhein.de
> > > www.hs-niederrhein.de
> > > 
> > > _______________________________________________
> > > tac_plus mailing list
> > > tac_plus at shrubbery.net
> > > http://www.shrubbery.net/mailman/listinfo/tac_plus
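The two things John asks for above are that tac_plus not be started with -d options, and (implicitly) that a log which may contain whatever the device sent stays private. The script below is an added example written for this thread, not code from the tac_plus project or from either poster. It assumes that tac_plus selects debug logging with the -d option as the thread states, that `ps -eo args=` prints full command lines, and that `ls -ld` prints a mode string such as -rw------- in its first column; the program paths and the log file name passed to it are examples.

```shell
#!/bin/sh
# Added example (not tac_plus project code): check whether a running tac_plus
# was started with -d, and whether its log file is readable by group/others.
# Assumes -d selects debug logging, `ps -eo args=` lists full command lines,
# and `ls -ld` prints a mode string like -rw------- in its first column.

# tac_plus_debug_enabled COMMAND_LINE
# Returns 0 if the command line carries a -d option ("-d 16" or "-d16"),
# 1 otherwise. argv[0] is skipped so a binary path containing "-d" is ignored.
tac_plus_debug_enabled() {
  # shellcheck disable=SC2086
  set -- $1                        # split the command line into words
  if [ $# -gt 0 ]; then shift; fi  # drop the program name
  while [ $# -gt 0 ]; do
    case "$1" in
      -d*) return 0 ;;             # -d, -d16
      --)  break ;;                # end of options
    esac
    shift
  done
  return 1
}

# log_is_private FILE
# Returns 0 if FILE has no group or other permission bits (mode 600 or
# stricter), 1 otherwise or if FILE is missing. Characters 5-10 of the
# ls mode string are the group and other rwx triples.
log_is_private() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10) || return 1
  [ "$mode" = "------" ]
}

# audit_tac_plus [LOGFILE...]
# Reports tac_plus instances running with -d, then checks each log file.
audit_tac_plus() {
  ps -eo args= 2>/dev/null | grep -E '(^|/)tac_plus( |$)' | while read -r cmd; do
    if tac_plus_debug_enabled "$cmd"; then
      echo "WARNING: tac_plus running with debug logging: $cmd"
    else
      echo "ok: no -d option: $cmd"
    fi
  done
  for f in "$@"; do
    if log_is_private "$f"; then
      echo "ok: $f is not readable by group or others"
    else
      echo "WARNING: $f is readable by group or others (or missing)"
    fi
  done
}

# Usage (example path from the thread): sh tacplus_audit.sh --audit /var/log/tacacs/tacacs
if [ "${1:-}" = "--audit" ]; then
  shift
  audit_tac_plus "$@"
fi
```

The process check only answers the question asked on the list (is -d present?); it does not parse the values of other options, so an option argument that itself starts with "-d" would be a false positive. The permission check is a reasonable default for a log that, with debugging on, can contain the shared secret and user passwords exactly as the device sent them.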

