[tac_plus] cmd=connect

John Fraizer john at op-sec.us
Tue Apr 14 16:48:09 UTC 2015


I just figured out what you're seeing.

lab1-c2#en
lab1-c2#somepassword
Translating "somepassword"

% Bad IP address or host name
Translating "somepassword"
% Unknown command or computer name, or unable to find computer address
lab1-c2#


Produces this:

Apr 14 16:42:42 10.244.165.35 jfraizer tty1 192.168.56.1 start task_id=5
timezone=UTC service=shell
Apr 14 16:42:44 10.244.165.35 jfraizer tty1 192.168.56.1 stop task_id=5
timezone=UTC service=shell priv-lvl=0 cmd=enable <cr>
Apr 14 16:42:47 10.244.165.35 jfraizer tty1 192.168.56.1 stop task_id=6
timezone=UTC service=shell priv-lvl=1 cmd=connect somepassword <cr>


Here is the situation:  I've got my tac_plus (plus do_auth) configured to
give priv-lvl=15 on login.  So, me typing enable is NOT necessary for me to
get into enable mode.  I'm ALREADY there.  When I do so, it just drops me
back to a prompt (NOT a password prompt).  When the next thing I send is
"somepassword", the Cisco translates this to "connect somepassword".

I would venture to guess that you're giving priv-lvl=15 on login and that
you've got users who don't realize they're already enabled or that you've
got some script running that is hard coded to blindly send commands vs.
examining its current prompt to determine its priv-lvl.



--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
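
As an added illustration (not part of this thread and not tac_plus's own code): a small Python scrubber run over constructed records in the layout quoted above. It redacts the argument of a "cmd=connect <arg>" stop record when it immediately follows a "cmd=enable" stop for the same NAS, user and port, which is the echoed-enable-password pattern described in this message. The 10-second window and the use of task_id in the report are assumptions.

```python
"""Flag and redact tac_plus accounting records where an enable password was
echoed back as 'cmd=connect <password>' (user already at priv-lvl 15 types
'enable', gets a plain prompt, then types the password, which IOS treats as
'connect <password>')."""
import re
from datetime import datetime

# Constructed sample, one record per line, in the layout of the records quoted
# in this thread (the password value is made up).
SAMPLE_LOG = """\
Apr 14 16:42:42 10.244.165.35 jfraizer tty1 192.168.56.1 start task_id=5 timezone=UTC service=shell
Apr 14 16:42:44 10.244.165.35 jfraizer tty1 192.168.56.1 stop task_id=5 timezone=UTC service=shell priv-lvl=0 cmd=enable <cr>
Apr 14 16:42:47 10.244.165.35 jfraizer tty1 192.168.56.1 stop task_id=6 timezone=UTC service=shell priv-lvl=1 cmd=connect somepassword <cr>
Apr 14 16:50:01 10.244.165.35 jfraizer tty1 192.168.56.1 stop task_id=7 timezone=UTC service=shell priv-lvl=15 cmd=connect 192.0.2.10 <cr>
"""

# timestamp, NAS address, user, port, remote address, start/stop, AV pairs
RECORD = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<nas>\S+) (?P<user>\S+) "
    r"(?P<port>\S+) (?P<rem>\S+) (?P<type>\S+) (?P<avs>.*)$"
)

def command_of(avs):
    """Split 'cmd=connect somepassword <cr>' into ('connect', 'somepassword')."""
    m = re.search(r"cmd=(\S+)(.*)$", avs)
    if not m:
        return None, None
    args = m.group(2).strip()
    if args.endswith("<cr>"):
        args = args[:-4].strip()
    return m.group(1), args

def scrub(text, window_s=10):
    """Return (clean_lines, findings). A 'connect' stop record that follows an
    'enable' stop from the same NAS/user/port within window_s seconds is
    treated as an echoed password: its argument becomes <redacted>."""
    last_enable, clean, findings = {}, [], []
    for line in text.splitlines():
        m = RECORD.match(line)
        rec = m.groupdict() if m else None
        if rec is None or rec["type"] != "stop":
            clean.append(line)          # start records and junk pass through
            continue
        key = (rec["nas"], rec["user"], rec["port"])
        when = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        cmd, args = command_of(rec["avs"])
        if cmd == "enable":
            last_enable[key] = when
        elif cmd == "connect" and args and key in last_enable \
                and (when - last_enable[key]).total_seconds() <= window_s:
            line = line.replace("cmd=connect " + args, "cmd=connect <redacted>")
            task = re.search(r"task_id=\d+", rec["avs"])
            findings.append((rec["user"], rec["nas"], task.group(0) if task else "?"))
            last_enable.pop(key)        # only the very next command is suspect
        clean.append(line)
    return clean, findings
```

A legitimate "connect <host>" typed within the window right after "enable" would also be redacted, so treat the findings list as a review queue rather than proof of a leaked credential.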



On Tue, Apr 14, 2015 at 9:41 AM, John Fraizer <john at op-sec.us> wrote:

> Provide the entire accounting record rather than a description of it and
> we'll be able to help you more.  But, that is not what tac_plus would show
> when a user goes into enable.
>
> This is what it shows from an Arista:
>
> Apr 14 16:33:36 10.244.165.35 jfraizer ssh 192.168.56.1 stop task_id=21
> service=shell priv-lvl=1 start_time=1429029214 timezone=UTC cmd=enable
> <cr>
>
> And here is what it shows from a Cisco CSR1000v:
>
> Apr 14 16:34:43 10.244.165.36 jfraizer tty1 192.168.56.1 stop task_id=3
> timezone=UTC service=shell priv-lvl=1 cmd=enable <cr>
>
>
>
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Tue, Apr 14, 2015 at 9:28 AM, Munroe Sollog <mus3 at lehigh.edu> wrote:
>
>> I'm using tac_plus as an audit history for all users, and I'm noticing
>> that the accounting log is
>> logging:
>>
>> cmd=connect <enable password> <cr>
>>
>> I believe it is whenever someone types in 'enable' <cr> '<enable
>> password>'
>>
>> Does this make sense, and if so any advice on how to get tac_plus to not
>> save the password in the
>> audit log?
>>
>> for reference:
>> $ tac_plus -v
>> tac_plus version F4.0.4.27a
>> ACLS
>> FIONBIO
>> LIBWRAP
>> LINUX
>> LITTLE_ENDIAN
>> LOG_DAEMON
>> PAM
>> NO_PWAGE
>> REAPCHILD
>> RETSIGTYPE RETSIGTYPE
>> SHADOW_PASSWORDS
>> SIGTSTP
>> SIGTTIN
>> SIGTTOU
>> SO_REUSEADDR
>> STRERROR
>> TAC_PLUS_PORT
>> UENABLE
>> __STDC__
>>
>>
>>
>> Thanks.
>>
>> - --
>> Munroe Sollog
>> LTS - Network Analyst
>> x85002
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>
>

