[tac_plus] Issue: Incomplete passwords being accepted

Matt Almgren malmgren at skyfire.com
Mon Mar 2 19:15:00 UTC 2015


Ah yes, I see the problem now.  I have a static DES password in the
tac_plus.cfg file, versus other operations people who use the local system
for authentication.

I’ve had other users test this out and only I seem to be affected. :)

Thanks, Matt




On 3/2/15, 10:58 AM, "Krux" <krux at thcnet.net> wrote:

>If you use PAM for tacacs auth, then it ties back to however you
>have configured PAM for tacacs.  You can also reference a passwd file.
>perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
>
>On March 2, 2015 10:17:19 AM PST, Matt Almgren <malmgren at skyfire.com>
>wrote:
>>Alan, can you suggest a solution for this behavior (don't want to call
>>it a problem, as it seems to be a feature.)
>>
>>SSH logins to our TACACS server don't seem to have this problem, so I
>>assume TACACS is calling this library some place during authentication
>>process?
>>
>>Thanks, Matt
>>
>>
>>
>>
>>
>>On 2/28/15, 10:01 AM, "Alan McKinnon" <alan.mckinnon at gmail.com> wrote:
>>
>>>On Sat, 28 Feb 2015 08:29:42 -0800
>>>Matt Almgren <malmgren at skyfire.com> wrote:
>>>
>>>> I never noticed this before, but I see the same 8-character problem
>>>> with version F4.0.4.27a  and CentOS 6.4.
>>>
>>>
>>>You will see it on all versions of tac_plus on all distros. The
>>>password encryption is done in the crypt() system call which is where
>>>DES is implemented.
>>>
>>>It's not a bug it's a feature, it's just the way DES works. One more
>>>reason why you should not use DES for password hashing, superior types
>>>exist.
>>>
>>>Alan
>>>_______________________________________________
>>>tac_plus mailing list
>>>tac_plus at shrubbery.net
>>>http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>>
>>This message is being sent by Skyfire Labs, Inc.  It is intended
>>exclusively for the individuals and entities to which it is addressed.
>>This communication, including any attachments, may contain information
>>that is proprietary, privileged, confidential, or otherwise subject to
>>restrictions on disclosure pursuant to applicable law.  If you are not
>>the named addressee, you are not authorized to read, print, retain copy
>>or disseminate this message or any part of it.  If you have received
>>this message in error, please notify the sender immediately by email
>>and delete all copies of this message.  This message is protected by
>>applicable legal privileges and is confidential.
>
>


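An added example, not part of the original thread: one way to find which accounts in a tac_plus.cfg carry a static traditional-DES hash and are therefore subject to the 8-character behaviour discussed above. The function name, the sample users and the hash strings are constructed placeholders; the check assumes the `login = des <hash>` style of entry and treats any value beginning with `$` as a non-DES crypt() format.

```python
import re

# Constructed sample in tac_plus.cfg style; users and hashes are placeholders.
SAMPLE_CFG = """\
key = "placeholder-key"
user = alice {
    login = des Xy0placeholdr
    enable = des $6$saltsalt$placeholderhashvalue
}
user = bob {
    login = file /etc/passwd
}
user = carol {
    login = PAM
    pap = des aB3dE5gH7jK9m
}
# user = dave { login = des zzzzzzzzzzzzz }
"""

USER_RE = re.compile(r'\buser\s*=\s*(\S+)\s*\{')
DES_RE = re.compile(r'\b(login|enable|pap)\s*=\s*des\s+"?([^"\s}]+)"?')
# Traditional DES crypt(3) output: 2 salt characters + 11 hash characters.
# Assumption: values starting with '$' are other crypt() formats, not DES.
TRADITIONAL_DES = re.compile(r'^[./0-9A-Za-z]{13}$')


def find_truncating_entries(cfg_text):
    """Return (user, directive, line_no) for each static traditional-DES hash."""
    findings = []
    current_user = None
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.split('#', 1)[0]          # drop comments
        user = USER_RE.search(line)
        if user:
            current_user = user.group(1)
        entry = DES_RE.search(line)
        if entry and TRADITIONAL_DES.match(entry.group(2)):
            findings.append((current_user, entry.group(1), line_no))
        if '}' in line:                      # end of the user block
            current_user = None
    return findings


if __name__ == "__main__":
    for user, directive, line_no in find_truncating_entries(SAMPLE_CFG):
        print(f"line {line_no}: user {user}: '{directive} = des' uses a "
              "traditional DES hash (only the first 8 characters count)")
```

Accounts that authenticate through `login = file` or `login = PAM` are not reported, because their hash type is decided by the referenced passwd file or the PAM configuration rather than by tac_plus.cfg.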