[tac_plus] Issue: Incomplete passwords being accepted

Brandon Ewing nicotine at warningg.com
Mon Mar 2 19:45:47 UTC 2015


On Mon, Mar 02, 2015 at 10:17:19AM -0800, Matt Almgren wrote:
> Alan, can you suggest a solution for this behavior (don't want to call it
> a problem, as it seems to be a feature.)
> 
> SSH logins to our TACACS server don't seem to have this problem, so I
> assume TACACS is calling this library some place during authentication
> process?
> 
> Thanks, Matt
> 

tac_plus is calling your system's crypt() function to compare the submitted
password to the stored, correct hash, if you're storing them in your config
file.  It uses the salt format of the stored hash to determine what hashing 
algorithm was utilized to compute it.  See the man(3) page for crypt for 
more information.

Long story short, if you store DES hashes in your config, it's an issue.
MD5 (hash starting with $1$) hashes are what I use in production today, but
newer systems probably also have access to SHA-256 and SHA-512 in their
crypt() implementation.

-- 
Brandon Ewing                                     (nicotine at warningg.com)
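The reason a DES-style hash "accepts incomplete passwords" is that traditional crypt(3) DES only folds the first 8 characters of the password into the key, so any password sharing those 8 characters verifies. The audit script below is an added example written for this page; it is not tac_plus code and was not posted in the thread. It assumes the shrubbery tac_plus config syntax `login = des <hash>` / `pap = des <hash>` (where the `des` keyword means "crypt(3)-style hash, algorithm chosen by the salt prefix", exactly as described above), classifies each stored hash by its prefix, and flags the 13-character DES form. The sample config and hashes are constructed placeholders. The optional truncation demo uses Python's `crypt` module, which is deprecated since 3.11, removed in 3.13, and may have DES compiled out of the underlying libcrypt; it returns None rather than failing when it cannot run.

```python
"""Audit a tac_plus config for crypt(3) hashes that truncate the password.

Added example, not tac_plus code.  Assumptions: the `login = des <hash>` and
`pap = des <hash>` directives of shrubbery tac_plus, where `des` really means
"crypt(3)-style hash of whatever algorithm the salt prefix selects".
"""
import re

try:
    import crypt  # deprecated in 3.11, removed in 3.13; DES may be absent in libcrypt
except ImportError:  # pragma: no cover
    crypt = None

# Salt prefix -> (algorithm name, number of password chars actually used,
# or None when the whole password is significant).
PREFIXES = {
    "$1$": ("md5crypt", None),
    "$5$": ("sha256crypt", None),
    "$6$": ("sha512crypt", None),
    "$2a$": ("bcrypt", 72),   # bcrypt caps input at 72 bytes
    "$2b$": ("bcrypt", 72),
    "$2y$": ("bcrypt", 72),
    "$y$": ("yescrypt", None),
}
# Traditional DES: 2-char salt + 11-char digest, all from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# tac_plus directives whose argument is a crypt(3)-style hash (assumed syntax).
HASH_LINE_RE = re.compile(r"^\s*(login|pap)\s*=\s*des\s+(\S+)")


def classify_hash(stored):
    """Return (algorithm, max_significant_chars) for a crypt(3) hash string."""
    for prefix, (name, limit) in PREFIXES.items():
        if stored.startswith(prefix):
            return name, limit
    if DES_RE.match(stored):
        return "descrypt", 8          # only the first 8 password chars matter
    return "unknown", None


def audit_config(text):
    """Return one finding per hash-bearing directive in a tac_plus config."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HASH_LINE_RE.match(line)
        if not m:
            continue
        algo, limit = classify_hash(m.group(2))
        findings.append({
            "line": lineno,
            "directive": m.group(1),
            "hash": m.group(2),
            "algorithm": algo,
            "limit": limit,
            "truncates": limit is not None and limit <= 8,
        })
    return findings


def des_accepts_prefix(password, prefix_len=8):
    """Demonstrate the truncation live: hash the full password with DES crypt,
    then verify only its first `prefix_len` characters against that hash.
    Returns True when the prefix is accepted, None if DES crypt is unavailable."""
    if crypt is None or len(password) <= prefix_len:
        return None
    try:
        stored = crypt.crypt(password, "ab")  # two-char salt selects classic DES
    except (OSError, ValueError):
        return None
    if not stored or len(stored) != 13:       # libxcrypt returns "*0" when DES is disabled
        return None
    # crypt() reads the salt out of the stored hash, so this is how tac_plus compares.
    return crypt.crypt(password[:prefix_len], stored) == stored


# Constructed sample config; the hashes are format-only placeholders, not real digests.
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
user = alice {
    login = des abC4fKx1jQ9pT
    pap = des abC4fKx1jQ9pT
}
user = bob {
    login = des $1$Zq8vX2yT$aB3dE5fG7hI9jK1lM2nO4p
}
user = carol {
    login = des $6$rounds=5000$Tq9xLm2v$aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW1xY3zA5bC7dE9fG
}
user = dave {
    login = cleartext hunter2
}
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        flag = "TRUNCATES at %d chars" % f["limit"] if f["truncates"] else "ok"
        print("line %2d %-5s %-12s %s" % (f["line"], f["directive"], f["algorithm"], flag))
    print("DES accepts 8-char prefix of a longer password:",
          des_accepts_prefix("correcthorsebattery"))
```

Run it against a real config (`audit_config(open("/etc/tac_plus.conf").read())`) and re-hash every `descrypt` entry as `$6$` (or at least `$1$`, as the reply above does) before assuming that a rejected partial password means the full one was required.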