[tac_plus] Issue: Incomplete passwords being accepted

heasley heas at shrubbery.net
Wed Mar 4 08:48:37 UTC 2015


Mon, Mar 02, 2015 at 01:45:47PM -0600, Brandon Ewing:
> On Mon, Mar 02, 2015 at 10:17:19AM -0800, Matt Almgren wrote:
> > Alan, can you suggest a solution for this behavior (don't want to call it
> > a problem, as it seems to be a feature.)
> > 
> > SSH logins to our TACACS server don't seem to have this problem, so I
> > assume TACACS is calling this library some place during authentication
> > process?
> > 
> > Thanks, Matt
> > 
> 
> tac_plus is calling your system's crypt() function to compare the submitted
> password to the stored, correct hash, if you're storing them in your config
> file.  It uses the salt format of the stored hash to determine what hashing 
> algorithm was utilized to compute it.  See the man(3) page for crypt for 
> more information.

exactly.  a user provided patch for SHA512 with tac_pwd is included here:
ftp://ftp.shrubbery.net/pub/tacacs/tacacs-F4.0.4.29a.tar.gz
it needs an autoconf check for SHA512 support, so if you do not have it
in your crypt(), don't use this alpha ball.
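
The salt-format dispatch described in the quoted reply, as an added example that is not part of the original message or of tac_plus: it names the scheme crypt() would select for each stored hash and flags traditional DES entries, for which crypt() uses only the first eight characters of the password. The `login = des <hash>` line syntax is an assumption, and the sample config, user names and hash strings are constructed placeholders.

```python
import re

# Salt prefixes documented in crypt(3)/crypt(5); what the local libc supports varies.
PREFIXES = [("$1$", "md5crypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
            ("$2y$", "bcrypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt")]
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")    # 2-char salt + 11-char hash
BSDI_RE = re.compile(r"^_[./0-9A-Za-z]{19}$")  # '_' + 4 count + 4 salt + 11 hash
USER_RE = re.compile(r"\buser\s*=\s*([^\s{]+)")
LOGIN_RE = re.compile(r"\blogin\s*=\s*des\s+(\S+)")  # assumed config syntax

def classify(stored):
    """Name the scheme crypt() would pick from the stored hash's salt format."""
    for prefix, name in PREFIXES:
        if stored.startswith(prefix):
            return name
    if DES_RE.match(stored):
        return "des"
    if BSDI_RE.match(stored):
        return "bsdi-des"
    return "unknown"

def audit(config_text):
    """Return (user, scheme, truncates_at_8) for each hashed login line."""
    findings, user = [], None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]           # drop comments
        m = USER_RE.search(line)
        if m:
            user = m.group(1)
        m = LOGIN_RE.search(line)
        if m:
            scheme = classify(m.group(1))
            findings.append((user, scheme, scheme == "des"))
    return findings

# Constructed sample: user names and hash strings are placeholders, not real hashes.
SAMPLE = "\n".join([
    "user = alice {", "    login = des ab0123456789A", "}",
    "user = bob {", "    login = des $6$examplesalt$" + "x" * 86, "}",
    "user = carol {", "    login = des $1$examples$" + "y" * 22, "}",
])

if __name__ == "__main__":
    for user, scheme, truncates in audit(SAMPLE):
        note = "only the first 8 password characters are checked" if truncates else "ok"
        print(f"{user}: {scheme} ({note})")
```
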


