[tac_plus] Issue: Incomplete passwords being accepted
heasley
heas at shrubbery.net
Wed Mar 4 08:48:37 UTC 2015
Mon, Mar 02, 2015 at 01:45:47PM -0600, Brandon Ewing:
> On Mon, Mar 02, 2015 at 10:17:19AM -0800, Matt Almgren wrote:
> > Alan, can you suggest a solution for this behavior (don¹t want to call it
> > a problem, as it seems to be a feature.)
> >
> > SSH logins to our TACACS server don¹t seem to have this problem, so I
> > assume TACACS is calling this library some place during authentication
> > process?
> >
> > Thanks, Matt
> >
>
> tac_plus is calling your system's crypt() function to compare the submitted
> password to the stored, correct hash, if you're storing them in your config
> file. It uses the salt format of the stored hash to determine what hashing
> algorithm was utilized to compute it. See the man(3) page for crypt for
> more information.
exactly. a user provided patch for SHA512 with tac_pwd is included here:
ftp://ftp.shrubbery.net/pub/tacacs/tacacs-F4.0.4.29a.tar.gz
it needs an autoconf check for SHA512 support, so if you do not have it
in your crypt(), dont use this alpha ball.
More information about the tac_plus
mailing list