[tac_plus] Full AAA logging / supported configuration

Sean spedersen.lists at gmail.com
Mon Sep 12 20:49:13 UTC 2016


I have `-d 8 -d 16` running which by default log to /var/log/tac_plus.log; that works for me! I just needed the output of who is logging into what and where on top of the accounting information in /var/log/tac_plus.acct.

Speaking of debugs, and a little off-topic, but earlier when I had `-d 256` enabled to look at the output, I noticed the passwords being transmitted and logged in clear text. I know TACACS+ itself is not encrypted, but logging the passwords in clear text via tac_plus debugs seems like a bad idea. Anyone with the necessary permissions, including other sysadmins, can see your TACACS+ password just by bouncing the daemon and restarting it with the right debug level.

Not sure if that’s intentional or if there’s a better way to protect it other than file permissions.

On 9/12/16, 1:16 PM, "heasley" <heas at shrubbery.net> wrote:

    Mon, Sep 12, 2016 at 01:09:57PM -0700, Sean:
    > It’s tac_plus, it’s just ancient. I believe it had something to do with MAVIS as well.
    > 
    > The system(s) I’m running v4 on are using PAM instead of the MAVIS module.
    > 
    > So more or less just enable the right debug levels and route to syslog, expecting to find things in auth.log, etc.? With accounting being the exception. If so, I will look into getting rsyslogd to route the data correctly.
    
    it only uses 1 facility, whichever you specify in the config.  otherwise,
    yes.  tacacs is fairly quiet; leaving the auth/auth-failure to the clients.
    I'd be willing to add an option for tacacs to log these itself, at least
    for authentication.
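Since the mitigation Sean mentions is file permissions, the following is an added audit helper, not code from the thread or from tac_plus itself. It parses the `-d` flags a tac_plus daemon was started with, reports whether the debug level the poster observed writing passwords to the log (256) is active, and checks that the debug log is not group- or world-readable. It assumes that repeated `-d` values combine as a bitmask and that the log path is the `/var/log/tac_plus.log` default named in the thread; the sample command line and temporary log file are constructed for the demonstration.

```python
"""Audit helper for the cleartext-password concern raised in the thread.

Added example, not part of tac_plus: it checks the debug level a daemon was
started with and who can read the debug log file.
"""
import os
import shlex
import stat
import tempfile

# Debug level the poster observed writing passwords in clear text.
PASSWORD_DEBUG_BIT = 256
# Default debug log location as stated in the thread.
DEFAULT_DEBUG_LOG = "/var/log/tac_plus.log"


def debug_level(cmdline: str) -> int:
    """OR together every ``-d N`` (or ``-dN``) on a tac_plus command line.

    The thread shows ``-d 8 -d 16``; combining the values as a bitmask is an
    assumption of this example, not a statement about tac_plus internals.
    """
    argv = shlex.split(cmdline)
    level = 0
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):
            level |= int(argv[i + 1])
            i += 2
        elif arg.startswith("-d") and arg[2:].isdigit():
            level |= int(arg[2:])
            i += 1
        else:
            i += 1
    return level


def logs_passwords(cmdline: str) -> bool:
    """True when the debug bit the poster saw leaking passwords is enabled."""
    return bool(debug_level(cmdline) & PASSWORD_DEBUG_BIT)


def mode_findings(mode: int) -> list:
    """Describe who besides the owner can read a file with this st_mode."""
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def audit(cmdline: str, log_path: str = DEFAULT_DEBUG_LOG) -> list:
    """Return human-readable findings for a daemon command line and its log."""
    findings = []
    level = debug_level(cmdline)
    if level & PASSWORD_DEBUG_BIT:
        findings.append(
            f"debug level {level} includes {PASSWORD_DEBUG_BIT}: "
            "passwords will be written to the debug log in clear text"
        )
    try:
        mode = os.stat(log_path).st_mode
    except FileNotFoundError:
        findings.append(f"{log_path}: not found")
        return findings
    findings.extend(f"{log_path}: {f}" for f in mode_findings(mode))
    return findings


if __name__ == "__main__":
    # Constructed sample: a world-readable log and the flags from the thread
    # plus the password-logging level.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        sample_log = tmp.name
    os.chmod(sample_log, 0o644)
    for line in audit("tac_plus -C /etc/tac_plus.conf -d 8 -d 16 -d 256", sample_log):
        print(line)
    os.unlink(sample_log)
```

Run it against the real daemon's command line (for example from `ps`) and the real log path; an empty result means the password-logging level is off and only the owner can read the log.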
    




