[tac_plus] Full AAA logging / supported configuration
Sean
spedersen.lists at gmail.com
Mon Sep 12 22:03:49 UTC 2016
Then I misspoke. I thought the key was used for authentication; I didn’t realize it was also being used to encrypt the packets.
I’ve got a key configured and in use, but the password(s) were still being logged via `-d 256` in cleartext in /var/log/tac_plus.log when it was running with that level of debugging enabled.
On 9/12/16, 2:01 PM, "heasley" <heas at shrubbery.net> wrote:
Mon, Sep 12, 2016 at 01:49:13PM -0700, Sean:
> Speaking of debugs, and a little off-topic, but earlier when I had `-d 256` enabled to look at the output, I noticed the passwords being transmitted and logged in clear text. I know TACACS+ itself is not encrypted, but logging the passwords in clear text via tac_plus debugs seems like a bad idea. Anyone with the necessary permissions, including other sysadmins, can see your TACACS+ password just by bouncing the daemon and restarting it with the right debug level.
tacacs can be encrypted if you configure it to be.
anyway, -d is for debugging. it can be useful to log the data as it is
received, esp for low level debugging.
> Not sure if that’s intentional or if there’s a better way to protect it other than file permissions.
>
> On 9/12/16, 1:16 PM, "heasley" <heas at shrubbery.net> wrote:
>
> Mon, Sep 12, 2016 at 01:09:57PM -0700, Sean:
> > It’s tac_plus, it’s just ancient. I believe it had something to do with MAVIS as well.
> >
> > The system(s) I’m running v4 on are using PAM instead of the MAVIS module.
> >
> > So more or less just enable the right debug levels and route to syslog, expecting to find things in auth.log, etc.? With accounting being the exception. If so, I will look into getting rsyslogd to route the data correctly.
>
> it only uses 1 facility, whichever you specify in the config. otherwise,
> yes. tacacs is fairly quiet; leaving the auth/auth-failure to the clients.
> I'd be willing to add an option for tacacs to log these itself, at least
> for authentication.
>
>
>
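The point heasley makes about the key (TACACS+ bodies are only hidden on the wire when a shared key is configured) and Sean's observation that the daemon's packet-level debug output still contains the password, as an added illustration in Python that is not part of this thread or of tac_plus itself: it implements the RFC 8907 section 4.5 body obfuscation (an MD5-derived pseudo-pad XORed over the body; the RFC deliberately calls this "obfuscation" rather than encryption) and walks an authentication CONTINUE packet, which carries the password for an ASCII login, through both the client and server sides. The session id, sequence number, key and password are constructed values, not a capture.

```python
"""TACACS+ body obfuscation (RFC 8907, section 4.5).

Added illustration, not tac_plus code: the shared key is the only thing that
hides packet bodies on the wire, and a daemon holding the key has the
plaintext body (password included) once it strips the pad, which is what a
packet-level debug dump writes to the log.
"""
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_MAJOR_VER = 0xc0          # version byte: major 0xc, minor 0
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pad = MD5_1 || MD5_2 || ... truncated to `length`, where
    MD5_1 = MD5(session_id || key || version || seq_no) and
    MD5_n = MD5(session_id || key || version || seq_no || MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def build_header(seq_no: int, flags: int, session_id: int, body_len: int) -> bytes:
    """12-byte TACACS+ header for an authentication packet."""
    return struct.pack(HEADER_FMT, TAC_PLUS_MAJOR_VER, TAC_PLUS_AUTHEN,
                       seq_no, flags, session_id, body_len)


def transform_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call obfuscates on send and de-obfuscates on receive. With the
    unencrypted flag set, or with no key at all, the body passes through
    untouched."""
    version, _ptype, seq_no, flags, session_id, _length = struct.unpack(HEADER_FMT, header)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG or not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_continue_body(user_msg: bytes, data: bytes = b"", flags: int = 0) -> bytes:
    """Authentication CONTINUE body (user_msg_len, data_len, flags, user_msg,
    data). For an ASCII login the password travels in user_msg."""
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data


def login_exchange(password: bytes, key: bytes, session_id: int = 0x1234ABCD) -> dict:
    """Client sends a CONTINUE carrying the password; the server strips the
    pad. Returns what each observer would see. Constructed values only."""
    body = authen_continue_body(password)
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = build_header(seq_no=3, flags=flags, session_id=session_id, body_len=len(body))
    on_wire = transform_body(header, body, key)        # what a network sniffer sees
    at_daemon = transform_body(header, on_wire, key)   # what the daemon, and its hex debug, sees
    return {
        "wire_has_password": password in on_wire,
        "daemon_has_password": password in at_daemon,
        "round_trip_ok": at_daemon == body,
    }


if __name__ == "__main__":
    pw = b"s3cr3t-pw"                                  # constructed sample password
    print("with key:   ", login_exchange(pw, b"constructed-shared-key"))
    print("without key:", login_exchange(pw, b""))
```

Run stand-alone it prints two dicts: with a key the password is absent from the wire bytes but present at the daemon; without a key it is present in both. That is the distinction in the thread: the key protects the packets in transit, but any debug level that dumps decoded packet contents writes the same plaintext the daemon had to recover to do its job, so the debug log needs the same protection as the key itself.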