[tac_plus] Full AAA logging / supported configuration
Alan McKinnon
alan.mckinnon at gmail.com
Tue Sep 13 22:23:55 UTC 2016
On 13/09/2016 15:22, Sean wrote:
> So the logging occurs once it’s been decrypted. Is there a way to always ensure sensitive data that can be logged during debug, such as the password of the end-user, is encrypted? Or at least omitted?
>
> I don’t like the idea that someone else with sudo / root can sniff someone else’s passwords in clear text. ☹
What's the point? If the user is root, they can make any user's password
be anything they want it to be
Rule #1: the root user can always get around any security measure you
put in place. Mostly because for root their ARE no security measures in
place.
Why are you letting untrusted persons have root access anyway? Apart
from generally being a bad idea, it also unticks all the check boxes so
beloved of auditors.
>
> On 9/12/16, 4:41 PM, "heasley" <heas at shrubbery.net> wrote:
>
> Mon, Sep 12, 2016 at 03:03:49PM -0700, Sean:
> > Then I misspoke. I thought the key was used for authentication; I didn’t realize it was also being used to encrypt the packets.
> >
> > I’ve got a key configured and in use, but the password(s) were still being logged via `-d 256` in cleartext in /var/log/tac_plus.log when it was running with that level of debugging enabled.
>
> only data on the wire in encrupted
>
>
>
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
More information about the tac_plus
mailing list