[tac_plus] Full AAA logging / supported configuration

Alan McKinnon alan.mckinnon at gmail.com
Tue Sep 13 22:23:55 UTC 2016


On 13/09/2016 15:22, Sean wrote:
> So the logging occurs once it’s been decrypted. Is there a way to always ensure sensitive data that can be logged during debug, such as the password of the end-user, is encrypted? Or at least omitted?
>
> I don’t like the idea that someone else with sudo / root can sniff someone else’s passwords in clear text. ☹

What's the point? If the user is root, they can make any user's password 
be anything they want it to be.

Rule #1: the root user can always get around any security measure you 
put in place. Mostly because for root there ARE no security measures in 
place.

Why are you letting untrusted persons have root access anyway? Apart 
from generally being a bad idea, it also unticks all the check boxes so 
beloved of auditors.


>
> On 9/12/16, 4:41 PM, "heasley" <heas at shrubbery.net> wrote:
>
>     Mon, Sep 12, 2016 at 03:03:49PM -0700, Sean:
>     > Then I misspoke. I thought the key was used for authentication; I didn’t realize it was also being used to encrypt the packets.
>     >
>     > I’ve got a key configured and in use, but the password(s) were still being logged via `-d 256` in cleartext in /var/log/tac_plus.log when it was running with that level of debugging enabled.
>
>     only data on the wire is encrypted
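The point in the quoted exchange, that the shared key only protects packets on the wire while the daemon must recover the plaintext before it can process or log it, can be shown with the TACACS+ body obfuscation from RFC 8907 section 4.5. This is an added example, not code from tac_plus; the session id, key, password and body layout are constructed stand-ins.

```python
import hashlib


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad from RFC 8907 section 4.5: an MD5 chain over session_id, key,
    version and seq_no, truncated to the body length. Only the key is secret."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()  # MD5_n feeds MD5_(n-1) back in
        pad += prev
    return pad[:length]


def tacacs_xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate a body for the wire, or recover it; XOR with the pad is symmetric."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def redact_for_log(body: bytes) -> bytes:
    """Mask the password field of the constructed body before a debug line is written."""
    head, sep, rest = body.partition(b"pass=")
    if not sep:
        return body
    tail = rest[rest.index(b";"):] if b";" in rest else b""
    return head + sep + b"***" + tail


# Constructed values for the demonstration (not real credentials or a real session)
SESSION_ID = 0x1234ABCD
VERSION = 0xC0          # TACACS+ major version 0xc, minor version 0
SEQ_NO = 1              # first packet of the session (client -> server)
KEY = b"constructed-shared-key"
PASSWORD = b"hunter2-not-a-real-password"
BODY = b"user=alice;pass=" + PASSWORD + b";port=tty0"   # stand-in for an authentication START body


def demo(server_key: bytes = KEY) -> dict:
    """Client obfuscates with KEY; the daemon recovers the body with server_key."""
    on_wire = tacacs_xor_body(BODY, SESSION_ID, KEY, VERSION, SEQ_NO)
    decoded = tacacs_xor_body(on_wire, SESSION_ID, server_key, VERSION, SEQ_NO)
    return {"on_wire": on_wire, "decoded": decoded, "log_line": redact_for_log(decoded)}


if __name__ == "__main__":
    r = demo()
    print("password visible on wire:", PASSWORD in r["on_wire"])        # False
    print("password visible after decode:", PASSWORD in r["decoded"])   # True: what a debug log sees
    print("redacted debug line:", r["log_line"])
```

The redaction step marks where omission would have to happen: inside the daemon before the debug line is written, not in the log file afterwards.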