[tac_plus] Full AAA logging / supported configuration

Sean spedersen.lists at gmail.com
Thu Sep 15 15:42:32 UTC 2016


Sure, I have that turned off. Definitely. However, it goes back to my original point: if someone has root access to the system running tac_plus they can bounce the daemon and add `-d 256` without issue. I might give someone else on my team root access on these servers so they can administer them, but that doesn’t mean I want them to know their co-worker’s credentials, which are kept on a separate system. That’s assuming the least possibly damaging scenario. Clear text passwords should not show up anywhere: logs, debugging, etc.

(Obviously doesn’t account for the key(s) used or if someone leaves plain-text passwords for users defined in tac_plus.conf.)

I like the idea of “official” logging options rather than relying on debugging to get them.

On 9/14/16, 4:46 PM, "heasley" <heas at shrubbery.net> wrote:

    Tue, Sep 13, 2016 at 06:22:10AM -0700, Sean:
    > So the logging occurs once it’s been decrypted. Is there a way to always ensure sensitive data that can be logged during debug, such as the password of the end-user, is encrypted? Or at least omitted?
    
    don't use the debugging option? :)  Really, a better solution is probably to
    add an option that logs authentication success/failure, rather than enabling
    debugging or altering the debugging to operate differently.
    
    I have about 4 patches from various people that I need to review.  I'll look
    at such an option along with those...which honestly have been on my todo
    list for much too long.
    
    > I don’t like the idea that someone else with sudo / root can sniff someone else’s passwords in clear text. ☹
    > 
    > On 9/12/16, 4:41 PM, "heasley" <heas at shrubbery.net> wrote:
    > 
    >     Mon, Sep 12, 2016 at 03:03:49PM -0700, Sean:
    >     > Then I misspoke. I thought the key was used for authentication; I didn’t realize it was also being used to encrypt the packets.
    >     > 
    >     > I’ve got a key configured and in use, but the password(s) were still being logged via `-d 256` in cleartext in /var/log/tac_plus.log when it was running with that level of debugging enabled.
    >     
    >     only data on the wire is encrypted