[tac_plus] md5 and tac_plus

Mitch Raful (ITaaS) mitch.raful at dimensiondata.com
Wed Mar 15 14:30:38 UTC 2017


From this code it looks like they only obfuscate the number of bytes of the tacacs body that is the size of an md5 digest, ignoring any bytes at the end whose total length is not equal to an md5 digest.

Modulo has to == 0

    for (i=0; i<length; i++) {
        j = i % MD5_LBLOCK;



    void _tac_crypt(u_char *buf, const HDR *th) {
        unsigned i, j, length = ntohl(th->datalength);

        /* null operation if no encryption requested */
        if((tac_secret != NULL) && (th->encryption & TAC_PLUS_UNENCRYPTED_FLAG) != TAC_PLUS_UNENCRYPTED_FLAG) {
            u_char digest[MD5_LBLOCK];

            for (i=0; i<length; i++) {
                j = i % MD5_LBLOCK;

                /* At the beginning of every block (16 bytes, i.e. the size
                 * of an MD5 digest), generate a new pad to XOR against.
                 * For the 2nd and all successive blocks, we prime it with
                 * the previous digest.
                 */
                if (j == 0)
                    _tac_md5_pad(th, digest, ((i > 0) ? digest : NULL));

                buf[i] ^= digest[j];
            }
        } else {
            TACSYSLOG(LOG_WARNING, "%s: using no TACACS+ encryption", __FUNCTION__);
        }
    } /* _tac_crypt */


Mitch Raful
Sr. Network Engineer
Dimension Data Cloud Business Unit
43490 Yukon Drive
Ashburn, VA 21047
Office: 703-724-8862
Cell:     804-363-0731


From: tac_plus <tac_plus-bounces at shrubbery.net> on behalf of Alan McKinnon <alan.mckinnon at gmail.com>
Date: Wednesday, March 15, 2017 at 5:18 AM
To: "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Subject: Re: [tac_plus] md5 and tac_plus



On 15/03/2017 00:22, Mitch Raful (ITaaS) wrote:
> I cannot find a Python based tacacs client. I am attempting to write one on my own and can't figure out the md5 data obfuscation. How does tac_plus handle that? Does it XOR an md5 hash, and add that hash to the session_id + key, version and sequence, and then again if needed?


Not quite, but you are on the right track.

There are 2 sources I can think of to find the correct details:

- There's an unapproved RFC out there from Cisco that despite never
moving out of draft status, is still the way the tacacs protocol works.
Usage of the key is in there.

- Read the tacacsplus code. I recall reading it once and the relevant
function was easy to find. Don't have a copy of sources handy to look for
you though.

--
Alan McKinnon
alan.mckinnon at gmail.com

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus
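The body obfuscation the thread is asking about is a keystream, not a cipher: the client and server each derive MD5 pads from the header fields plus the shared secret and XOR them over the body, so the same routine both obfuscates and reveals. The following is an added, self-contained Python sketch of that routine, written for this page; it is not code from the tac_plus or libtacplus projects and not from either poster. It follows the pad construction in the Cisco TACACS+ draft (later published as RFC 8907, section 4.5): pad_1 = MD5(session_id || key || version || seq_no), and each later pad is MD5 of the same prefix with the previous pad appended. Like the quoted `_tac_crypt` loop, it applies a pad byte to every body byte, including a trailing partial block. The function names, the shared secret, the session id and the sample body are all constructed for the example.

```python
import hashlib
import struct

# Protocol constants from the TACACS+ draft / RFC 8907.
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body is carried in the clear
HDR_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HDR_LEN = struct.calcsize(HDR_FMT)  # 12 bytes


def md5_pad_stream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Return `length` bytes of pseudo-pad.

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    The pads are concatenated and truncated to `length`, so a trailing
    partial block simply uses the leading bytes of the last pad.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    stream = bytearray()
    prev = b""
    while len(stream) < length:
        prev = hashlib.md5(prefix + prev).digest()
        stream += prev
    return bytes(stream[:length])


def tac_crypt(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body against the pseudo-pad. XOR is its own inverse, so this
    both obfuscates an outgoing body and recovers an incoming one."""
    pad = md5_pad_stream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(version, ptype, seq_no, flags, session_id, body, key=None):
    """Assemble header + body, obfuscating the body unless the caller has
    no secret or has set the unencrypted flag (mirrors the C null-operation branch)."""
    if key is not None and not (flags & TAC_PLUS_UNENCRYPTED_FLAG):
        body = tac_crypt(body, session_id, key, version, seq_no)
    header = struct.pack(HDR_FMT, version, ptype, seq_no, flags, session_id, len(body))
    return header + body


def open_packet(packet: bytes, key=None):
    """Parse a packet and return ((version, type, seq_no, flags, session_id), body)
    with the body de-obfuscated when a secret is supplied and the flag is clear."""
    if len(packet) < HDR_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    body = packet[HDR_LEN:HDR_LEN + length]
    if len(body) != length:
        raise ValueError("body truncated: header says %d bytes, got %d" % (length, len(body)))
    if key is not None and not (flags & TAC_PLUS_UNENCRYPTED_FLAG):
        body = tac_crypt(body, session_id, key, version, seq_no)
    return (version, ptype, seq_no, flags, session_id), body


if __name__ == "__main__":
    # Constructed sample values; not taken from any real device or session.
    key = b"constructed-shared-secret"
    session_id = 0x12345678
    version = 0xC0           # major version 0xC, minor 0
    body = bytes(range(37))  # two full 16-byte MD5 blocks plus a 5-byte tail
    wire = build_packet(version, 0x01, 1, 0x00, session_id, body, key)  # 0x01 = authentication
    print(wire.hex())
    hdr, clear = open_packet(wire, key)
    assert clear == body
```

Because every pad is a deterministic function of header fields that travel in the clear plus the shared secret, the secret is the only thing standing between an observer and the body; that is why the draft and RFC 8907 treat this as obfuscation rather than encryption and expect the transport itself to be protected.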


