Penetration Testing mailing list archives

Re: Penetration Test: TACACS


From: Pawel Krawczyk <kravietz () aba krakow pl>
Date: Sat, 23 Jun 2001 10:22:45 +0200

On Thu, Jun 21, 2001 at 03:01:29PM -0700, Alan Olsen wrote:

> This is a bad thing.  Passwords should never be kept in clear text.
> The tacacs+ install I maintained a while back used the /etc/passwd file as
> a reference.
> They need to fix their configuration of tacacs. (Or move to a more current
> implementation.)

For some authentication methods you can't store passwords as a hash,
especially for challenge-response protocols like CHAP. This is often
the case for NAS servers and you have a choice of using PAP, which sends
the password in cleartext over the serial line, or CHAP, which OTOH requires
you to store cleartext passwords on the authentication server.

This of course doesn't apply to administrative passwords to the network
equipment if they are expected to accept users over the local network with
simple login/password authentication. With Cisco's freeware tac_plus server
you had a wide choice of authentication and password storage methods,
starting from simple plaintext, through passwd lookup, to locally stored
hashes.

In installations I administered some time ago we used system passwords
from passwd and the PAP protocol, while the main argument was that it is much
easier to compromise the server with shell accounts on it than to sniff
a modem conversation.
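
The PAP/CHAP storage trade-off described in the message above, as an added example that is not part of the original post: the CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge), so a server holding only a one-way hash cannot recompute it. The function names are hypothetical, the sample password is constructed, and PBKDF2 is an assumed stand-in for a passwd-style hash.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def hash_password(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for whatever one-way hash passwd uses.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(stored_hash: bytes, salt: bytes, received_password: bytes) -> bool:
    # PAP delivers the password itself, so the server can hash it and compare.
    # The cost: the password crosses the link in cleartext.
    candidate = hash_password(received_password, salt)
    return hmac.compare_digest(stored_hash, candidate)


def chap_verify(stored_secret: bytes, ident: int,
                challenge: bytes, response: bytes) -> bool:
    # CHAP never sends the password; the server must recompute the MD5
    # over the secret, which it can only do if it holds the secret itself.
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    salt = bytes(16)                             # fixed salt, demo only
    stored_hash = hash_password(password, salt)  # what a passwd lookup holds

    ident, challenge = 7, os.urandom(16)         # server-chosen per attempt
    response = chap_response(ident, password, challenge)  # client side

    return {
        "pap_with_hash": pap_verify(stored_hash, salt, password),
        "chap_with_cleartext": chap_verify(password, ident, challenge, response),
        # A hash-only store feeds the wrong bytes into the MD5 and always fails.
        "chap_with_hash_only": chap_verify(stored_hash, ident, challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```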

