Penetration Testing mailing list archives
Re: Penetration Test: TACACS
From: Pawel Krawczyk <kravietz () aba krakow pl>
Date: Sat, 23 Jun 2001 10:22:45 +0200
On Thu, Jun 21, 2001 at 03:01:29PM -0700, Alan Olsen wrote:
This is a bad thing. Passwords should never be kept in clear text. The tacacs+ install I maintained a while back used the /etc/passwd file as a reference. They need to fix their configuration of tacacs. (Or move to a more current implemetation.)
For some authentication methods you can't store passwords as a hash, especially for challenge-response protocols like CHAP. This is often the case for NAS servers and you have choice of using PAP, which sends the password in cleartext over serial line, or CHAP, which OTOH requires you to store cleartext passwords on the authentication server. This if course doesn't apply for administrative passwords to the network equipment if they are expected to accept users over local network with simple login/password authentication. With Cisco's freeware tac_plus server you had a wide choice of authenticaion and password storage methods, starting from simple plaintext, through passwd lookup, to locally stored hashes. In installations I administered some time ago we used system passwords from passwd and PAP protocol, while the main argument was that it much easier to compromise the server with shell accounts on it than to sniff a modem conversation.
Current thread:
- Penetration Test: TACACS padrino (Jun 21)
- Re: Penetration Test: TACACS Alan Olsen (Jun 22)
- Re: Penetration Test: TACACS Rob J Meijer (Jun 24)
- Re: Penetration Test: TACACS Pawel Krawczyk (Jun 24)
- RE: Penetration Test: TACACS Andrew van der Stock (Jun 22)
- Re: Penetration Test: TACACS Alan Olsen (Jun 22)