At 11:21 23/12/97 -0800, Coaxial Karma wrote:
>I recently discovered that when an ISP was using XTACACS server from
>Vikas Aggarwal (vikasat_private) in a standalone mode, it was possible to
>make the XTACACS server crash by sending it different type of ICMP
>messages.

Nasty, but...

This reinforces the recommendation in Vikas' documentation that xtacacsd be run out of inetd in persistent mode and not in standalone mode.

Having login/logout control die will at best generate a flurry of support calls plus mess up time-based accounting or at worst, cost an ISP customers.

Thankfully Tacacs based clients usually default to "no response = no access", so it only really becomes a security issue if a bogus tacacs server can be installed on the network _and_ the tacacs servers are configured to look at it. (Discounting forged udp tacacs responses).

AB