This is a bad thing. Passwords should never be kept in clear text. The tacacs+ install I maintained a while back used the /etc/passwd file as a reference. They need to fix their configuration of tacacs. (Or move to a more current implementation.)

On Thu, 21 Jun 2001 padrinoat_private wrote:

> Greetings...
>
> Recently while performing a penetration test of a large client
> I was able to gain access to the Solaris server that runs the
> Cisco Tacacs Authentication Server...
>
> After perusing the system for a while I realized that the Java/JDBC
> client program for administering the TACACS Database
> read a config file that had the DB username/password in clear
> text. Using a little experience with PERL ODBC I connected to
> the Database server and grabbed the data from tables:
> cs_user_profile, cs_password, cs_privilege. My client
> used Clear as the password type.
>
> Is this normal? Seems to me like one of the core things you
> try to protect on a WAN are Router passwords... Should Tacacs
> allow you to store in password inside the database in cleartext?
>
> Don't know if this is something big or if I've merely had too much
> coffee... Someone please let me know if I've been smoking too much
> caffeine!
>
> Thanks in advance,
> el padrino
>
> liquidmatrix.Org [ til i get my own website ]
>
> Free, encrypted, secure Web-based email at www.hushmail.com

alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
"All power is derived from the barrel of a gnu." - Mao Tse Stallman
This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 14:32:34 PDT