On Thu, Jun 21, 2001 at 03:01:29PM -0700, Alan Olsen wrote:
> This is a bad thing. Passwords should never be kept in clear text.
>
> The tacacs+ install I maintained a while back used the /etc/passwd file as
> a reference.
>
> They need to fix their configuration of tacacs. (Or move to a more current
> implementation.)

For some authentication methods you can't store passwords as a hash, especially for challenge-response protocols like CHAP. This is often the case for NAS servers, and you have a choice of using PAP, which sends the password in cleartext over the serial line, or CHAP, which OTOH requires you to store cleartext passwords on the authentication server. This of course doesn't apply for administrative passwords to the network equipment if they are expected to accept users over the local network with simple login/password authentication.

With Cisco's freeware tac_plus server you had a wide choice of authentication and password storage methods, starting from simple plaintext, through passwd lookup, to locally stored hashes. In installations I administered some time ago we used system passwords from passwd and the PAP protocol, while the main argument was that it is much easier to compromise the server with shell accounts on it than to sniff a modem conversation.
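The PAP/CHAP storage trade-off described in the message above, as an added example that is not part of the original post or of tac_plus. The CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge); PBKDF2-SHA256 stands in for a passwd-style one-way hash as an assumption, and all function names and the sample password are constructed.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for whatever one-way hash the server stores.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def pap_verify(sent_password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    # PAP delivers the password itself, so the server can hash it and compare.
    return hmac.compare_digest(hash_password(sent_password, salt), stored_hash)

def chap_verify(identifier: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    # CHAP: the server must recompute the response from the shared secret,
    # so whatever it has stored is used directly as that secret.
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    salt = os.urandom(16)
    stored_hash = hash_password(password, salt)

    identifier, challenge = 1, os.urandom(16)
    # The dial-in peer knows the real password and answers the challenge.
    response = chap_response(identifier, password, challenge)

    return {
        # Hash-only store works with PAP (password crosses the line in clear).
        "pap_with_hash_store": pap_verify(password, salt, stored_hash),
        # CHAP works only when the server holds the cleartext secret.
        "chap_with_cleartext_store":
            chap_verify(identifier, challenge, response, password),
        # A one-way hash cannot reproduce the peer's response.
        "chap_with_hash_store":
            chap_verify(identifier, challenge, response, stored_hash),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```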
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 20:31:52 PDT