MarcJHuber/event-driven-servers

empty key not working

BitEater opened this issue · 2 comments

Hi Marc,

I inherited a lot of switches and routers without a tacacs key, and
the tac_plus software should be updated to the current version.

The installed tac_plus server (Version 202104181633/DES) works with empty key = ""

The current (just cloned and compiled,
Version "b5d4dada8a326f3e3a02690ad3cbd9fa67a0882b") does not.

When setting key in the config and on the device, everything seems to work.

The manual https://www.pro-bono-publico.de/projects/pdf/tac_plus.pdf states:

"The daemon will reject connections from hosts that have no encryption key defined."
but also
"During debugging, it may be convenient to temporarily switch off encryption by using an empty key:"

So I think it should also function with an empty key.

In the syslog, I find the following messages (for key = ""):

2023-06-11T13:46:53.723240+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 New session

2023-06-11T13:46:53.728074+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 ---<start packet>---
2023-06-11T13:46:53.728176+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 key used:
2023-06-11T13:46:53.728291+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 version: 192, type: 1, seq no: 1, flags: encrypted
2023-06-11T13:46:53.728369+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 session id: ddd34512, data length: 26
2023-06-11T13:46:53.728462+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 Packet malformed, skipping detailed dump.
2023-06-11T13:46:53.728538+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 ---<end packet>---

2023-06-11T13:46:53.728612+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 Error 192.168.33.253 (null): Illegal packet (version=0xc0 type=0x01)
2023-06-11T13:46:53.728686+00:00 vulcan tac_plus[9813]: 192.168.33.253 Error 192.168.33.253 (null): Illegal packet (version=0xc0 type=0x01)
2023-06-11T13:46:53.728773+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 Writing AUTHEN/ERROR size=57

2023-06-11T13:46:53.728873+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 ---<start packet>---
2023-06-11T13:46:53.728943+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 key used:
2023-06-11T13:46:53.729011+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 version: 192, type: 1, seq no: 2, flags: unencrypted
2023-06-11T13:46:53.729085+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 session id: ddd34512, data length: 45
2023-06-11T13:46:53.729158+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 AUTHEN, status=7 (AUTHEN/ERROR) flags=0x0
2023-06-11T13:46:53.729272+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 msg_len=39, data_len=0
2023-06-11T13:46:53.729330+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 msg (len: 39): Illegal packet (version=0xc0 type=0x01)
2023-06-11T13:46:53.729382+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 data (len: 0):
2023-06-11T13:46:53.729444+00:00 vulcan tac_plus[9813]: 2/1245d3dd: 192.168.33.253 ---<end packet>---

2023-06-11T13:46:58.721693+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 New session

2023-06-11T13:46:58.721838+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 ---<start packet>---
2023-06-11T13:46:58.721902+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 key used:
2023-06-11T13:46:58.721968+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 version: 192, type: 2, seq no: 1, flags: encrypted
2023-06-11T13:46:58.722025+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 session id: 7d18c6db, data length: 47
2023-06-11T13:46:58.722083+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 Packet malformed, skipping detailed dump.
2023-06-11T13:46:58.722147+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 ---<end packet>---

2023-06-11T13:46:58.722205+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 Writing AUTHOR/ERROR size=57

2023-06-11T13:46:58.722262+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 ---<start packet>---
2023-06-11T13:46:58.722308+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 key used:
2023-06-11T13:46:58.722354+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 version: 192, type: 2, seq no: 2, flags: unencrypted
2023-06-11T13:46:58.722411+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 session id: 7d18c6db, data length: 45
2023-06-11T13:46:58.722474+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 AUTHOR/REPLY, status=17 (AUTHOR/ERROR)
2023-06-11T13:46:58.722555+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 msg_len=39, data_len=0, arg_cnt=0
2023-06-11T13:46:58.722620+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 msg (len: 39): Illegal packet (version=0xc0 type=0x02)
2023-06-11T13:46:58.722674+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 data (len: 0):
2023-06-11T13:46:58.722743+00:00 vulcan tac_plus[9813]: 3/dbc6187d: 192.168.33.253 ---<end packet>---

When using key = cisco, all shown packets have "flags: unencrypted".
Shouldn't they all be encrypted, since I am using a key?

2023-06-12T15:44:17.899457+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 New session

2023-06-12T15:44:17.904615+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 ---<start packet>---
2023-06-12T15:44:17.904738+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 key used: cisco
2023-06-12T15:44:17.904828+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 version: 192, type: 1, seq no: 1, flags: unencrypted
2023-06-12T15:44:17.904915+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 session id: 084e4b8d, data length: 26
2023-06-12T15:44:17.904995+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 AUTHEN/START, priv_lvl=1
2023-06-12T15:44:17.905081+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 action=login (1)
2023-06-12T15:44:17.905164+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 authen_type=ascii (1)
2023-06-12T15:44:17.905229+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 service=login (1)
2023-06-12T15:44:17.905285+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 user_len=0 port_len=5 rem_addr_len=13
2023-06-12T15:44:17.905340+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 data_len=0
2023-06-12T15:44:17.905410+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 user (len: 0):
2023-06-12T15:44:17.905478+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 port (len: 5): tty10
2023-06-12T15:44:17.905534+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 rem_addr (len: 13): 192.168.33.99
2023-06-12T15:44:17.905603+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 ---<end packet>---

2023-06-12T15:44:17.905667+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 authen: hdr->seq_no: 1
2023-06-12T15:44:17.905735+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 Writing AUTHEN/GETUSER size=55

2023-06-12T15:44:17.905937+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 ---<start packet>---
2023-06-12T15:44:17.906051+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 key used: cisco
2023-06-12T15:44:17.906159+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 version: 192, type: 1, seq no: 2, flags: unencrypted
2023-06-12T15:44:17.906286+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 session id: 084e4b8d, data length: 43
2023-06-12T15:44:17.906399+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 AUTHEN, status=4 (AUTHEN/GETUSER) flags=0x0
2023-06-12T15:44:17.906511+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 msg_len=37, data_len=0
2023-06-12T15:44:17.906623+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 msg (len: 37): \nUser Access Verification\n\nUsername:
2023-06-12T15:44:17.906753+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 data (len: 0):
2023-06-12T15:44:17.906875+00:00 vulcan tac_plus[9852]: 6/8d4b4e08: 192.168.33.253 ---<end packet>---

[...]

Device here is a Cisco router with IOS 15.9(3)M5.

What is going wrong?

Thanks for looking at this.

Hi,

tac_plus doesn't perform encryption/decryption on zero-length keys, so key = "" should still be an option. RFC8907 sets the key (or "shared secret") to mandatory, but I think I've only implemented that for tac_plus-ng.

The packet dump is triggered after decryption -- in your first example (no key defined) the router did send encrypted packets that the daemon couldn't decrypt, so the "unencrypted" flag was left as-is. In your second example (key "cisco") decryption did succeed and the flag was set.

Cheers,

Marc
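As an added illustration of the behaviour Marc describes (example code, not part of tac_plus or this issue), here is a minimal RFC 8907 packet codec: the 0x01 "unencrypted" header flag, the MD5 pseudo-pad body obfuscation, and the rule that a zero-length key means no transform at all. The session id, field lengths and port/rem_addr values are taken from the dumps above; the START body itself is constructed, and the two-sided decode shows why a keyed router and a keyless daemon end up with a garbled body.

```python
import hashlib
import struct

# RFC 8907 packet header: version, type, seq_no, flags, session_id, length (12 bytes).
HDR = struct.Struct("!BBBBII")
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def transform_body(header, body, key):
    """XOR the body with the pad (symmetric); zero-length key means no transform, as in the thread."""
    if not key:
        return body
    version, _, seq_no, _, session_id, _ = HDR.unpack(header)
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    """Sender side: version 0xc0 header, body obfuscated unless the key is empty."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = HDR.pack(0xC0, ptype, seq_no, flags, session_id, len(body))
    return header + transform_body(header, body, key)

def decode_packet(packet, key):
    """Receiver side: parse the header, recover the body with the locally configured key."""
    header, body = packet[:HDR.size], packet[HDR.size:]
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(header)
    if length != len(body):
        raise ValueError("header length does not match body")
    unencrypted = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)   # flag as received, pre-transform
    clear = body if unencrypted else transform_body(header, body, key)
    return {"version": version, "type": ptype, "seq_no": seq_no, "length": length,
            "session_id": f"{session_id:08x}", "flag_unencrypted": unencrypted, "body": clear}

# Constructed AUTHEN/START body with the field lengths seen in the second dump
# (user_len=0, port_len=5, rem_addr_len=13, data_len=0 -> 26 bytes of body).
START_BODY = bytes([1, 1, 1, 1, 0, 5, 13, 0]) + b"tty10" + b"192.168.33.99"

def demo():
    """One START packet sent with key 'cisco', decoded with a matching and with an empty key."""
    pkt = build_packet(1, 1, 0xDDD34512, START_BODY, b"cisco")
    matched = decode_packet(pkt, b"cisco")   # keys agree: cleartext body recovered
    mismatched = decode_packet(pkt, b"")     # no key configured: body stays obfuscated
    return matched, mismatched
```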

Closing this after 5 days.