The tac_plus daemon from Shrubbery Networks has a debug mode built in by default. It is meant for debugging the communication between the NAS and the TACACS+ server. By default tac_plus writes its debug output to syslog, but it is also possible to run the daemon in the foreground and watch the debug messages as they happen, without tailing the syslog and grepping for the relevant lines. This is my preferred debug mode. Below is a list of the debug values tac_plus accepts with -d. The value is a bitmask, so several classes can be enabled at once by adding their values (for example 8 + 32 = 40 for authorization and password file processing).
Value Meaning
8 authorization debugging
16 authentication debugging
32 password file processing debugging
64 accounting debugging
128 config file parsing & lookup
256 packet transmission/reception
512 encryption/decryption
1024 MD5 hash algorithm debugging
2048 very low level encryption/decryption
The example below shows a password file processing debug session (value 32). The password in tac_plus.cfg is stored as a crypt(3)-style SHA-512 hash ($6$ prefix) with a random salt. The "des" keyword in the login directive only means that tac_plus hands the stored string and the submitted password to the system crypt(3) and compares the result, so any hash scheme the local libc supports works, not just DES. The username is testuser and the password is cisco. Note that at this debug level the password the user typed is printed in cleartext (see the "verify" and "encrypts to" lines below), and because debug output goes to syslog by default, running a production tac_plus with -d 32 writes every submitted password into the system log.
File tac_plus.cfg:
key = cisco
group = netadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
user = testuser {
    member = netadmin
    login = des $6$uwzsv9l.ctQXZ31r$QKioQ57M1AoGYjhHQSlk3jvfQ3GYA3JPB8pINz5FwmcB8Mq//Qt03mq26luU5Atg3MLbCysbXrN8KQU3SxH0N.
}
Here is what is displayed during the debug session, as seen on the tac_plus server:
tc@box:~$ sc_debug_tacplus.sh 32
Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
uid=0 euid=0 gid=0 egid=0 s=153057128
connect from 10.0.0.17 [10.0.0.17]
verify cisco $6$uwzsv9l.ctQXZ31r$QKioQ57M1AoGYjhHQSlk3jvfQ3GYA3JPB8pINz5FwmcB8Mq//Qt03mq26luU5Atg3MLbCysbXrN8KQU3SxH0N.
cisco encrypts to $6$uwzsv9l.ctQXZ31r$QKioQ57M1AoGYjhHQSlk3jvfQ3GYA3JPB8pINz5FwmcB8Mq//Qt03mq26luU5Atg3MLbCysbXrN8KQU3SxH0N.
Password is correct
Password has not expired <no expiry date set>
login query for 'testuser' port tty0 from 10.0.0.17 accepted
The tac_plus daemon was started with a small shell script that takes the debug value as its only argument, here 32, the password file processing debug option. Here is the script:
#!/bin/sh
# Usage: sc_debug_tacplus.sh <debug-level>  (-G -t: stay in the foreground and show debug output on the terminal)
[ -n "$1" ] || { echo "usage: $0 <debug-level>" >&2; exit 1; }
sudo tac_plus -G -t -d "$1" -C ~/tac_plus.cfg -B 10.255.254.2
This is running on Tiny Core Linux in a GNS3 appliance, and I had been wondering whether it already has SHA-512, but this works without any problems. So there is no need to use DES-encrypted hashes.
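Two practical checks that follow from the session above, as an added example (my own Python, not code from tac_plus or from the original post): decoding a -d value into the debug classes it turns on and warning when 32 is among them, and scrubbing the two level-32 lines that carry the submitted password in cleartext before a debug capture is shared or forwarded to a log collector. The flag table is the one listed above; the sample input is the debug session shown in the post, re-used here as embedded test data; the regular expressions are my assumption about the shape of those lines, written against the output format shown.

```python
from __future__ import annotations

import re

# tac_plus -d values from the table in the post. The level is a bitmask, so values add.
DEBUG_FLAGS = {
    8: "authorization",
    16: "authentication",
    32: "password file processing",
    64: "accounting",
    128: "config file parsing & lookup",
    256: "packet transmission/reception",
    512: "encryption/decryption",
    1024: "MD5 hash algorithm",
    2048: "very low level encryption/decryption",
}
PASSWD_FLAG = 32  # the class whose output contains submitted passwords in cleartext


def decode_debug_level(level: int) -> list[str]:
    """Names of the debug classes enabled by a -d value, e.g. 40 -> authorization + password."""
    return [name for bit, name in DEBUG_FLAGS.items() if level & bit]


def logs_cleartext_passwords(level: int) -> bool:
    """True when this -d value will print every submitted password (to syslog by default)."""
    return bool(level & PASSWD_FLAG)


# The two level-32 lines that carry the user's password in cleartext, as seen in the post:
#   "verify <password> <stored hash>"  and  "<password> encrypts to <computed hash>"
# The password is matched greedily so one containing spaces is still caught; the hash is
# the final whitespace-free token starting with '$'. (Assumed line shapes, from the post.)
VERIFY_RE = re.compile(r"^verify (.+) (\$\S+)$")
ENCRYPTS_RE = re.compile(r"^(.+) encrypts to (\$\S+)$")
LOGIN_RE = re.compile(r"^login query for '([^']*)' port (\S+) from (\S+) (\w+)$")


def redact_line(line: str) -> tuple[str, str | None]:
    """Return the line with any cleartext password replaced, plus the password that was found."""
    m = VERIFY_RE.match(line)
    if m:
        return f"verify [REDACTED] {m.group(2)}", m.group(1)
    m = ENCRYPTS_RE.match(line)
    if m:
        return f"[REDACTED] encrypts to {m.group(2)}", m.group(1)
    return line, None


def scrub_debug_output(lines: list[str]) -> tuple[list[str], set[str]]:
    """Redact a whole debug session; return (clean lines, set of passwords that leaked)."""
    clean, leaked = [], set()
    for line in lines:
        out, secret = redact_line(line)
        clean.append(out)
        if secret is not None:
            leaked.add(secret)
    return clean, leaked


def parse_login_result(line: str) -> dict | None:
    """Pull user, port, source address and verdict out of a 'login query' line, or None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return {"user": m.group(1), "port": m.group(2), "from": m.group(3), "result": m.group(4)}


# Debug session from the post (tac_plus started with -d 32), embedded here as sample input.
SAMPLE_SESSION = [
    "Reading config",
    "Version F4.0.4.28 Initialized 1",
    "tac_plus server F4.0.4.28 starting",
    "socket FD 4 AF 2",
    "uid=0 euid=0 gid=0 egid=0 s=153057128",
    "connect from 10.0.0.17 [10.0.0.17]",
    "verify cisco $6$uwzsv9l.ctQXZ31r$QKioQ57M1AoGYjhHQSlk3jvfQ3GYA3JPB8pINz5FwmcB8Mq//Qt03mq26luU5Atg3MLbCysbXrN8KQU3SxH0N.",
    "cisco encrypts to $6$uwzsv9l.ctQXZ31r$QKioQ57M1AoGYjhHQSlk3jvfQ3GYA3JPB8pINz5FwmcB8Mq//Qt03mq26luU5Atg3MLbCysbXrN8KQU3SxH0N.",
    "Password is correct",
    "Password has not expired <no expiry date set>",
    "login query for 'testuser' port tty0 from 10.0.0.17 accepted",
]

if __name__ == "__main__":
    level = 32
    print(f"-d {level} enables: {decode_debug_level(level)}")
    if logs_cleartext_passwords(level):
        print("WARNING: this level writes submitted passwords in cleartext to the debug log")
    clean, leaked = scrub_debug_output(SAMPLE_SESSION)
    print("\n".join(clean))
    print("passwords that appeared in cleartext:", leaked)
    print(parse_login_result(SAMPLE_SESSION[-1]))
```

Run it as a filter over a captured foreground session before pasting the output anywhere; the set of leaked passwords it returns is the list of credentials to consider exposed if that capture, or the syslog it came from, has already left the box.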