[28452] in North American Network Operators' Group


Re: ABOVE.NET SECURITY TRUTHS?

daemon@ATHENA.MIT.EDU (Philip Smith)
Sun Apr 30 19:56:29 2000

Message-Id: <4.2.2.20000501094235.00bceee0@lint.cisco.com>
Date: Mon, 01 May 2000 09:52:43 +1000
To: Hank Nussbacher <hank@att.net.il>
From: Philip Smith <pfs@cisco.com>
Cc: "Alec H. Peterson" <ahp@hilander.com>,
	Paul Froutan <pfroutan@rackspace.com>, rmeyer@mhsc.com,
	nanog@merit.edu
In-Reply-To: <390C44E4.1A25533@hilander.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


Hank,

As you pointed out to Barry Greene and myself previously, the "aaa 
accounting" command as below will log commands typed in at "enable" level. 
So, if you are changing the onboard router password, yes, you will see the 
new password in your accounting logs, in clear text.

However, I don't consider it good practice to keep any critical passwords 
on a router when an authentication mechanism such as TACACS+ is in place.

Also, if I were modifying the onboard enable secret (last resort password 
when TACACS+ or Radius is configured) at any stage, I'd tftp-load the 
configuration from a remote server, not ever type it in live.

We will explain this more clearly in the relevant section in the next 
version of IOS Essentials. Thanks for all the feedback!

philip
--

At 08:36 30/04/00 -0600, Alec H. Peterson wrote:

>Hank Nussbacher wrote:
> >
> > TACACS encryption won't help if you follow the Cisco Essential IOS Features
> > (v 2.82 - Feb 18, 2000).  On page 45 they discuss router command auditing
> > and recommend:
> >
> > aaa accounting command 15 start-stop tacacs+
> >
> > Unfortunately, this will log in your syslog the password commands in
> > cleartext.  You would have to be sure that the Unix/NT system you are
> > logging all Cisco commands to is as secure as your router.  How many of you
> > run ISS/Cybercop/Netrecon scans every week on your logging servers to be
> > sure they are secure?
>
>Hrm, that's odd, since I was using TACACS+ accounting a while ago (that
>exact command actually) and it never logged any passwords that I entered...
>
>Alec
>
>--
>Alec H. Peterson - ahp@hilander.com
>Staff Scientist
>CenterGate Research Group - http://www.centergate.com
>"Technology so advanced, even _we_ don't understand it!"
>

--------------------------------------------------------
Philip Smith                         ph: +61 7 3238 8200
Consulting Engineering, Office of the CTO, Cisco Systems
-------------------------------------------------------- 
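Added example, not part of the thread and not code from Cisco or from IOS Essentials: a redaction filter for the TACACS+ command-accounting stream. What the accounting configuration Hank quotes records is the command line as typed, so the exposure is the argument of configuration commands such as "enable secret <pw>" or "username <u> secret <pw>", not the password typed at the enable prompt. Philip's advice (no critical passwords on the box, load the config from a server rather than typing it) removes the leak at the source; the script below is defence in depth on the logging host, masking the credential argument before the record is stored or forwarded to syslog. The tab-separated record layout (modelled on the tac_plus daemon), the sample credentials and the list of commands treated as secret-bearing are assumptions made for the example.

```python
import re

# Constructed sample of TACACS+ command-accounting records in the tab-separated
# layout the tac_plus daemon writes (assumption: field order and the trailing
# "<cr>" follow that daemon; adjust for your own server).  Credentials are made up.
SAMPLE_LOG = (
    "Mon May  1 09:52:43 2000\t192.0.2.1\tadmin\ttty2\t198.51.100.7\tstop\t"
    "task_id=41\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Mon May  1 09:53:10 2000\t192.0.2.1\tadmin\ttty2\t198.51.100.7\tstop\t"
    "task_id=42\tservice=shell\tpriv-lvl=15\tcmd=enable secret hunter2 <cr>\n"
    "Mon May  1 09:53:40 2000\t192.0.2.1\tadmin\ttty2\t198.51.100.7\tstop\t"
    "task_id=43\tservice=shell\tpriv-lvl=15\tcmd=username ops privilege 15 secret s3cret <cr>\n"
    "Mon May  1 09:54:02 2000\t192.0.2.1\tadmin\ttty2\t198.51.100.7\tstop\t"
    "task_id=44\tservice=shell\tpriv-lvl=15\tcmd=tacacs-server key Kz9pq <cr>\n"
)

REDACTED = "<redacted>"

# IOS configuration commands whose trailing argument is a credential.  Each
# pattern captures the part worth keeping (keyword plus an optional encryption
# type digit such as "enable secret 5"); everything after it, including the
# "<cr>" marker, is replaced.  Order matters: the username form is tried
# before the bare line-level "password" form.  Extend this list for your site.
SECRET_PATTERNS = [
    re.compile(r"^(enable (?:secret|password)(?: \d)?) .+$"),
    re.compile(r"^(username \S+ .*?(?:secret|password)(?: \d)?) .+$"),
    re.compile(r"^((?:tacacs-server|radius-server) (?:host \S+ .*?)?key(?: \d)?) .+$"),
    re.compile(r"^(snmp-server community) .+$"),
    re.compile(r"^(password(?: \d)?) .+$"),
]


def redact_command(cmd):
    """Return (command, redacted?) with any credential argument masked."""
    for pattern in SECRET_PATTERNS:
        m = pattern.match(cmd)
        if m:
            return m.group(1) + " " + REDACTED, True
    return cmd, False


def redact_record(line):
    """Mask the credential in one accounting record; other fields are untouched."""
    fields = line.rstrip("\n").split("\t")
    hit = False
    for i, field in enumerate(fields):
        if field.startswith("cmd="):
            cmd, hit = redact_command(field[len("cmd="):])
            fields[i] = "cmd=" + cmd
    return "\t".join(fields), hit


def redact_log(text):
    """Redact every record in an accounting log; return (clean_lines, hit_count)."""
    out, hits = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        clean, hit = redact_record(line)
        out.append(clean)
        hits += int(hit)
    return out, hits


if __name__ == "__main__":
    lines, hits = redact_log(SAMPLE_LOG)
    print("\n".join(lines))
    print("records redacted:", hits)
```

Run it in front of whatever ships the accounting file to syslog (or as a filter on the collector), not on the router. The patterns are anchored at the start of the command so an operator typing "show running-config" is left alone, while the greedy tail swallows everything after the keyword, so an encryption-type digit is kept but the hash or cleartext that follows it is not.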
