Closed BitEater closed 1 year ago
Hi,
tac_plus doesn't perform encryption/decryption on zero-length keys, so key = "" should still be an option. RFC8907 sets the key (or "shared secret") to mandatory, but I think I've only implemented that for tac_plus-ng.
The packet dump is triggered after decryption -- in your first example (no key defined) the router did send encrypted packets that the daemon couldn't decrypt, so the "unencrypted" flag was left as-is. In your second example (key "cisco") decryption did succeed and the flag was set.
Cheers,
Marc
Closing this after 5 days.
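To make the explanation above concrete, here is an added example (not code from tac_plus or from Marc) that implements the RFC 8907 body obfuscation and models the daemon-side behaviour described: with a zero-length key nothing is de-obfuscated, and the "unencrypted" flag is only set once de-obfuscation with the configured key succeeds. The START body, session id and the length sanity check are constructed for the example.

```python
import hashlib
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag bit, RFC 8907 section 4.1

def pseudo_pad(session_id, key, version, seq_no, length):
    # RFC 8907 section 4.5: pad_1 = MD5(session_id, key, version, seq_no) and
    # pad_n = MD5(session_id, key, version, seq_no, pad_n-1), concatenated to the body length.
    base = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    # XOR is its own inverse, so one function both obfuscates and de-obfuscates.
    # A zero-length key skips the step entirely, as tac_plus does: the body passes through.
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def looks_like_authen_start(body):
    # Constructed length sanity check: an authentication START body is 8 fixed bytes followed
    # by the user, port, rem_addr and data fields whose lengths sit in bytes 4..7. Output from
    # a wrong key is effectively random and fails this, which is how "decryption failed" shows.
    return len(body) >= 8 and len(body) == 8 + sum(body[4:8])

def daemon_receive(flags, body, session_id, key, version=0xC0, seq_no=1):
    # Model of the behaviour Marc describes: de-obfuscate with the configured key and only on
    # success mark the in-memory packet unencrypted before it is dumped; a cleartext packet or
    # an empty daemon key means nothing is decrypted, and a failure leaves the flags as-is.
    if flags & TAC_PLUS_UNENCRYPTED_FLAG or not key:
        return flags, body
    plain = obfuscate(body, session_id, key, version, seq_no)
    if not looks_like_authen_start(plain):
        return flags, body
    return flags | TAC_PLUS_UNENCRYPTED_FLAG, plain

# Constructed authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
# service=LOGIN(1), then user "admin", port "tty0", rem_addr "10.0.0.1" and no data.
USER, PORT, REM = b"admin", b"tty0", b"10.0.0.1"
START_BODY = bytes([1, 1, 1, 1, len(USER), len(PORT), len(REM), 0]) + USER + PORT + REM
SESSION = 0x1234ABCD  # constructed session id

def scenario(router_key, daemon_key):
    # Router side: an empty key means cleartext on the wire with the unencrypted flag set.
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not router_key else 0
    wire = obfuscate(START_BODY, SESSION, router_key)
    return daemon_receive(flags, wire, SESSION, daemon_key)
```

scenario(b"cisco", b"") reproduces the first case in the thread (obfuscated packet, no daemon key, flag left unset and body still garbled); scenario(b"cisco", b"cisco") reproduces the second (successful decryption, flag set).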
Hi Marc,
I inherited a lot of switches and routers without a tacacs key, and the tac_plus software should be updated to the current version.
The installed tac_plus server (Version 202104181633/DES) works with empty key = ""
The current (just cloned and compiled, Version "b5d4dada8a326f3e3a02690ad3cbd9fa67a0882b") does not.
When setting key in the config and on the device, everything seems to work.
The manual https://www.pro-bono-publico.de/projects/pdf/tac_plus.pdf states:
"The daemon will reject connections from hosts that have no encryption key defined." but also "During debugging, it may be convenient to temporarily switch off encryption by using an empty key:"
So I think it should function also with an empty key.
In the syslog, I find the following messages (for key = "")
When using key = cisco, all shown packets have "flags: unencrypted". Shouldn't that be all encrypted since I am using a key?
Device here is a Cisco router with IOS 15.9(3)M5.
What is going wrong?
Thanks for looking at this.