blog/ posts/ Debugging tac plus configuration
Save git repositories via IP or local path | posts | Screen sessions with names

tac_plus daemon from Shruberry Networks has a debug mode build in by default. With debugging it is meant to debug the communication between the NAS and the TACACS server. On default tac_plus daemon debugs to the syslog file. But it is possible to run the daemon in the foreground to see the debuging messages on just in time without tailing the syslog and grepping for certain files. This is my prefered debug mode. Below a list of possible debug modes in tac_plus

Value   Meaning 
8   authorization debugging 
16  authentication debugging 
32  password file processing debugging 
64  accounting debugging 
128     config file parsing & lookup 
256     packet transmission/reception 
512     encryption/decryption 
1024    MD5 hash algorithm debugging 
2048    very low level encryption/decryption

The example below shows a password processing debug session. The password has been hashed with SHA512 algorithm and a random salt. The password has been configured in the tac_plus.cfg file. Username is testuser and the password is cisco and this is displayed in cleartext if tac_plus is running in debug mode.

File tac_plus.cfg:

key = cisco 

group = netadmin {
        default service = permit
            service = exec {
                priv-lvl = 15
                }
}

user = testuser {
        member = netadmin
        login = des $6$uwzsv9l.ctQXZ31r$QKioQ57M1AoGYjhHQSlk3jvfQ3GYA3JPB8pINz5FwmcB8Mq//Qt03mq26luU5Atg3MLbCysbXrN8KQU3SxH0N.
}

Here what is displayed during a debug session as seen on the tac_plus server:

tc@box:~$ sc_debug_tacplus.sh 32
Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
uid=0 euid=0 gid=0 egid=0 s=153057128
connect from 10.0.0.17 [10.0.0.17]
verify cisco $6$uwzsv9l.ctQXZ31r$QKioQ57M1AoGYjhHQSlk3jvfQ3GYA3JPB8pINz5FwmcB8Mq//Qt03mq26luU5Atg3MLbCysbXrN8KQU3SxH0N.
cisco encrypts to $6$uwzsv9l.ctQXZ31r$QKioQ57M1AoGYjhHQSlk3jvfQ3GYA3JPB8pINz5FwmcB8Mq//Qt03mq26luU5Atg3MLbCysbXrN8KQU3SxH0N.
Password is correct
Password has not expired <no expiry date set>
login query for 'testuser' port tty0 from 10.0.0.17 accepted

The tac_plus deamon has been started with a bash script and a argument here 32 which is the password file processing debug option for tac_plus. Here is the script 

#!/bin/sh
sudo tac_plus -G -t -d $1 -C ~/tac_plus.cfg -B 10.255.254.2

This is running in tinycore linux on GNS3 appliance, and I have been wondering if it already has SHA512 but this works without any problems. So no need to use DES encrypted hashes.