Re: Crashing an XTACACS authentication server

Alan Brown (alan@MANAWATU.GEN.NZ)
Wed, 24 Dec 1997 15:39:39 +1300

At 11:21 23/12/97 -0800, Coaxial Karma wrote:

>I recently discovered that when an ISP was using XTACACS server from
>Vikas Aggarwal ( in a standalone mode, it was possible to
>make the XTACACS server crash by sending it different types of ICMP

Nasty, but...

This reinforces the recommendation in Vikas' documentation that xtacacsd be
run out of inetd in persistent mode and not in standalone mode. Having
login/logout control die will at best generate a flurry of support calls
plus mess up time-based accounting, or at worst cost an ISP customers.

Thankfully, Tacacs-based clients usually default to "no response = no
access", so it only really becomes a security issue if a bogus tacacs
server can be installed on the network _and_ the tacacs servers are
configured to look at it. (Discounting forged udp tacacs responses).