We're using tacacs for AAA on our network devices, and I'm interested/curious in how our devices are encrypting the passwords device side.
Following the Arista EOS manual, page 139, I'm running:
switch(config)#tacacs-server key 0 cv90jr1
The guide tells me that the corresponding encrypted string is 020512025B0C1D70.
switch(config)#show running-config | grep tacacs
tacacs-server key 7 1306014B5B06167B
Seeing a different encrypted string than the one they mentioned got me curious. So I added the same key ten more times and took a look at the encrypted versions:
tacacs-server key 7 0110105D0B01145E
tacacs-server key 7 070C37151E030B54
tacacs-server key 7 020512025B0C1D70
tacacs-server key 7 1306014B5B06167B
tacacs-server key 7 020512025B0C1D70
tacacs-server key 7 020512025B0C1D70
tacacs-server key 7 0110105D0B01145E
tacacs-server key 7 110A0F5C4718195D
tacacs-server key 7 0007055F54511957
tacacs-server key 7 03074D525605331D
I couldn't find any information about this. I'm particularly interested in the fact that I collided the manual's key three times and have another separate collision in there. Whatever salting they do seems to not have a particularly large input domain.
So how does this get encrypted? If an adversary were to obtain a device's configuration information (say... the output of show running-config), how easy/hard would it be to compute the true tacacs+ key?
Does Cisco IOS work the same way? I do not have a lab Cisco device to experiment with this on, but I'm under the impression that features which Arista didn't think needed to be different are identical between Arista and Cisco.