TACACS+ passkey encryption

[nmoray-ebay]

Description

Configured TACACS+ passkey needs to be encrypted in running-config / config_db.json file for better security. Additionally, configured passkey should not be visible in the show output.

Steps to reproduce the issue:

1. Configure tacacs passkey string
2. Check the same in running config
3. Check the same in show tacacs CLI

Describe the results you received:

root@LEAF01:# config tacacs passkey TEST
root@LEAF01:# show run all | grep passkey
"passkey": "TEST" ----> [Visible in plain text format]
root@LEAF01:~# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey TEST. ----> [Visible in plain text format]

Describe the results you expected:

root@sonic:# config tacacs passkey TEST
root@sonic:# show run all | grep passkey
"passkey": "U2FsdGVkX1+59Ovn/BuZO8+v39F1FTIdl53aD3o9koo="
root@sonic:~# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey configured Yes

Output of show version:

admin@LEAF01:~$ show ver

SONiC Software Version: SONiC.202205.216163-e6fde1d9e
Distribution: Debian 11.6
Kernel: 5.10.0-18-2-amd64
Build commit: e6fde1d
Build date: Fri Feb 10 12:26:35 UTC 2023
Built by: AzDevOps@vmss-soni000GQU

Platform: x86_64-mlnx_msn2100-r0
HwSKU: ACS-MSN2100
ASIC: mellanox
ASIC Count: 1
Serial Number: MT1950X05002
Model Number: MSN2100-CB2FO
Hardware Revision: A2
Uptime: 20:20:06 up 16:20, 1 user, load average: 0.31, 0.30, 0.33
Date: Thu 16 Feb 2023 20:20:06

Docker images:
REPOSITORY TAG IMAGE ID SIZE
docker-syncd-mlnx 202205.216163-e6fde1d9e c795f76e1d73 903MB
docker-syncd-mlnx latest c795f76e1d73 903MB
docker-orchagent 202205.216163-e6fde1d9e d701431f2f00 519MB
docker-orchagent latest d701431f2f00 519MB
docker-fpm-frr 202205.216163-e6fde1d9e 3f86ce97f9ff 529MB
docker-fpm-frr latest 3f86ce97f9ff 529MB
docker-teamd 202205.216163-e6fde1d9e 96256f409620 500MB
docker-teamd latest 96256f409620 500MB
docker-macsec latest f3aad9927376 502MB
docker-platform-monitor 202205.216163-e6fde1d9e 1581c9b624da 908MB
docker-platform-monitor latest 1581c9b624da 908MB
docker-dhcp-relay latest 2afb5d283578 494MB
docker-sonic-telemetry 202205.216163-e6fde1d9e 9665adfde797 564MB
docker-sonic-telemetry latest 9665adfde797 564MB
docker-snmp 202205.216163-e6fde1d9e 29adf6411126 529MB
docker-snmp latest 29adf6411126 529MB
docker-lldp 202205.216163-e6fde1d9e ee0968fa56fa 526MB
docker-lldp latest ee0968fa56fa 526MB
docker-mux 202205.216163-e6fde1d9e 2f49afed8640 533MB
docker-mux latest 2f49afed8640 533MB
docker-database 202205.216163-e6fde1d9e 45d7b04cbdd2 484MB
docker-database latest 45d7b04cbdd2 484MB
docker-router-advertiser 202205.216163-e6fde1d9e 6c257b7bdd0b 484MB
docker-router-advertiser latest 6c257b7bdd0b 484MB
docker-nat 202205.216163-e6fde1d9e 3f50ea8cf328 471MB
docker-nat latest 3f50ea8cf328 471MB
docker-sflow 202205.216163-e6fde1d9e 2ddb73d297eb 469MB
docker-sflow latest 2ddb73d297eb 469MB
docker-sonic-mgmt-framework 202205.216163-e6fde1d9e 280c6d3efeae 598MB
docker-sonic-mgmt-framework latest 280c6d3efeae 598MB(paste your output here)

#### Output of `show techsupport`:
N/A
(paste your output here or download and attach the file here )

[judyjoseph]

This is a new feature request, There is no one working on this currently.

[nmoray-ebay]

@judyjoseph...I can help with the implementation. I have already done it for our customers.

[nmoray-ebay]

@madhupalu

[anders-nexthop]

It seems like there has been quite a bit of work on this issue:

TACACS+ Passkey Encryption
Add security_cipher module
Add TACACS+ Passkey Encryption
Add TACACS+ Passkey Decryption

The work seems to have stalled out. Can we push to get this reviewed/revised/merged? I came across the same issue for RADIUS, having a common solution would be helpful.