Security issue with pam-krb5 ?

Steve Langasek vorlon at
Wed Aug 27 15:47:16 EDT 2003

On Wed, Aug 27, 2003 at 03:37:24PM -0400, Brian Davidson wrote:
> On Wednesday, August 27, 2003, at 02:16 PM, Matthijs Mohlmann wrote:

> >Am i right when i say libpam-krb5 send's the password cleartext over 
> >the
> >network ?

> In a nutshell, yes.  The username & password is still sent across the 
> network to the daemon as if you weren't using libpam-krb5.  Instead of 
> checking the passwd file, libpam-krb5 attempts to obtain a TGT from 
> your KDC.  Successfully obtaining a TGT means you are authenticated.

libpam-krb5 does *not* send passwords across the network; it is the client
software that would be sending passwords across the network in the clear
if being used from a PAMified network server.  This is not a function of
libpam-krb5, but a function of PAM itself.  Any communication between
libpam-krb5 and the KDC is properly secured.

> If you use libpam-krb5 for telnet, then your username and password go 
> across in plaintext.  Same for ftp.  If you use ssh, then they are 
> encrypted.  Anything running over SSL should allow you to *relatively* 
> securely use libpam-krb5 for authentication.


> The downside is that a modified libpam-krb5 on a system could steal 
> passwords & stash them in a file.  "Pure" kerberos won't allow that to 
> happen, since hosts never receive the user's password.


Steve Langasek
postmodern programmer

More information about the Kerberos mailing list