Security issue with pam-krb5 ?

Brian Davidson bdavids1 at
Wed Aug 27 16:15:36 EDT 2003

On Wednesday, August 27, 2003, at 03:47 PM, Steve Langasek wrote:

> On Wed, Aug 27, 2003 at 03:37:24PM -0400, Brian Davidson wrote:
>> On Wednesday, August 27, 2003, at 02:16 PM, Matthijs Mohlmann wrote:
>>> Am i right when i say libpam-krb5 send's the password cleartext over
>>> the
>>> network ?
>> In a nutshell, yes.  The username & password is still sent across the
>> network to the daemon as if you weren't using libpam-krb5.  Instead of
>> checking the passwd file, libpam-krb5 attempts to obtain a TGT from
>> your KDC.  Successfully obtaining a TGT means you are authenticated.
> libpam-krb5 does *not* send passwords across the network; it is the 
> client
> software that would be sending passwords across the network in the 
> clear
> if being used from a PAMified network server.  This is not a function 
> of
> libpam-krb5, but a function of PAM itself.  Any communication between
> libpam-krb5 and the KDC is properly secured.

Correct.  I should have read the initial question more carefully.  When 
you use libpam-krb5, the password is sent plain text, but it's not 
libpam-krb5 sending the plaintext...  I read it as "does the password 
get sent in plaintext?"


More information about the Kerberos mailing list