kinit sending clear text password

Wyllys Ingersoll wyllys.ingersoll at sun.com
Wed Apr 21 11:49:48 EDT 2004


Douglas E. Engert wrote:

>Will Fiveash wrote:
>  
>
>>On Tue, Apr 20, 2004 at 01:09:53PM -0700, melissa_benkyo wrote:
>>    
>>
>>>hello folks,
>>>
>>>thanks for all the help. I wouldn't have made it here so far without
>>>your help. :) thanks. Now I'm trying to use PAM APIs instead but the
>>>thing is pam_krb5 seems to be sending the password in clear text then
>>>I tried to use kinit <username> and I was shocked to see the password.
>>>(Am I a good hacker or what?) hehehe is it supposed to be like this?
>>>      
>>>
>>No.  First check the docs for using pam_krb5 and GSS-API on
>><http://docs.sun.com> and make sure your program isn't buggy.  If that
>>isn't the case try pkgchk to see if your binaries have been modified.
>>If that isn't the case, file a bug with Sun.
>>
>>BTW, how did you "see" the password?
>>    
>>
>
>As a side comment, the Sun pam_krb5 when passed the debug option writes 
>the password to syslog! This is not a good practice even when testing. 
>  
>

I think that bug has been fixed recently, but I don't have the patchid
available right now.


Also, in response to the original posting - there is No Way the
password is passing over the wire in clear text if you are using
kinit.  It does pass over the wire when using PAM, but that's
a problem inherent in any PAM module where the client and server
communicate over an unsecured transport; it's not specific to
Kerberos or the SEAM implementation.

-Wyllys
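Added illustration, not part of the thread: the reason kinit never puts the password on the wire is that the client derives a long-term key from the password locally and proves possession of it by sending an encrypted timestamp (PA-ENC-TIMESTAMP pre-authentication); the KDC holds the same derived key and only checks that the timestamp decrypts and is fresh. The toy model below follows that shape. The key derivation (PBKDF2 with salt = realm + principal, 4096 iterations) mirrors RFC 3962, but the cipher is an HMAC-SHA256 keystream standing in for the real enctype, and the realm, principal and password are constructed sample values, so this shows what crosses the wire rather than being an interoperable implementation.

```python
"""Toy model of Kerberos AS-REQ pre-authentication (PA-ENC-TIMESTAMP).

Added example for the mailing-list thread, not code from it. The string-to-key
step has the shape of RFC 3962; the cipher is a stand-in for the real enctype.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 4096  # RFC 3962 default iteration count
TAG_LEN = 16
NONCE_LEN = 16


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Derive the long-term key from the password. The client does this locally;
    the KDC stores the same key. The password itself is never transmitted."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (HMAC in counter mode) for the enctype's cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (authenticated, so a wrong key is detected)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def client_as_req(password: str, realm: str, principal: str, now: Optional[int] = None) -> dict:
    """What the client sends: principal and realm in the clear, plus the current
    time encrypted under the password-derived key. No password field exists."""
    key = string_to_key(password, realm, principal)
    ts = int(now if now is not None else time.time())
    return {"cname": principal, "realm": realm, "padata": encrypt(key, ts.to_bytes(8, "big"))}


def kdc_check_preauth(as_req: dict, stored_key: bytes, now: Optional[int] = None, skew: int = 300) -> bool:
    """KDC side: decrypt PA-ENC-TIMESTAMP with the stored key and enforce clock skew."""
    pt = decrypt(stored_key, as_req["padata"])
    if pt is None:
        return False
    ts = int.from_bytes(pt, "big")
    current = int(now if now is not None else time.time())
    return abs(current - ts) <= skew


def wire_bytes(as_req: dict) -> bytes:
    """Flatten the request so it can be inspected the way a packet capture would be."""
    return as_req["cname"].encode() + as_req["realm"].encode() + as_req["padata"]


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    pw, realm, user = "correct horse battery", "EXAMPLE.COM", "melissa"
    req = client_as_req(pw, realm, user, now=1082562588)
    print("password visible on the wire:", pw.encode() in wire_bytes(req))
    print("KDC accepts:", kdc_check_preauth(req, string_to_key(pw, realm, user), now=1082562588))
```

The two checks a practitioner cares about are both visible here: the password bytes do not occur anywhere in the request, and a KDC holding a key derived from a different password rejects the request without ever learning what was typed. The PAM case in the thread is different only in where the password is entered: a PAM module still derives the key locally, but if the password was typed into a remote login session carried over an unencrypted transport, it already crossed the network before pam_krb5 saw it.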



