kinit sending clear text password
Will Fiveash
william.fiveash at sun.com
Wed Apr 21 14:40:47 EDT 2004
On Wed, Apr 21, 2004 at 08:58:39AM -0700, Mike Friedman wrote:
> On Wed Apr 21 05:59:17 2004, melissa_benkyo said:
>
> > I'm just using the kinit that comes from Sun; I'm not programming yet.
> > By seeing I meant being able to see the typed-in password when I
> > snooped or used Ethereal.
> > r-xr-xr-x 1 root bin 15768 Sep 8 2003 /usr/bin/kinit
>
> Melissa,
>
> Are you sure that you're not running kinit on a machine to which you're
> first connected in a non-secure manner? You may be sniffing the password
> as it passes between your local workstation (where you typed it) and the
> machine on which you're actually executing kinit.
>
> Just a thought.
And a good one at that. Melissa, when snooping kinit traffic, limit it
to the client host and the KDC host. If you still see a clear-text
password, send me the snoop (use a test principal for which you don't
care if I see the password). And also send 'uname -a' output and the
path where you are getting kinit from.
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
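The diagnostic Will describes above, restricting the capture to the client host and the KDC and checking whether the typed password shows up in the clear, as an added illustration that is not part of this thread. The packets, addresses and test password below are all constructed; a real check would run over a snoop or Ethereal capture rather than an in-memory list.

```python
# Added example, not from the Kerberos mailing-list thread above.
# Toy model of the check Will Fiveash suggests: filter the capture to the
# client<->KDC leg and see whether the password appears in clear anywhere.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed addresses (assumptions, not from the thread).
WORKSTATION = "10.0.0.5"      # where the password is typed
CLIENT = "10.0.0.20"          # where kinit actually runs
KDC = "10.0.0.88"             # the KDC
TEST_PASSWORD = b"s3cret-test"  # constructed test-principal password

# Constructed capture: the user is logged in over unencrypted telnet to the
# host that runs kinit, then kinit talks to the KDC on port 88.
SAMPLE_CAPTURE = [
    Packet(WORKSTATION, CLIENT, 23, b"kinit testuser\r\n"),
    Packet(CLIENT, WORKSTATION, 23, b"Password for testuser@EXAMPLE.COM: "),
    Packet(WORKSTATION, CLIENT, 23, TEST_PASSWORD + b"\r\n"),  # the leak
    # Stand-in for the AS-REQ: principal name plus a blob that stands in for
    # the pre-authentication data; the password itself is never sent.
    Packet(CLIENT, KDC, 88, b"\x6a" + b"testuser@EXAMPLE.COM" + bytes(range(32))),
    Packet(KDC, CLIENT, 88, b"\x6b" + bytes(range(64))),
]


def snoop_filter(client, kdc):
    """Snoop filter expression that limits the capture to the two hosts."""
    return f"host {client} and host {kdc}"


def between(pkt, a, b):
    """True if the packet travels between hosts a and b (either direction)."""
    return {pkt.src, pkt.dst} == {a, b}


def kinit_flow(capture, client, kdc):
    """Only the traffic between the kinit client host and the KDC."""
    return [p for p in capture if between(p, client, kdc)]


def flows_leaking(capture, secret):
    """Set of (src, dst, dport) whose payload carries the secret in clear."""
    return {(p.src, p.dst, p.dport) for p in capture if secret in p.payload}


def diagnose(capture, client, kdc, secret):
    """Classify where a clear-text password was seen:
    'kinit-leg-leak'  - on the client<->KDC leg (kinit really sent it),
    'upstream-leak'   - on some other hop, e.g. the login session where
                        the password was typed,
    'no-leak'         - nowhere in the capture."""
    leaking = flows_leaking(capture, secret)
    kinit_leaks = {f for f in leaking if {f[0], f[1]} == {client, kdc}}
    if kinit_leaks:
        return "kinit-leg-leak"
    if leaking - kinit_leaks:
        return "upstream-leak"
    return "no-leak"


if __name__ == "__main__":
    print("filter:", snoop_filter(CLIENT, KDC))
    print("leaking flows:", flows_leaking(SAMPLE_CAPTURE, TEST_PASSWORD))
    print("verdict:", diagnose(SAMPLE_CAPTURE, CLIENT, KDC, TEST_PASSWORD))
```

On the constructed capture the only flow carrying the password is the telnet leg from the workstation to the client host, so the verdict is `upstream-leak`: the kinit-to-KDC traffic is clean, which is exactly the distinction Mike and Will are asking Melissa to make before concluding that kinit itself is at fault.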