kinit sending clear text password

Will Fiveash william.fiveash at sun.com
Wed Apr 21 14:40:47 EDT 2004


On Wed, Apr 21, 2004 at 08:58:39AM -0700, Mike Friedman wrote:
> On Wed Apr 21 05:59:17 2004, melissa_benkyo said:
> 
> > I'm just using the kinit that comes from Sun; I'm not programming yet.
> > By seeing I meant being able to see the typed-in password when I
> > snooped or used ethereal.
> > r-xr-xr-x   1 root     bin        15768 Sep  8  2003 /usr/bin/kinit
> 
> Melissa,
> 
> Are you sure that you're not running kinit on a machine to which you're
> first connected in a non-secure manner?  You may be sniffing the password
> as it passes between your local workstation (where you typed it) and the
> machine on which you're actually executing kinit.
> 
> Just a thought.

And a good one at that.  Melissa, when snooping kinit traffic, limit it
to the client host and the kdc host.  If you still see a clear-text
password, send me the snoop (use a test principal for which you don't
care if I see the password).  And also send 'uname -a' output and the
path where you are getting kinit from.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
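The triage Will describes, written out as an added example (not code from the thread or from Sun's kinit): narrow a capture to the client host and the KDC, and check whether the test password really appears there or only in some other session, such as a remote login to the host where kinit was run. The packet records, host names and the password are constructed stand-ins for a parsed snoop or ethereal capture.

```python
# Added example: classify where a clear-text password shows up in a capture.
# Packet records are constructed here; a real run would fill them from a
# parsed snoop/tcpdump file. Host names and the password are assumptions.
from dataclasses import dataclass

KDC_PORT = 88  # Kerberos KDC port; kinit's AS exchange uses it

@dataclass
class Packet:
    src: str      # source host
    dst: str      # destination host
    sport: int
    dport: int
    payload: bytes

def is_kdc_flow(pkt: Packet, client: str, kdc: str) -> bool:
    """True if pkt belongs to the kinit client <-> KDC exchange on port 88."""
    return {pkt.src, pkt.dst} == {client, kdc} and KDC_PORT in (pkt.sport, pkt.dport)

def find_password_leaks(packets, password: str, client: str, kdc: str):
    """Return (seen_in_kdc_traffic, other_flows).

    seen_in_kdc_traffic: the password bytes appear in client<->KDC traffic,
    which would indicate a real kinit problem.
    other_flows: (src, dst, dport) of non-KDC packets carrying the password,
    i.e. the insecure hop (telnet, rsh, ...) that actually leaked it.
    """
    secret = password.encode()
    seen_in_kdc = False
    other = set()
    for p in packets:
        if secret not in p.payload:
            continue
        if is_kdc_flow(p, client, kdc):
            seen_in_kdc = True
        else:
            other.add((p.src, p.dst, p.dport))
    return seen_in_kdc, sorted(other)

# Constructed capture: the password typed over telnet from a workstation to
# the host running kinit, followed by kinit's AS-REQ/AS-REP with the KDC.
# A Kerberos 5 AS-REQ carries the principal name and an encrypted timestamp
# (pre-authentication), never the password itself.
SAMPLE_CAPTURE = [
    Packet("workstation", "client", 40123, 23, b"testuser\r\n"),
    Packet("workstation", "client", 40123, 23, b"hunter2\r\n"),   # telnet login
    Packet("client", "kdc", 51000, 88, b"\x6a\x81\xa0...testuser@EXAMPLE.COM..."),
    Packet("kdc", "client", 88, 51000, b"\x6b\x81\xc0...encrypted AS-REP..."),
]
```

Running `find_password_leaks(SAMPLE_CAPTURE, "hunter2", "client", "kdc")` reports no leak in KDC traffic and points at the telnet flow from the workstation instead.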
