kinit sending clear text password
Ben Staffin
staffin at uiuc.edu
Wed Apr 21 18:46:10 EDT 2004
* Douglas E. Engert <deengert at anl.gov> [2004-04-21 09:16] wibbled:
> Will Fiveash wrote:
> > On Tue, Apr 20, 2004 at 01:09:53PM -0700, melissa_benkyo wrote:
> > > thanks for all the help. I wouldn't have made it here so far without
> > > your help. :) thanks. Now I'm trying to use PAM APIs instead but the
> > > thing is pam_krb5 seems to be sending the password in clear text. Then
> > > I tried to use kinit <username> and I was shocked to see the password.
> > > (Am I a good hacker or what?) hehehe. Is it supposed to be like this?
> >
> > No. First check the docs for using pam_krb5 and GSS-API on
> > <http://docs.sun.com> and make sure your program isn't buggy. If that
> > isn't the case try pkgchk to see if your binaries have been modified.
> > If that isn't the case, file a bug with Sun.
> >
> > BTW, how did you "see" the password?
>
> As a side comment, the Sun pam_krb5, when passed the debug option, writes
> the password to syslog! This is not a good practice even when testing.
That was introduced with a recent patch I believe; I happened to catch
it the same day it happened, but I certainly did get surprised to see
passwords flying around in syslog!
I'll be pleased if it's been fixed now - I'll have to check that out.
--
/--
| Ben Staffin
perpetual nerd |
--/