kinit sending clear text password

Ben Staffin staffin at uiuc.edu
Wed Apr 21 18:46:10 EDT 2004


* Douglas E. Engert <deengert at anl.gov> [2004-04-21 09:16] wibbled:
> Will Fiveash wrote:
> > On Tue, Apr 20, 2004 at 01:09:53PM -0700, melissa_benkyo wrote:
> > > thanks for all the help. I wouldn't have made it here so far without
> > > your help. :) thanks. Now I'm trying to use PAM APIs instead, but the
> > > thing is pam_krb5 seems to be sending the password in clear text. Then
> > > I tried to use kinit <username> and I was shocked to see the password.
> > > (Am I a good hacker or what?) hehehe is it supposed to be like this?
> > 
> > No.  First check the docs for using pam_krb5 and GSS-API on
> > <http://docs.sun.com> and make sure your program isn't buggy.  If that
> > isn't the case try pkgchk to see if your binaries have been modified.
> > If that isn't the case, file a bug with Sun.
> > 
> > BTW, how did you "see" the password?
> 
> As a side comment, the Sun pam_krb5 when passed the debug option writes
> the password to syslog! This is not a good practice even when testing.

That was introduced with a recent patch I believe; I happened to catch
it the same day it happened, but I certainly did get surprised to see
passwords flying around in syslog!

I'll be pleased if it's been fixed now - I'll have to check that out.

-- 
/--
| Ben Staffin
  perpetual nerd  |
                --/
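The leak Douglas describes, a PAM module's debug option writing the password to syslog, is the kind of thing an admin can audit for after the fact. The script below is an added example, not code from this thread or from Sun's pam_krb5: it scans syslog lines for messages from a given PAM module that carry an unredacted password-style field. The syslog layout and the `password=` field are assumptions made for the constructed sample lines, since the real Solaris debug format is not shown in the thread.

```python
import re

# Constructed sample syslog lines; the field layout is an assumption made for
# this example and is not real Solaris pam_krb5 output. Line 3 is the kind of
# leak the thread describes: a debug message carrying the clear-text password.
SAMPLE_SYSLOG = """\
Apr 21 09:14:02 host1 sshd[1234]: pam_krb5[auth]: debug: krb5_get_init_creds for user=alice
Apr 21 09:14:02 host1 sshd[1234]: pam_krb5[auth]: debug: password=******** (len 8)
Apr 21 09:14:03 host1 login[1250]: pam_krb5[auth]: debug: user=bob password=hunter2
Apr 21 09:14:03 host1 login[1250]: pam_unix[auth]: authentication failure for bob
"""

# Classic BSD syslog line: timestamp, host, "process[pid]", message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
# A password-like key followed by a value (key=value or key: value).
SECRET_KV_RE = re.compile(r"\b(password|passwd|pass)\s*[=:]\s*(?P<val>\S+)", re.IGNORECASE)
# Values a careful module would log instead of the secret itself.
REDACTED_RE = re.compile(r"^(\*+|<redacted>|\[redacted\]|\(hidden\))$", re.IGNORECASE)


def find_password_leaks(lines, module="pam_krb5"):
    """Return one report per syslog line from `module` whose message carries an
    unredacted password-style value. The value itself is deliberately NOT copied
    into the report, so the audit output does not become a second leak."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SYSLOG_RE.match(line)
        if not m or module not in m.group("msg"):
            continue
        kv = SECRET_KV_RE.search(m.group("msg"))
        if kv is None or REDACTED_RE.match(kv.group("val")):
            continue
        hits.append({"line": n, "host": m.group("host"),
                     "proc": m.group("proc"), "key": kv.group(1).lower()})
    return hits


if __name__ == "__main__":
    for hit in find_password_leaks(SAMPLE_SYSLOG.splitlines()):
        print(f"line {hit['line']}: {hit['host']} {hit['proc']} logs a clear-text '{hit['key']}' field")
```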