Does KRB5_TRACE logging ever print sensitive info? (like passwords)

pratyush parimal pratyush.parimal at gmail.com
Wed Jun 21 23:03:19 EDT 2017


Hi all,

I was wondering whether, in order to debug Kerberos issues on a production
machine, it would be a good idea to enable trace logging via KRB5_TRACE
for a small amount of time?

I have experimented with Kerberos trace logging in a test environment with
commands like kinit, kadmin, and other programmatic calls to GSSAPI and
never came across passwords or anything sensitive printed in the trace log.
It mainly showed me what TGT requests were being made and who the
library was sending requests to (which is mainly what I wanted to know for
debugging purposes). But I wanted to know if it could potentially print
something sensitive that could lead to an account compromise or something
comparable.

Thanks,
Pratyush

