Does KRB5_TRACE logging ever print sensitive info? (like passwords)

Greg Hudson ghudson at mit.edu
Thu Jun 22 01:00:36 EDT 2017


On 06/21/2017 11:03 PM, pratyush parimal wrote:
> I have experimented with kerberos trace logging in a test environment with
> commands like kinit, kadmin, and other programmatic calls to GSSAPI and
> never came across passwords or anything sensitive printed in the trace log.
> It mainly showed me what TGT requests were being made and who was the
> library sending requests to (which is mainly what I wanted to know for
> debugging purposes). But I wanted to know if it could potentially print
> something sensitive that could lead to an account compromise or something
> comparable.

I don't believe we ever print passwords or full keys.  We sometimes
print a small (four bytes of hex) SHA-1 hash of a key that someone could
match against the trace output of a different process.

The material in a trace log might be considered sensitive by some
definitions (filenames, principal names, etc.), but to the best of my
knowledge it shouldn't lead directly to account compromise.
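As an added illustration (not code from this thread or from MIT krb5), the script below does the two things a defender would want after reading the reply above: it masks the items Greg lists as sensitive by some definitions (principal names, filenames) together with the short key fingerprint, so a trace log can be shared for debugging, and it shows why a truncated SHA-1 of a key lets an observer match the same key across two processes' traces without recovering the key. The sample trace lines are constructed, the fingerprint construction (leading hex digits of SHA-1 over the raw key bytes) and its default length are assumptions modelled on the thread, and the enctype names in the pattern are the common ones, so check them against your own krb5 build before relying on the redaction.

```python
"""Redact a KRB5_TRACE log before sharing it, and show what the short key
fingerprint does and does not reveal.

Added example, not code from MIT krb5.  The trace line layout, the enctype
list and the fingerprint construction (leading hex digits of SHA-1 over the
raw key) are assumptions modelled on the mailing-list description.
"""
import hashlib
import re
from typing import List

# Constructed sample of trace output (not captured from a real system).
SAMPLE_TRACE = [
    "[3126] 1498100436.859371: Getting initial credentials for alice@EXAMPLE.COM",
    "[3126] 1498100436.859455: Sending request (187 bytes) to EXAMPLE.COM",
    "[3126] 1498100436.861002: AS key obtained from gak_fct: aes256-cts/0F9C",
    "[3126] 1498100436.861100: Storing alice@EXAMPLE.COM -> "
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM in FILE:/tmp/krb5cc_1000",
]

# user@REALM or service/host@REALM
_PRINCIPAL = re.compile(r"[\w.-]+(?:/[\w.-]+)*@[\w.-]+")
# <enctype>/<hex fingerprint>, the way a keyblock is assumed to appear
_KEYBLOCK = re.compile(
    r"\b(aes\d{3}-cts(?:-hmac-sha\d+-\d+)?|aes\d{3}-sha\d|des3-cbc-sha1|"
    r"arcfour-hmac|rc4-hmac|camellia\d{3}-cts-cmac)/[0-9A-Fa-f]{4,}\b"
)
# absolute filesystem paths (ccache, keytab, config files)
_PATH = re.compile(r"(?<!\w)/[\w./-]+")


def key_fingerprint(key: bytes, hex_digits: int = 4) -> str:
    """Leading hex digits of SHA-1 over the key bytes.

    Assumed to approximate the short hash krb5 prints; the digit count is a
    parameter because the exact length is not confirmed by the thread.
    """
    return hashlib.sha1(key).hexdigest()[:hex_digits].upper()


def redact_line(line: str) -> str:
    """Mask principals, keyblock fingerprints and paths in one trace line.

    Order matters: principals first (they may contain '/'), then keyblocks,
    then any remaining absolute paths.  PID, timestamp and message text stay
    so the log remains useful for debugging.
    """
    line = _PRINCIPAL.sub("<principal>", line)
    line = _KEYBLOCK.sub(r"\1/<keyhash>", line)
    line = _PATH.sub("<path>", line)
    return line


def redact_trace(lines: List[str]) -> List[str]:
    return [redact_line(line) for line in lines]


def fingerprints_correlate(key_a: bytes, key_b: bytes) -> bool:
    """True when two processes logging these keys would print the same
    fingerprint, i.e. a reader of both traces can tell the keys match."""
    return key_fingerprint(key_a) == key_fingerprint(key_b)


if __name__ == "__main__":
    for before, after in zip(SAMPLE_TRACE, redact_trace(SAMPLE_TRACE)):
        print(before)
        print("  ->", after)
    # The same constructed key seen in two processes correlates, but four
    # hex digits leave 2**(256 - 16) candidate 256-bit keys: no key recovery.
    k = bytes(range(32))
    print("fingerprint", key_fingerprint(k),
          "correlates:", fingerprints_correlate(k, k))
```

Realm names standing alone (the "Sending request ... to EXAMPLE.COM" line) are left in place, since they identify the environment rather than an account; extend `_PRINCIPAL` or add a realm pattern if your sharing policy treats them as sensitive too.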
