[38007] in Kerberos


Does KRB5_TRACE logging ever print sensitive info? (like passwords)

daemon@ATHENA.MIT.EDU (pratyush parimal)
Wed Jun 21 23:03:42 2017

From: pratyush parimal <pratyush.parimal@gmail.com>
Date: Wed, 21 Jun 2017 23:03:19 -0400
Message-ID: <CALvRNOHOqGr+--w4dgxkGmR9r+7raR3tysTYho06GYuk77r5AQ@mail.gmail.com>
To: kerberos@mit.edu

Hi all,

I was wondering whether, in order to debug Kerberos issues on a production
machine, it would be a good idea to enable trace logging via KRB5_TRACE
for a small amount of time?

I have experimented with Kerberos trace logging in a test environment with
commands like kinit, kadmin, and other programmatic calls to GSSAPI and
never came across passwords or anything sensitive printed in the trace log.
It mainly showed me what TGT requests were being made and who the library
was sending requests to (which is mainly what I wanted to know for
debugging purposes). But I wanted to know if it could potentially print
something sensitive that could lead to an account compromise or something
comparable.

Thanks,
Pratyush
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
