Bug 22051 - pam (and gdm) may log cleartext passwords
Product: Red Hat Linux
Classification: Retired
Component: pam
i386 Linux
Severity: medium
Assigned To: Nalin Dahyabhai
Aaron Brown
Security
Reported: 2000-12-11 06:00 EST by John Haxby
Modified: 2007-04-18 12:30 EDT
Doc Type: Bug Fix
Last Closed: 2000-12-11 09:05:28 EST
Attachments: None
Description John Haxby 2000-12-11 06:00:47 EST
Normally, the authentication system goes to considerable lengths to avoid
keeping cleartext passwords stored on the system.  Traditionally, Unix has
used a one-way function so that even knowing the value stored in a password
or shadow password file is of no use.

Unfortunately, when you arrive at work and type your password to a screen
lock before the screen has warmed up and then it turns out to be a login
screen ...

Well, we all do it, everyone attempts to use their password instead of
their user name at some stage, and then pam_unix and gdm both obligingly
log the password as a failed user name.  If someone manages to get hold of
/var/log/messages then they have the password in clear, almost always
followed by the username for a successful log in.   It's not enough to say
that "/var/log/messages" is not normally readable because admins will
produce summaries from this file that include interesting lines and
*e-mail* it; also why the hell do we go to all the trouble of protecting
passwords with a one-way function or using kerberos or whatever if the
authentication system goes and stuffs them in clear in a log file which
most administrators would only consider a low grade security problem?

(A similar bug - 780 - was raised against RH5.2 and was closed because the
person that closed it didn't consider storing cleartext passwords on the
system a security risk even though the remainder of the security system
thought that it was :-)
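The check an administrator would want to run before mailing a summary pulled from /var/log/messages, as an added example that is not part of the bug report: it parses pam_unix authentication-failure lines, treats a failed `user=` value that matches no local account as a probable mistyped password, and redacts it. The sample log lines are constructed, and the pam_unix message layout, the `KNOWN_USERS` set and the function names are assumptions.

```python
import re

try:
    import pwd  # POSIX only; used to read the real account list
except ImportError:
    pwd = None

# Constructed sample syslog lines (not taken from the bug report). The
# pam_unix message layout is assumed for this example.
SAMPLE_LOG = """\
Dec 11 08:59:02 host login[812]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=jhaxby
Dec 11 08:59:10 host login[812]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=s3cretPhrase!
Dec 11 08:59:20 host login[812]: pam_unix(login:session): session opened for user jhaxby by (uid=0)
Dec 11 09:01:00 host sshd[901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=root
"""

# Constructed stand-in for the accounts in /etc/passwd on the host.
KNOWN_USERS = {"root", "jhaxby", "nalin"}

# Only the trailing "user=<value>" of an authentication-failure record is of
# interest; the \b keeps the earlier "ruser=" field from matching.
FAILED_USER_RE = re.compile(r"authentication failure;.*\buser=(\S+)")

def local_users():
    """Account names from the running system's passwd database (empty if unavailable)."""
    return {entry.pw_name for entry in pwd.getpwall()} if pwd else set()

def redact_line(line, known_users):
    """Return (line, flagged). A failed user name that is not a real account
    is treated as a probable mistyped password and replaced."""
    m = FAILED_USER_RE.search(line)
    if m is None or m.group(1) in known_users:
        return line, False
    return line[:m.start(1)] + "<redacted: unknown user>" + line[m.end(1):], True

def scrub_log(text, known_users):
    """Scrub every line; return (scrubbed text, number of redacted lines)."""
    scrubbed, flagged = [], 0
    for line in text.splitlines():
        new_line, hit = redact_line(line, known_users)
        scrubbed.append(new_line)
        flagged += hit
    return "\n".join(scrubbed), flagged

if __name__ == "__main__":
    text, count = scrub_log(SAMPLE_LOG, KNOWN_USERS)
    print(text)
    print(f"{count} line(s) redacted")
```

A typed password that happens to equal a real account name passes through untouched, and gdm's own failure messages need a separate pattern, so this is a safety net for summaries, not a substitute for the per-module fix discussed in the bug.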

Comment 1 Nalin Dahyabhai 2001-01-15 22:32:25 EST
This becomes a per-module fix that touches not only PAM but other packages which
provide modules for its use.  We'll revisit this later on.
