Bug 22051 - pam (and gdm) may log cleartext passwords
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.0
Hardware: i386
OS: Linux
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
Keywords: Security
Reported: 2000-12-11 11:00 UTC by John Haxby
Modified: 2007-04-18 16:30 UTC (History)
Doc Type: Bug Fix
Last Closed: 2000-12-11 14:05:28 UTC

Description John Haxby 2000-12-11 11:00:47 UTC
Normally, the authentication system goes to considerable lengths to avoid
keeping cleartext passwords stored on the system.  Traditionally, Unix has
used a one-way function so that even knowing the value stored in a password
or shadow password file is of no use.

Unfortunately, when you arrive at work and type your password to a screen
lock before the screen has warmed up and then it turns out to be a login
screen ...

Well, we all do it, everyone attempts to use their password instead of
their user name at some stage, and then pam_unix and gdm both obligingly
log the password as a failed user name.  If someone manages to get hold of
/var/log/messages then they have the password in clear, almost always
followed by the username for a successful log in.   It's not enough to say
that "/var/log/messages" is not normally readable because admins will
produce summaries from this file that include interesting lines and
*e-mail* it; also why the hell do we go to all the trouble of protecting
passwords with a one-way function or using kerberos or whatever if the
authentication system goes and stuffs them in clear in a log file which
most administrators would only consider a low grade security problem?

(A similar bug - 780 - was raised against RH5.2 and was closed because the
person that closed it didn't consider storing cleartext passwords on the
system a security risk even though the remainder of the security system
thought that it was :-)


Comment 1 Nalin Dahyabhai 2001-01-16 03:32:25 UTC
This becomes a per-module fix that touches not only PAM but other packages which
provide modules for its use.  We'll revisit this later on.
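
An added example, not part of the original report or of PAM/gdm: a filter to run over log excerpts before they are summarised or e-mailed, which redacts any failed-login "user name" that is not a real account and reports which account logged in right afterwards. The line shapes, the `scrub` function, the sample lines and the account set are all assumptions constructed for illustration; real formats differ by module and version.

```python
import re

# Assumed line shapes (constructed for this example). Adjust both patterns
# to what the modules on your system actually write to syslog.
FAILED = re.compile(r"authentication failure;.*?\buser=(\S+)")
OPENED = re.compile(r"session opened for user (\S+)")


def scrub(lines, known_users, window=3):
    """Redact non-account names in failed logins and list accounts to rotate.

    Returns (scrubbed_lines, exposed). `exposed` maps an account name to the
    1-based numbers of the lines that probably held that account's password.
    """
    scrubbed, exposed, pending = [], {}, []
    for lineno, line in enumerate(lines, 1):
        # Forget failures too old to be tied to the next successful login.
        pending = [n for n in pending if lineno - n <= window]
        failed = FAILED.search(line)
        opened = OPENED.search(line)
        if failed and failed.group(1) not in known_users:
            # Not an account name, so it may be a password typed at the
            # user name prompt: never let it reach a summary.
            line = line[:failed.start(1)] + "[REDACTED]" + line[failed.end(1):]
            pending.append(lineno)
        elif opened and opened.group(1) in known_users and pending:
            # The login that follows is the likely owner of the secret.
            exposed.setdefault(opened.group(1), []).extend(pending)
            pending = []
        scrubbed.append(line)
    return scrubbed, exposed


# Constructed sample input; "Example-Passw0rd" stands in for a mistyped password.
KNOWN = {"root", "alice", "jch"}
SAMPLE = [
    "Dec 11 08:59:40 ws1 login[640]: authentication failure; user=alice",
    "Dec 11 09:01:12 ws1 gdm[812]: authentication failure; user=Example-Passw0rd",
    "Dec 11 09:01:20 ws1 gdm[812]: session opened for user jch",
    "Dec 11 09:05:00 ws1 crond[900]: session opened for user root",
]

if __name__ == "__main__":
    clean, exposed = scrub(SAMPLE, KNOWN)
    print("\n".join(clean))
    for account, line_numbers in exposed.items():
        print(f"rotate password for {account}: see original line(s) {line_numbers}")
```

The filter only protects the copy it produces. The original log file still holds the value, so each reported account needs a password change.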
