Normally, the authentication system goes to considerable lengths to avoid
keeping cleartext passwords stored on the system. Traditionally, Unix has
used a one-way function so that even knowing the value stored in a password
or shadow password file is of no use.
Unfortunately, when you arrive at work and type your password to a screen
lock before the screen has warmed up and then it turns out to be a login.
Well, we all do it, everyone attempts to use their password instead of
their user name at some stage, and then pam_unix and gdm both obligingly
log the password as a failed user name. If someone manages to get hold of
/var/log/messages then they have the password in clear, almost always
followed by the username for a successful login. It's not enough to say
that "/var/log/messages" is not normally readable because admins will
produce summaries from this file that include interesting lines and
*e-mail* it; also why the hell do we go to all the trouble of protecting
passwords with a one-way function or using Kerberos or whatever if the
authentication system goes and stuffs them in clear in a log file which
most administrators would only consider a low grade security problem?
(A similar bug - 780 - was raised against RH5.2 and was closed because the
person that closed it didn't consider storing cleartext passwords on the
system a security risk even though the remainder of the security system
thought that it was :-)
This becomes a per-module fix that touches not only PAM but other packages which
provide modules for its use. We'll revisit this later on.
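Until the modules stop logging the failed "user name", an administrator can at least catch the pattern described in the report before a log summary is e-mailed: a failed login whose user field is not a real account, followed shortly by a successful login. The script below is an added example, not part of the bug report or of PAM/gdm; the log lines and the account list are constructed stand-ins, and the message layout is assumed to follow the usual pam_unix syslog style.

```python
import re

# Constructed sample lines in the style of pam_unix/gdm syslog messages (not real logs).
SAMPLE_LOG = """\
Mar  3 08:01:12 ws1 gdm[1203]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=s3cretW0rd
Mar  3 08:01:20 ws1 gdm[1203]: pam_unix(gdm:session): session opened for user alice by (uid=0)
Mar  3 09:15:02 ws1 sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob
Mar  3 09:15:30 ws1 sshd[2210]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

# Constructed stand-in for the account names in /etc/passwd.
KNOWN_USERS = {"root", "alice", "bob"}

# \buser= avoids matching the "ruser=" field earlier on the same line.
FAILURE_RE = re.compile(r"authentication failure;.*\buser=(\S*)$")
SESSION_RE = re.compile(r"session opened for user (\S+)")

def find_leaks(log_text, known_users, window=3):
    """Return (line_no, suspect_value, following_user) for every failed login
    whose 'user' is not a known account and is followed within `window`
    lines by a successful session: the password-typed-as-username pattern."""
    lines = log_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = FAILURE_RE.search(line)
        if not m or m.group(1) == "" or m.group(1) in known_users:
            continue
        for follow in lines[i + 1:i + 1 + window]:
            s = SESSION_RE.search(follow)
            if s:
                hits.append((i + 1, m.group(1), s.group(1)))
                break
    return hits

def redact(log_text, known_users, window=3):
    """Rewrite flagged lines so the suspect value does not leave the host
    (e.g. in an e-mailed summary); genuine failed user names are kept."""
    flagged = {ln for ln, _, _ in find_leaks(log_text, known_users, window)}
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if n in flagged:
            line = re.sub(r"user=\S+$", "user=[REDACTED]", line)
        out.append(line)
    return "\n".join(out) + "\n"
```

The heuristic only flags values that are not account names, so a genuinely mistyped user name that happens to match an account is left alone.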