Normally, the authentication system goes to considerable lengths to avoid keeping cleartext passwords stored on the system. Traditionally, Unix has used a one-way function so that even knowing the value stored in a password or shadow password file is of no use. Unfortunately, when you arrive at work and type your password to a screen lock before the screen has warmed up and then it turns out to be a login screen ... Well, we all do it, everyone attempts to use their password instead of their user name at some stage, and then pam_unix and gdm both obligingly log the password as a failed user name. If someone manages to get hold of /var/log/messages then they have the password in clear, almost always followed by the username for a successful log in. It's not enough to say that "/var/log/messages" is not normally readable because admins will produce summaries from this file that include interesting lines and *e-mail* it; also why the hell do we go to all the trouble of protecting passwords with a one-way function or using kerberos or whatever if the authentication system goes and stuffs them in clear in a log file which most administrators would only consider a low grade security problem? (A similar bug - 780 - was raised against RH5.2 and was closed because the person that closed it didn't consider storing cleartext passwords on the system a security risk even though the remainder of the security system thought that it was :-) jch
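As an added illustration of the mitigation on the admin side (not code from the bug report or from PAM itself): before lines from /var/log/messages are pulled into an e-mailed summary, the user= value on any "authentication failure" line naming a user that does not exist on the system is redacted, since an unknown user name is exactly the case where the field may really be a password. The sample log lines, the known-user set and the exact pam_unix message wording are constructed assumptions; real formats differ between PAM releases.

```python
import re

# Constructed sample syslog lines in the style of pam_unix/gdm entries (assumption:
# the exact wording varies across PAM releases; these are illustrative, not captures).
SAMPLE_LOG = [
    "Jan 12 08:01:13 host gdm(pam_unix)[1234]: check pass; user unknown",
    "Jan 12 08:01:13 host gdm(pam_unix)[1234]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=s3cretPa55",
    "Jan 12 08:01:25 host gdm(pam_unix)[1234]: session opened for user jch by (uid=0)",
    "Jan 12 09:15:02 host sshd(pam_unix)[2222]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=jch",
]

# Matches the user= field of a PAM "authentication failure" line. \buser= does not
# match inside "ruser=" because 'r' and 'u' are both word characters.
FAILURE_RE = re.compile(r"^(?P<head>.*authentication failure;.*\buser=)(?P<user>\S*)(?P<tail>.*)$")

REDACTED = "<redacted-unknown-user>"


def scrub_line(line, known_users):
    """Return (scrubbed_line, was_redacted).

    A failed login naming a user that does not exist on the system is exactly the
    case where the "user name" may really be a password typed into the wrong field,
    so its value is removed; failures for real accounts are kept for the summary.
    """
    m = FAILURE_RE.match(line)
    if not m or not m.group("user") or m.group("user") in known_users:
        return line, False
    return m.group("head") + REDACTED + m.group("tail"), True


def scrub_log(lines, known_users):
    """Scrub every line; returns (scrubbed_lines, number_redacted)."""
    out, count = [], 0
    for line in lines:
        scrubbed, redacted = scrub_line(line, known_users)
        out.append(scrubbed)
        count += redacted
    return out, count


if __name__ == "__main__":
    # On a real host the known accounts would come from pwd.getpwall(); constructed here.
    cleaned, n = scrub_log(SAMPLE_LOG, {"root", "jch"})
    print("\n".join(cleaned))
    print(f"{n} unknown-user failure(s) redacted before this summary is mailed")
```

The redaction only covers the summaries admins mail around; the cleartext value is still in the original log file, which is why the per-module fix discussed in the thread is the real cure.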
This becomes a per-module fix that touches not only PAM but other packages which provide modules for its use. We'll revisit this later on.