Note: This is an archival copy of Security Sun Alert 201568 as previously published on http://sunsolve.sun.com. The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001174.1.
Category: Security
Release Phase: Resolved
Product: Solaris 9 Operating System
Bug Id: 5004688
Date of Resolved Release: 17-JUN-2004

Impact

This issue can occur on a Solaris 9 system that is configured as a Kerberos client, has patch 112908-12 (SPARC) or 115168-03 (x86) installed, and runs any service that uses pam_krb5 as an "auth" module. With the debug feature of pam_krb5 enabled, the password supplied during authentication is logged in clear text at LOG_DEBUG level, so anyone who can read the log destination (or any loghost the messages are forwarded to) learns the user's password. Passwords logged while a system was in this state should be treated as compromised and changed once a workaround or the fix is applied.

Patches 112908-12 and 115168-03 have been WITHDRAWN and are no longer available on SunSolve.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  Solaris 9 with patch 112908-12

x86 Platform
  Solaris 9 with patch 115168-03
Note: Solaris 7 and 8 are not affected by this issue.

This issue will only occur if ALL of the following are true:

A) The system is configured as a Kerberos client, which can be determined by either of the following outputs from klist(1):

    $ /usr/bin/klist
    klist: No credentials cache file found while setting cache flags (ticket cache /tmp/krb5cc_xxxx)

    $ /usr/bin/klist
    Ticket cache: /tmp/krb5cc_xxxx
    Default principal: jon.doe@FOO.BAR
    ...

   Note: In the output "Ticket cache: /tmp/krb5cc_xxxx", xxxx is the uid of the user running klist(1).

B) A service is using pam_krb5 as an "auth" module and the debug feature of pam_krb5 is enabled, which can be determined by any matching lines returned from the following command:

    $ egrep -e '[\t ]*[^#].*pam_krb5.*debug' /etc/pam.conf

   Note: The pattern is not anchored to the start of the line, so it also reports commented-out entries that mention pam_krb5 and debug; disregard matches that begin with "#".

C) Logging of LOG_DEBUG level messages is enabled, which can be determined by any matching lines returned from the following command:

    $ egrep -e '\*.debug|daemon.debug' /etc/syslog.conf

   Note: The message is logged with the syslog facility of the calling service (user.debug for dtlogin in the Symptoms example below), so a selector such as "user.debug" captures it as well; check for the facilities used by the services that load pam_krb5.

Symptoms

Messages are logged at LOG_DEBUG level in the following format:

    Feb 21 14:56:11 raptor dtlogin[14263]: [ID 151277 user.debug] PAM-KRB5(auth): user ams8, pass xxxxx

Workaround

To work around the described issue, do one of the following:

A) Back out patch 112908-12 (SPARC platform) or 115168-03 (x86 platform)

OR

B) Disable the debug feature of pam_krb5. Search for any matching lines using the following command, and remove the "debug" entry from that line in the "/etc/pam.conf" (see pam.conf(4)) file:

    $ egrep -e '[\t ]*[^#].*pam_krb5.*debug' /etc/pam.conf

OR

C) Disable logging of LOG_DEBUG level messages, which can be achieved by the following steps:

   1. Remove or comment out entries in the "/etc/syslog.conf" (see syslog.conf(4)) file that match output from the following command:

        $ egrep -e '\*.debug|daemon.debug' /etc/syslog.conf

   2. Send a SIGHUP to syslogd (as root) so that it re-reads its configuration:

        # pkill -HUP syslogd

Note: Workarounds B and C only stop further logging. Passwords already written to the log files, and to any remote loghost they were forwarded to, remain readable there until those entries are removed.

Resolution

This issue is addressed in the following releases:

SPARC Platform
  Solaris 9 with patch 112908-16 or later

x86 Platform

Note: Although this issue is shown to be resolved in patch release 112908-13 (see patch README), that patch revision has been obsoleted and is no longer available for download. Please use 112908-16 or later.

Modification History

Date: 04-OCT-2004
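To assess exposure on a system that meets the conditions above, the following POSIX shell script (an added example, not part of the Sun Alert) applies the pam.conf and syslog.conf checks with comment lines excluded, and scans a syslog file for PAM-KRB5(auth) debug lines in the Symptoms format to list the accounts whose passwords were written to the log, without printing the passwords themselves. The pam.conf, syslog.conf and log lines are constructed samples written under a temporary directory; on a live system point the functions at /etc/pam.conf, /etc/syslog.conf and the log destination instead. It assumes a POSIX grep -E (GNU grep, or /usr/xpg4/bin/grep on Solaris 9) and sed.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): check whether pam_krb5 debug output
# reaches syslog, and list accounts whose passwords already appear in a log.
# Sample pam.conf, syslog.conf and log lines are constructed below so the
# script runs offline; point the functions at the real files on a live system.

# Non-comment pam.conf entries that load pam_krb5 with the debug option.
# Comment lines are dropped first so that "# ... pam_krb5 ... debug" entries
# (which the alert's unanchored pattern also matches) are not reported.
pam_krb5_debug_lines() {
    grep -Ev '^[[:blank:]]*#' "$1" | grep -E 'pam_krb5.*debug'
}

# Non-comment syslog.conf selectors that capture LOG_DEBUG messages from the
# wildcard, daemon or user facilities (dtlogin logs at user.debug).
syslog_debug_lines() {
    grep -Ev '^[[:blank:]]*#' "$1" | grep -E '(\*|daemon|user)\.debug'
}

# Exit status 0 when both conditions B and C of the alert hold.
debug_logging_active() {
    pam_krb5_debug_lines "$1" >/dev/null && syslog_debug_lines "$2" >/dev/null
}

# Accounts whose password was written to the given log file, one per line.
# Only the user field is extracted; the password field is never printed.
leaked_users() {
    sed -n 's/.*PAM-KRB5(auth): user \([^,]*\), pass .*/\1/p' "$1" | sort -u
}

# --- constructed sample files (hypothetical paths under $TMP) -------------
TMP="${TMPDIR:-/tmp}/pam_krb5_check.$$"
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

cat >"$TMP/pam.conf" <<'EOF'
# dtlogin auth required  pam_krb5.so.1 debug
dtlogin   auth required   pam_krb5.so.1 debug
login     auth sufficient pam_krb5.so.1
EOF

cat >"$TMP/syslog.conf" <<'EOF'
*.err;kern.notice;auth.notice   /dev/sysmsg
# *.debug                       /var/adm/debug
user.debug                      /var/adm/messages
EOF

cat >"$TMP/messages" <<'EOF'
Feb 21 14:56:11 raptor dtlogin[14263]: [ID 151277 user.debug] PAM-KRB5(auth): user ams8, pass xxxxx
Feb 21 14:57:02 raptor dtlogin[14270]: [ID 151277 user.debug] PAM-KRB5(auth): user jdoe, pass yyyyy
Feb 21 14:58:30 raptor sshd[14301]: Accepted publickey for ams8 from 192.0.2.10
Feb 21 14:59:00 raptor dtlogin[14275]: [ID 151277 user.debug] PAM-KRB5(auth): user ams8, pass xxxxx
EOF

# --- report ---------------------------------------------------------------
if debug_logging_active "$TMP/pam.conf" "$TMP/syslog.conf"; then
    echo "pam_krb5 debug output is being written to syslog:"
    pam_krb5_debug_lines "$TMP/pam.conf"
    syslog_debug_lines "$TMP/syslog.conf"
fi
echo "accounts whose passwords appear in the log (rotate these):"
leaked_users "$TMP/messages"
```

The three checks are deliberately separate functions so that the pam.conf and syslog.conf tests can be run against the live files while the log scan is run against archived copies and any remote loghost, which is where leaked passwords are most likely to outlive the workaround.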
Attachments

This solution has no attachment.