Note: This is an archival copy of Security Sun Alert 201568 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001174.1.
Article ID : 1001174.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-04-18
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris 9 Patches 112908-12 and 115168-03 WITHDRAWN, May Cause Passwords to be Logged as Clear Text on Kerberos Clients



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
5004688

Date of Resolved Release
17-JUN-2004

Impact

This issue can occur on a Solaris system configured as a Kerberos client with patch 112908-12 or 115168-03 installed and any service using pam_krb5 as an "auth" module. With the debug feature of pam_krb5 enabled, the user's password is logged in clear text at LOG_DEBUG level during password authentication.

Patches 112908-12 and 115168-03 have been WITHDRAWN and are no longer available on SunSolve.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 with patch 112908-12 and without patch 112908-13

x86 Platform

  • Solaris 9 with patch 115168-03 and without patch 115168-04

Note: Solaris 7 and 8 are not affected by this issue.

This issue will only occur if ALL of the following are true:

A) The system is configured as a Kerberos client, which is indicated by either of the following outputs from the klist(1) command:

    $ /usr/bin/klist
    klist: No credentials cache file found while setting cache flags
    (ticket cache /tmp/krb5cc_xxxx)

    $ /usr/bin/klist
    Ticket cache: /tmp/krb5cc_xxxx
    Default principal: jon.doe@FOO.BAR
    ...

Note: In the output "Ticket cache: /tmp/krb5cc_xxxx", xxxx is the uid of the user running klist(1).

B) A service is using pam_krb5 as an "auth" module and the debug feature of pam_krb5 is enabled, which can be determined by any matching lines returned from the following command:

    $ egrep -e '[\\t ]*[^#].*pam_krb5.*debug' /etc/pam.conf 

C) Logging of LOG_DEBUG level messages is enabled, which can be determined by any matching lines returned from the following command:

    $ egrep -e '\*.debug|daemon.debug' /etc/syslog.conf

Symptoms

Messages are logged at LOG_DEBUG level in the following format:

    Feb 21 14:56:11 raptor dtlogin[14263]: [ID 151277 user.debug] PAM-KRB5(auth): user ams8, pass xxxxx
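
The shell functions below are an added example, not part of the original Sun Alert. They apply checks B and C to active (uncommented) lines only, restrict B to "auth" entries, and list the users named in leaked log lines without printing the password. The file contents are constructed samples, and a POSIX awk is assumed (nawk or /usr/xpg4/bin/awk on Solaris).

```shell
# Condition B: services whose active "auth" entry loads pam_krb5 with "debug".
krb5_debug_services() {
    awk '$1 ~ /^#/ || NF < 4 { next }
         $2 == "auth" && $4 ~ /pam_krb5/ {
             for (i = 5; i <= NF; i++) {
                 if ($i ~ /^#/) break                  # stop at a trailing comment
                 if ($i == "debug") { print $1; break }
             }
         }' "$1" | sort -u
}

# Condition C: an active *.debug or daemon.debug selector (the two the advisory greps for).
debug_logging_enabled() {
    awk '$1 ~ /^#/ || NF < 2 { next }
         { n = split($1, sel, ";")
           for (i = 1; i <= n; i++)
               if (sel[i] ~ /(^|,)(\*|daemon)\.debug$/) found = 1 }
         END { exit !found }' "$1"
}

# Symptom: users named in leaked lines; the password field is never printed.
exposed_users() {
    sed -n 's/.*PAM-KRB5(auth): user \([^,]*\), pass .*/\1/p' "$1" | sort -u
}

# Constructed sample files (not taken from a real system).
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/pam.conf" <<'EOF'
# dtlogin auth optional pam_krb5.so.1 debug
login   auth sufficient pam_krb5.so.1 debug try_first_pass
rlogin  auth sufficient pam_krb5.so.1 try_first_pass
other   account optional pam_krb5.so.1 debug
EOF
printf '#*.debug\t/var/adm/debug\nmail.crit;daemon.debug\t/var/adm/messages\n' > "$d/syslog.conf"
cat > "$d/messages" <<'EOF'
Feb 21 14:56:11 hostA dtlogin[101]: [ID 151277 user.debug] PAM-KRB5(auth): user alice, pass xxxxx
Feb 21 14:57:02 hostA login[102]: [ID 151277 user.debug] PAM-KRB5(auth): user alice, pass xxxxx
Feb 21 14:58:40 hostA sshd[103]: [ID 800047 auth.info] Accepted password for bob
EOF

echo "pam_krb5 debug set on auth for: $(krb5_debug_services "$d/pam.conf")"
debug_logging_enabled "$d/syslog.conf" && echo "LOG_DEBUG messages are being written"
echo "users with a logged password: $(exposed_users "$d/messages")"
```

Against the sample pam.conf, the advisory's egrep also matches the commented dtlogin line and the "account" entry, while the function reports only "login".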

Workaround

To work around the described issue, do one of the following:

A) Back out patch 112908-12 (SPARC platform) or 115168-03 (x86 platform)

OR

B) Disable the debug feature of pam_krb5. Search for any matching lines using the following command, and remove the "debug" entry from that line in the "/etc/pam.conf" (see pam.conf(4)) file:

    $ egrep -e '[\\t ]*[^#].*pam_krb5.*debug' /etc/pam.conf

OR

C) Disable logging of LOG_DEBUG level messages, which can be achieved by the following steps:

1. Remove or comment out entries in the "/etc/syslog.conf" (see syslog.conf(4)) file that match output from the following command:

    $ egrep -e '\*.debug|daemon.debug' /etc/syslog.conf

2. Send a SIGHUP to syslogd:

    $ pkill -HUP syslog

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 112908-16 or later

x86 Platform

  • Solaris 9 with patch 115168-04 or later

Note: Although this issue is shown to be resolved in patch release 112908-13 (see patch README), that patch revision has been obsoleted and is no longer available for download. Please use 112908-16 or later.



Modification History
Date: 04-OCT-2004
  • Note added to Resolution section for patch 112908-16