Does KRB5_TRACE logging ever print sensitive info? (like passwords)

Does KRB5_TRACE logging ever print sensitive info? (like passwords)

pratyush parimal
Hi all,

I was wondering whether, in order to debug Kerberos issues on a production
machine, it would be a good idea to enable trace logging via KRB5_TRACE
for a small amount of time?

I have experimented with kerberos trace logging in a test environment with
commands like kinit, kadmin, and other programmatic calls to GSSAPI and
never came across passwords or anything sensitive printed in the trace log.
It mainly showed me what TGT requests were being made and who was the
library sending requests to (which is mainly what I wanted to know for
debugging purposes). But I wanted to know if it could potentially print
something sensitive that could lead to an account compromise or something
comparable.

Thanks,
Pratyush
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Does KRB5_TRACE logging ever print sensitive info? (like passwords)

Greg Hudson
On 06/21/2017 11:03 PM, pratyush parimal wrote:
> I have experimented with kerberos trace logging in a test environment with
> commands like kinit, kadmin, and other programmatic calls to GSSAPI and
> never came across passwords or anything sensitive printed in the trace log.
> It mainly showed me what TGT requests were being made and who was the
> library sending requests to (which is mainly what I wanted to know for
> debugging purposes). But I wanted to know if it could potentially print
> something sensitive that could lead to an account compromise or something
> comparable.

I don't believe we ever print passwords or full keys.  We sometimes
print a small (four bytes of hex) SHA-1 hash of a key that someone could
match against the trace output of a different process.

The material in a trace log might be considered sensitive by some
definitions (filenames, principal names, etc.), but to the best of my
knowledge it shouldn't lead directly to account compromise.
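Since the answer above names principal names, file names and short key hashes as the material a trace log exposes, the practical check before handing such a log to a third party is a redaction pass over exactly those classes. The following is an added example, not code from this thread or from MIT krb5: the sample lines are constructed to approximate the trace line format, and the regular expressions are assumptions about how these values appear in trace output rather than anything derived from the krb5 source.

```python
import re

# Constructed sample lines (fictional pid, timestamps, names and key hashes)
# approximating the real "[pid] secs.usecs: message" KRB5_TRACE format.
SAMPLE_TRACE = """\
[4242] 1498100000.100001: Getting initial credentials for alice@EXAMPLE.COM
[4242] 1498100000.100002: Resolving hostname kdc1.example.com
[4242] 1498100000.100003: Received answer (371 bytes) from stream 192.0.2.10:88
[4242] 1498100000.100004: AS key obtained from gak_fct: aes256-cts/8C2B
[4242] 1498100000.100005: Decrypted AS reply; session key is: aes256-cts/F3E1
[4242] 1498100000.100006: Initializing FILE:/tmp/krb5cc_1000 with default princ alice@EXAMPLE.COM
[4242] 1498100000.100007: Storing alice@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM in FILE:/tmp/krb5cc_1000
[4242] 1498100000.100008: Retrieving host/web.example.com@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 3, enctype aes256-cts) with result: 0/Success
"""

# Ordered (pattern, replacement) rules.  Principals are handled first so their
# instance/realm parts are not later mistaken for hostnames; the key rule keeps
# the enctype and removes only the short hash the trace prints after "/".
RULES = [
    (re.compile(r"[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?@[A-Za-z0-9.-]+"), "<principal>"),
    (re.compile(r"\b(?:FILE|WRFILE|DIR|KEYRING|MEMORY|KCM):\S+"), "<ccache/keytab>"),
    (re.compile(r"\b([a-z0-9-]+)/([0-9A-F]{4})\b"), r"\1/<keyhash>"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"), "<host>"),
]


def redact_line(line: str) -> str:
    for pattern, replacement in RULES:
        line = pattern.sub(replacement, line)
    return line


def redact_trace(text: str) -> str:
    """Redact a whole KRB5_TRACE capture; pid and timestamp columns are kept."""
    return "\n".join(redact_line(line) for line in text.splitlines())


def leaked(original: str, redacted: str) -> list:
    """Values matched by any rule in the original that still appear verbatim
    in the redacted text.  Non-empty means a rule-ordering or pattern bug."""
    survivors = []
    for pattern, _ in RULES:
        for match in pattern.finditer(original):
            value = match.group(0)
            if value in redacted and value not in survivors:
                survivors.append(value)
    return survivors
```

Run `redact_trace` over a captured log and confirm `leaked` returns an empty list before the log leaves the machine; the enctype names and timing columns survive, which is usually all a remote helper needs.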