On 06/21/2017 11:03 PM, pratyush parimal wrote:
> I have experimented with kerberos trace logging in a test environment with
> commands like kinit, kadmin, and other programmatic calls to GSSAPI and
> never came across passwords or anything sensitive printed in the trace log.
> It mainly showed me what TGT requests were being made and who was the
> library sending requests to (which is mainly what I wanted to know for
> debugging purposes). But I wanted to know if it could potentially print
> something sensitive that could lead to an account compromise or something
> comparable.

I don't believe we ever print passwords or full keys. We sometimes print a small (four bytes of hex) SHA-1 hash of a key that someone could match against the trace output of a different process. The material in a trace log might be considered sensitive by some definitions (filenames, principal names, etc.), but to the best of my knowledge it shouldn't lead directly to account compromise.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
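
The reply above names principal names, filenames and short key-hash fragments as the potentially sensitive parts of a trace log. As an added example (not part of the thread and not MIT krb5 code), this Python script pseudonymises those values before a trace log is shared; the line layout, the regular expressions and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample lines in the general shape of KRB5_TRACE output
# (assumed layout: "[pid] timestamp: message"); not taken from the thread.
SAMPLE = """\
[4242] 1498100000.000001: Getting initial credentials for alice@EXAMPLE.COM
[4242] 1498100000.000002: Sending request (180 bytes) to EXAMPLE.COM
[4242] 1498100000.000003: AS key obtained for encrypted timestamp: aes256-cts/1A2B
[4242] 1498100000.000004: Storing alice@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM in FILE:/tmp/krb5cc_1000
"""

# Order matters: principals first, so "krbtgt/REALM@REALM" is not read as a path.
# Each pattern is an assumption about what a site treats as sensitive.
RULES = [
    # user@REALM or service/host@REALM
    ("PRINC", re.compile(r"[\w.$-]+(?:/[\w.$-]+)*@[A-Za-z0-9.-]+")),
    # short hex key-hash fragment following an enctype name, e.g. "aes256-cts/1A2B"
    ("KEYHASH", re.compile(r"(?<=[a-z0-9]/)[0-9A-F]{4,8}\b")),
    # absolute path, optionally with a cache/keytab type prefix such as "FILE:"
    ("PATH", re.compile(r"(?<![\w/])(?:[A-Z]+:)?/[\w./-]+")),
]


def redact(text):
    """Replace sensitive values with stable placeholders.

    The same value always maps to the same placeholder within one call, so
    the log can still be followed while debugging. Returns (text, mapping).
    """
    mapping = {}
    for label, pattern in RULES:
        def swap(match, label=label):
            key = (label, match.group(0))
            if key not in mapping:
                count = sum(1 for k in mapping if k[0] == label) + 1
                mapping[key] = f"<{label}-{count}>"
            return mapping[key]
        text = pattern.sub(swap, text)
    return text, mapping


if __name__ == "__main__":
    redacted, table = redact(SAMPLE)
    print(redacted)
```

Bare realm names (as in the "Sending request" line) are left in place; keep the returned mapping private, since it reverses the pseudonyms.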