Software Engineering Institute

Sun Microsystems released patches 112908-12 and 115168-03 to address issues in kerberos. There is a vulnerability in these patches that may result in user passwords being logged in clear text.

According to the Sun Security Alert:

This issue can occur on a Solaris system configured as a kerberos client with patch 112908-12 or 115168-03 installed and any service using pam_krb5 as an "auth" module. With the debug feature of pam_krb5 enabled, password authentication for the user will be logged in clear text at LOG_DEBUG level.

A local user with access to the log files could obtain another user's password.

Apply a patch
Sun has issued an advisory which addresses this issue. For more information on patches available for your system, please refer to Sun Security Alert: 57587.

Remove previous patch

Back out patch 112908-12 (SPARC platform) or 115168-03 (x86 platform).

Disable debug feature of pam_krb5

Search for any matching lines using the following command, and remove the "debug" entry from that line in the "/etc/pam.conf" (see pam.conf(4)) file:

$ egrep -e '[\\t ]*[^#].*pam_krb5.*debug' /etc/pam.conf

1. Remove or comment out entries in the "etc/syslog.conf" (see syslog.conf(4)) file that match output from the following command:


$ egrep -e '\*.debug|daemon.debug' /etc/syslog.conf

2. Send a SIGHUP to syslogd:


$ pkill -HUP syslog