pam: don't leak TACACS+ secret to journald

If journald for syslog is used, the journal is going to store everything, even DEBUG loglevel messages. Pre-journald logging of system-wide DEBUG loglevel could be avoided and is not affected in all cases. With journald presence it's probably safe to no longer log sensitive details at DEBUG level. Fix #149 Signed-off-by: Daniel Gollub <dgollub@att.com>
kravietz · Jun 2, 2020 · 4a9852c · 4a9852c
1 parent e1f842c
commit 4a9852c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/support.c b/support.c
@@ -374,8 +374,8 @@ int _pam_parse(int argc, const char **argv) {
         _pam_log(LOG_DEBUG, "%d servers defined", tac_srv_no);
 
         for (n = 0; n < tac_srv_no; n++) {
-            _pam_log(LOG_DEBUG, "server[%lu] { addr=%s, key='%s' }", n, tac_ntop(tac_srv[n].addr->ai_addr),
-                     tac_srv[n].key);
+            _pam_log(LOG_DEBUG, "server[%lu] { addr=%s, key='********' }", n,
+			    tac_ntop(tac_srv[n].addr->ai_addr));
         }
 
         _pam_log(LOG_DEBUG, "tac_service='%s'", tac_service);