This repository was archived by the owner on Feb 28, 2024. It is now read-only.

Commit 4a9852c

pam: don't leak TACACS+ secret to journald
If journald for syslog is used, the journal is going to store everything, even DEBUG loglevel messages. Pre-journald logging of system-wide DEBUG loglevel could be avoided and is not affected in all cases. With journald presence it's probably safe to no longer log sensitive details at DEBUG level.

Fix #149

Signed-off-by: Daniel Gollub <dgollub@att.com>
1 parent e1f842c commit 4a9852c

1 file changed: +2 -2 lines changed


Diff for: support.c

@@ -374,8 +374,8 @@ int _pam_parse(int argc, const char **argv) {
374374
_pam_log(LOG_DEBUG, "%d servers defined", tac_srv_no);
375375

376376
for (n = 0; n < tac_srv_no; n++) {
377-
_pam_log(LOG_DEBUG, "server[%lu] { addr=%s, key='%s' }", n, tac_ntop(tac_srv[n].addr->ai_addr),
378-
tac_srv[n].key);
377+
_pam_log(LOG_DEBUG, "server[%lu] { addr=%s, key='********' }", n,
378+
tac_ntop(tac_srv[n].addr->ai_addr));
379379
}
380380

381381
_pam_log(LOG_DEBUG, "tac_service='%s'", tac_service);
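
Review bot: The added `_pam_log(LOG_DEBUG, "server[%lu] { addr=%s, key='********' }", ...)` line prints the same mask for every server, so the debug output can no longer tell a server with a configured key from one where `tac_srv[n].key` is empty or unset, which is the one key-related fact still useful when debugging a server entry. Consider logging presence only, for example `key=<set>` or `key=<unset>` chosen from a NULL/empty check on `tac_srv[n].key`, keeping the output independent of the secret's length as the fixed mask already is. Since the commit message argues that journald retains DEBUG messages, any other `_pam_log` call that formats `tac_srv[n].key` should get the same masking in this change.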
