[security-dev 00360]: JGSS/krb5: Too strict Krb5LoginModule options validation
Weijun Wang
Weijun.Wang at Sun.COM
Wed Oct 22 03:08:23 UTC 2008
Hi All
Currently we have this check inside Krb5LoginModule:

    private void validateConfiguration() throws LoginException {
        if (doNotPrompt && !useTicketCache && !useKeyTab)
            throw new LoginException
                ("Configuration Error"
                 + " - either doNotPrompt should be "
                 + " false or useTicketCache/useKeyTab "
                 + " should be true");
        .....

However, if the user has also provided tryFirstPass=true or
useFirstPass=true, it's possible to get the password from a shared
state. The restriction in the check is not necessary then. It can be
changed to:

        if (doNotPrompt && !useTicketCache && !useKeyTab &&
                !tryFirstPass && !useFirstPass)
            throw new LoginException
                ("Configuration Error"
                 + " - either doNotPrompt should be "
                 + " false or at least one of useTicketCache, "
                 + " useKeyTab, tryFirstPass and useFirstPass"
                 + " should be true");

I'll file a bug and fix it if you find it OK.
Thanks
Max
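
The stacked-module setup the message refers to, as an added example that is not part of the original post or of the JDK: a first login module places a name and password in the JAAS shared state, and Krb5LoginModule is configured with doNotPrompt=true and useFirstPass=true so that it reads them from there. SeedModule, the principal name and the password are constructed for illustration; the two shared-state keys are the standard JAAS ones.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SharedStateDemo {
    // Hypothetical first module: seeds the shared state with constructed credentials.
    public static class SeedModule implements LoginModule {
        private Map<String, Object> shared;
        @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            shared = (Map<String, Object>) sharedState;
        }
        public boolean login() {
            shared.put("javax.security.auth.login.name", "alice@EXAMPLE.COM");
            shared.put("javax.security.auth.login.password", "constructed-pw".toCharArray());
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    public static void main(String[] args) {
        Map<String, String> krbOpts = new HashMap<>();
        krbOpts.put("doNotPrompt", "true");   // never ask a CallbackHandler
        krbOpts.put("useFirstPass", "true");  // take name/password from the shared state
        final AppConfigurationEntry[] stack = {
            new AppConfigurationEntry(SeedModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                new HashMap<String, Object>()),
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, krbOpts)
        };
        Configuration conf = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; }
        };
        try {
            new LoginContext("demo", new Subject(), null, conf).login();
            System.out.println("login succeeded");
        } catch (LoginException e) {
            // A message starting "Configuration Error" means the options check rejected
            // this stack; any other failure means the Kerberos exchange was attempted.
            System.out.println(e);
        }
    }
}
```

Without a reachable KDC the login still fails, but the exception text shows whether the failure came from the options check or from the authentication attempt.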