[security-dev 00360]: JGSS/krb5: Too strict Krb5LoginModule options validation

Weijun Wang Weijun.Wang at Sun.COM
Tue Oct 21 20:08:23 PDT 2008


Hi All

Currently we have this check inside Krb5LoginModule:

    private void validateConfiguration() throws LoginException {
        if (doNotPrompt && !useTicketCache && !useKeyTab)
            throw new LoginException
                ("Configuration Error"
                 + " - either doNotPrompt should be "
                 + " false or useTicketCache/useKeyTab "
                 + " should be true");
        .....

However, if the user has also provided tryFirstPass=true or
useFirstPass=true, it's possible to get the password from a shared
state. The restriction in the check is not necessary then. It can be
changed to:

        if (doNotPrompt && !useTicketCache && !useKeyTab &&
                !tryFirstPass && !useFirstPass)
            throw new LoginException
                ("Configuration Error"
                 + " - either doNotPrompt should be "
                 + " false or at least one of useTicketCache, "
                 + " useKeyTab, tryFirstPass and useFirstPass"
                 + " should be true");

I'll file a bug and fix it if you find it OK.

Thanks
Max
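As an added illustration (not code from this mail or from the JDK), the following stand-alone Java model applies both the current and the proposed check to an option map of the kind a JAAS configuration entry produces, reading each flag as a case-insensitive "true" string the way Krb5LoginModule does. The class name `Krb5OptionCheck`, the helper `flag`, and the sample entries are constructed for this example; the `doNotPrompt=true useFirstPass=true` entry, which relies on a preceding login module having stored the password in the shared state, is rejected by the current check and accepted by the proposed one.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;

// Hypothetical stand-alone model of the Krb5LoginModule option validation
// (not the JDK's code). A flag is set when its option value is the string "true".
public class Krb5OptionCheck {

    static boolean flag(Map<String, ?> options, String name) {
        return "true".equalsIgnoreCase((String) options.get(name));
    }

    // Current check: doNotPrompt is only allowed with a ticket cache or keytab.
    static void validateCurrent(Map<String, ?> o) throws LoginException {
        if (flag(o, "doNotPrompt") && !flag(o, "useTicketCache") && !flag(o, "useKeyTab"))
            throw new LoginException("Configuration Error - either doNotPrompt should be"
                    + " false or useTicketCache/useKeyTab should be true");
    }

    // Proposed check: a password taken from the shared state (tryFirstPass/useFirstPass)
    // is also a valid non-interactive credential source.
    static void validateProposed(Map<String, ?> o) throws LoginException {
        if (flag(o, "doNotPrompt") && !flag(o, "useTicketCache") && !flag(o, "useKeyTab")
                && !flag(o, "tryFirstPass") && !flag(o, "useFirstPass"))
            throw new LoginException("Configuration Error - either doNotPrompt should be"
                    + " false or at least one of useTicketCache, useKeyTab,"
                    + " tryFirstPass and useFirstPass should be true");
    }

    static String outcome(String label, Map<String, ?> o) {
        String cur, prop;
        try { validateCurrent(o);  cur  = "accepted"; } catch (LoginException e) { cur  = "rejected"; }
        try { validateProposed(o); prop = "accepted"; } catch (LoginException e) { prop = "rejected"; }
        return label + ": current=" + cur + ", proposed=" + prop;
    }

    public static void main(String[] args) {
        // Constructed entry, equivalent to the JAAS line
        //   com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useFirstPass=true;
        // stacked after a module that put javax.security.auth.login.password into the shared state.
        Map<String, String> fromSharedState = new HashMap<>();
        fromSharedState.put("doNotPrompt", "true");
        fromSharedState.put("useFirstPass", "true");
        System.out.println(outcome("doNotPrompt + useFirstPass", fromSharedState));

        // Constructed entry with no credential source at all: both checks must reject it.
        Map<String, String> nothingToUse = new HashMap<>();
        nothingToUse.put("doNotPrompt", "true");
        System.out.println(outcome("doNotPrompt alone", nothingToUse));
    }
}
```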


