[security-dev 00376]: Re: JGSS/krb5: Too strict Krb5LoginModule options validation

Valerie Peng Yu-Ching.Peng at Sun.COM
Mon Oct 27 17:15:28 PDT 2008


You have "useTicketPass" instead of "useFirstPass" in the sample code.
I noticed that IBM has an additional description in their javadoc on this, i.e.

===========
 4) The keytab and ccache options take precedence over tryFirstPass.
    If a keytab or ccache option is set in addition to tryFirstPass,
    the keytab or ccache is used and the principal saved in the shared state
    if login is successful. There will be no prompting for password if
    the login fails.
 5) The keytab and ccache options are incompatible with the
    useFirstPass option; specifying useFirstPass in conjunction with
    either a keytab or ccache option will cause an exception to be thrown.
===========

Is this how our impl behaves if either useFirstPass or tryFirstPass is specified along with ccache or keytab?
I think we need to think through all the different combinations of options and document the behavior with this change.
Thanks,
Valerie


On 10/21/08 20:08, Weijun Wang wrote:
> Hi All
>
> Currently we have this check inside Krb5LoginModule:
>
>     private void validateConfiguration() throws LoginException {
>         if (doNotPrompt && !useTicketCache && !useKeyTab)
>             throw new LoginException
>                 ("Configuration Error"
>                  + " - either doNotPrompt should be "
>                  + " false or useTicketCache/useKeyTab "
>                  + " should be true");
>         .....
>
> However, if the user has also provided tryFirstPass=true or
> useFirstPass=true, it's possible to get the password from a shared
> state. The restriction in the check is not necessary then. It can be
> changed to:
>
>         if (doNotPrompt && !useTicketCache && !useKeyTab &&
>                 !tryFirstPass && !useTicketPass)
>             throw new LoginException
>                 ("Configuration Error"
>                  + " - either doNotPrompt should be "
>                  + " false or at least one of useTicketCache, "
>                  + " useKeyTab, tryFirstPass and useTicketPass"
>                  + " should be true");
>
> I'll file a bug and fix it if you find it OK.
>
> Thanks
> Max
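The following standalone Java program is an added example, not code from this thread or from OpenJDK. It models the two versions of the check quoted above (the current one and the relaxed one, with the option spelled useFirstPass rather than the useTicketPass typo noted in the reply), reads the options the way a JAAS LoginModule receives them (a Map whose values are the strings "true"/"false"), and enumerates all 32 combinations of the five flags to list the ones the relaxed check accepts but the current check rejects. The class and method names are assumptions of this example; only the option names and the validation logic come from the quoted message.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.LoginException;

/**
 * Added example (not OpenJDK code): models the Krb5LoginModule option check
 * discussed in the thread and enumerates every combination of the five
 * boolean options so the effect of relaxing the check can be reviewed.
 */
public class Krb5OptionCheck {

    /** The five JAAS options the quoted checks look at. */
    static final String[] OPTIONS = {
        "doNotPrompt", "useTicketCache", "useKeyTab", "tryFirstPass", "useFirstPass"
    };

    /**
     * Read a flag the way Krb5LoginModule reads its options: the map values
     * are strings, "true" (case-insensitive) enables the flag, absent means false.
     */
    static boolean flag(Map<String, ?> options, String name) {
        return "true".equalsIgnoreCase((String) options.get(name));
    }

    /** The check as it exists today (first snippet in the quoted message). */
    static void validateOriginal(Map<String, ?> o) throws LoginException {
        if (flag(o, "doNotPrompt") && !flag(o, "useTicketCache") && !flag(o, "useKeyTab")) {
            throw new LoginException("Configuration Error - either doNotPrompt should be"
                    + " false or useTicketCache/useKeyTab should be true");
        }
    }

    /** The relaxed check proposed in the thread, with useFirstPass spelled correctly. */
    static void validateRelaxed(Map<String, ?> o) throws LoginException {
        if (flag(o, "doNotPrompt") && !flag(o, "useTicketCache") && !flag(o, "useKeyTab")
                && !flag(o, "tryFirstPass") && !flag(o, "useFirstPass")) {
            throw new LoginException("Configuration Error - either doNotPrompt should be"
                    + " false or at least one of useTicketCache, useKeyTab, tryFirstPass"
                    + " and useFirstPass should be true");
        }
    }

    /** True when the chosen check lets the configuration through. */
    static boolean accepts(Map<String, ?> o, boolean relaxed) {
        try {
            if (relaxed) {
                validateRelaxed(o);
            } else {
                validateOriginal(o);
            }
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    /** Build the option map for combination number bits (bit i drives OPTIONS[i]). */
    static Map<String, String> combination(int bits) {
        Map<String, String> o = new HashMap<>();
        for (int i = 0; i < OPTIONS.length; i++) {
            o.put(OPTIONS[i], ((bits >> i) & 1) == 1 ? "true" : "false");
        }
        return o;
    }

    /** Every combination the relaxed check accepts but the original rejects. */
    static List<Map<String, String>> newlyAccepted() {
        List<Map<String, String>> result = new ArrayList<>();
        for (int bits = 0; bits < (1 << OPTIONS.length); bits++) {
            Map<String, String> o = combination(bits);
            if (!accepts(o, false) && accepts(o, true)) {
                result.add(o);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        List<Map<String, String>> changed = newlyAccepted();
        System.out.println(changed.size() + " of 32 combinations change from rejected to accepted:");
        for (Map<String, String> o : changed) {
            StringBuilder sb = new StringBuilder();
            for (String name : OPTIONS) {
                sb.append(name).append('=').append(o.get(name)).append(' ');
            }
            System.out.println("  " + sb.toString().trim());
        }
        // Still rejected by both checks: doNotPrompt=true with every other flag false,
        // i.e. no ticket cache, no keytab and no shared-state password to fall back on.
    }
}
```

Run with `javac Krb5OptionCheck.java && java Krb5OptionCheck`. Three combinations change: doNotPrompt=true with useTicketCache=false and useKeyTab=false, and at least one of tryFirstPass or useFirstPass set. The enumeration only answers the validation question; what the module does at login time when a keytab or ccache is combined with useFirstPass or tryFirstPass (the precedence question raised in the reply) is not settled by the thread, and this example does not model it.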