[security-dev 00381]: Re: JGSS/krb5: Too strict Krb5LoginModule options validation

Valerie Peng Yu-Ching.Peng at Sun.COM
Wed Oct 29 17:49:48 PDT 2008


Ok, what you described sounds reasonable.
Just let me know once you have the webrev.
Thanks,
Valerie

On 10/27/08 22:13, Max (Weijun) Wang wrote:
> Hi Valerie
>
> Sun JDK's impl is different (see inline vs IBM). For options in 
> Krb5LoginModule, I think there're 3 rules:
>
> 1. No conflict. e.g. only use ccache but storeKey, obviously there's 
> no key to store here
> 2. Useful. e.g. if useKeyTab=false, then keyTabName is useless so it 
> shouldn't appear
> 3. Not impossible. there should be at least one way to get the credential
>
> Except for these, it seems every combination is OK. The options' 
> meanings are already described quite clearly. We still need to 
> document the preferred order:
>
>    1. ccache
>    2. keytab
>    3. shared state
>    4. prompt
>
> Note that if any step is selected but fails, the next step will be 
> tried. There's only one exception, it #3 fails and useFirstPass=true, 
> #4 will not be tried.
>
> Another thing needs to be mentioned is how to choose the username, the 
> preferences order is:
>
>     1. principal=XXX option
>     2. name in ccache (if chosen)
>     3. the name in shared state
>     4. the name from callback
>
> I'm writing codes to double check them, will add into Krb5LoginModule 
> doc.
>
> Thanks
> Max
>
> On Oct 28, 2008, at 8:15 AM, Valerie Peng wrote:
>
>> You have "useTicketPass" instead of "useFirstPass" in the sample code.
>> I noticed that IBM has additional description in their javadoc on 
>> this, i.e.
>>
>> ===========
>> 4) The keytab and ccache options take precedence over tryFirstPass.
>>   If a keytab or ccache option is set in addition to tryFirstPass,
>>   the keytab or ccache is used and the principal saved in the shared 
>> state
>
> only if storePass is true
>
>>
>>   if login is succesful. There will be no prompting for password if
>>   the login fails.
>
> prompting for password will be executed unless doNotPrompt=true && 
> useFirstPass=true
>
>>
>> 5) The keytab and ccache options are incompatible with the
>>   useFirstPass option; specifying useFirstPass in conjunction with
>>   either a keytab or ccache option will cause an exception to be thrown.
>
> No, they can co-exist, shared state will be used when neither of the 
> other 2 methods succeed.
>
>>
>> ===========
>>
>> Is this how our impl behave if either useFirstPass or tryFirstPass is 
>> specified along with ccache or keytab?
>> I think we need to think through all different combination of options 
>> and document the behavior with this change.
>> Thanks,
>> Valerie
>>
>>
>> On 10/21/08 20:08, Weijun Wang wrote:
>>> Hi All
>>>
>>> Currently we have this check inside Krb5LoginModule:
>>>
>>>    private void validateConfiguration() throws LoginException {
>>>        if (doNotPrompt && !useTicketCache && !useKeyTab)
>>>            throw new LoginException
>>>                ("Configuration Error"
>>>                 + " - either doNotPrompt should be "
>>>                 + " false or useTicketCache/useKeyTab "
>>>                 + " should be true");
>>>        .....
>>>
>>> However, if the user has also provided tryFirstPass=true or
>>> useFirstPass=true, it's possible to get the password from a shared
>>> state. The restriction in the check is not necessary then. It can be
>>> changed to:
>>>
>>>        if (doNotPrompt && !useTicketCache && !useKeyTab &&
>>>                !tryFirstPass && !useTicketPass)
>>>            throw new LoginException
>>>                ("Configuration Error"
>>>                 + " - either doNotPrompt should be "
>>>                 + " false or at least one of useTicketCache, "
>>>                 + " useKeyTab, tryFirstPass and useTicketPass"
>>>                 + " should be true");
>>>
>>> I'll file a bug and fix it if you find it OK.
>>>
>>> Thanks
>>> Max
>>>
>>
>




More information about the security-dev mailing list