[security-dev 01480]: RFC: keytab automatic refresh in Java

Max (Weijun) Wang Weijun.Wang at Sun.COM
Tue Dec 22 04:25:18 UTC 2009


Hi All

I'm planning to support keytab refresh in Java, which means the  
keytab's content is always reloaded right after AP-REQ is received on  
the acceptor side.

One benefit is that when the service is started, the keytab file needn't include the keys for the service, or, it can simply be non-existent. More benefits are key refresh, key revocation, etc, etc.

Currently, when useKeyTab is specified in the JAAS login config file, if keys for the service name cannot be found inside the keytab, JAAS automatically falls back to a username/password prompt, and if they cannot be provided, the login fails. In my plan, when keytab refresh is supported, the keytab will always be used even if it does not exist, because there's a chance that it will contain the proper keys later.

So this introduces a behavior change, and I want to know how big the  
risk is.

Do you know if any customer relies on the current fallback? That is to say, they manually configure useKeyTab=true in the JAAS login config, but (sometimes) do not provide a keytab file with correct keys, and they expect username and password to be prompted for.

The behavior change also means that if there is really something wrong with the keytab config (say, wrong path name), currently an app fails as soon as it starts, but with keytab refresh, it only fails when AP-REQ is received.

How does Solaris deal with keytab changes? Does it accept an empty (or  
non-existent) keytab?

Thanks
Max
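An added illustration, not part of this message or of the JDK code it proposes, of the acceptor-side behaviour described above: service keys are looked up in the keytab file at AP-REQ time rather than cached at login, and a missing file is tolerated at startup and only surfaces when a request arrives. It is written against the javax.security.auth.kerberos.KeyTab API (JDK 7 and later); the class name, file path and service principal are assumptions.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

/**
 * Acceptor-side helper (hypothetical class name): re-reads the keytab on every
 * AP-REQ instead of caching keys at login time, so a keytab that is missing or
 * incomplete at startup, or rotated later, is picked up automatically.
 */
public final class RefreshingKeytab {
    private final File keytabFile;           // assumed path, e.g. /etc/krb5.keytab
    private final KerberosPrincipal service; // assumed, e.g. HTTP/www.example.com@EXAMPLE.COM

    public RefreshingKeytab(String path, String servicePrincipal) {
        this.keytabFile = new File(path);
        this.service = new KerberosPrincipal(servicePrincipal);
    }

    /**
     * Startup check that keeps the "fail early on a wrong path" property the
     * message says is lost: it only warns, so a keytab provisioned later still works.
     */
    public boolean presentAtStartup() {
        boolean present = KeyTab.getInstance(keytabFile).exists();
        if (!present) {
            System.err.println("warning: keytab " + keytabFile + " not found; AP-REQs will fail until it appears");
        }
        return present;
    }

    /**
     * Called once per AP-REQ. kvno is the key version from the ticket; a value
     * below 1 means the ticket carried no kvno and every key for the principal is returned.
     * An empty array (no file, or no key for this principal/kvno) means the AP-REQ is rejected.
     */
    public KerberosKey[] keysForApReq(int kvno) {
        KeyTab kt = KeyTab.getInstance(keytabFile);  // getInstance does no I/O itself
        if (!kt.exists()) {
            return new KerberosKey[0];
        }
        KerberosKey[] all = kt.getKeys(service);     // reads the file fresh on each call
        List<KerberosKey> matching = new ArrayList<>();
        for (KerberosKey k : all) {
            if (kvno < 1 || k.getVersionNumber() == kvno) {
                matching.add(k);
            }
        }
        return matching.toArray(new KerberosKey[0]);
    }
}
```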