[security-dev 01480]: RFC: keytab automatic refresh in Java
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Tue Dec 22 04:25:18 UTC 2009
Hi All
I'm planning to support keytab refresh in Java, which means the
keytab's content is always reloaded right after AP-REQ is received on
the acceptor side.
One benefit is that when the service is started, the keytab file
needn't include the keys for the service, or it can simply be
non-existent. More benefits are key refresh, key revocation, etc, etc.
Currently, when useKeyTab is specified in the JAAS login config file,
if keys for the service name cannot be found inside the keytab, JAAS
automatically falls back to a username/password prompt, and if they
cannot be provided, the login fails. In my plan, when keytab refresh is
supported, the keytab will always be used even if it does not exist,
because there's a chance that it will contain the proper keys later.
So this introduces a behavior change, and I want to know how big the
risk is.
Do you know if any customer relies on the current fallback? That is to
say, they manually configure useKeyTab=true in the JAAS login config,
but (sometimes) do not provide a keytab file with correct keys, and
they expect a username and password to be prompted for.
The behavior change also means that if there is really something wrong
with the keytab config (say, wrong path name), currently an app fails
as soon as it starts, but with keytab refresh, it only fails when the
AP-REQ is received.
How does Solaris deal with keytab changes? Does it accept an empty (or
non-existent) keytab?
Thanks
Max
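As an added illustration of the acceptor-side setup the post discusses (example code, not from the post or the JDK), here is a minimal Kerberos acceptor that logs in through Krb5LoginModule with a keytab and accepts one AP-REQ via JGSS. The JAAS entry in the comment uses the existing Krb5LoginModule option doNotPrompt=true, which already disables the username/password fallback the post asks about, so a missing or wrong keytab fails at startup rather than at the first AP-REQ. The service principal, keytab path and entry name "Acceptor" are constructed assumptions.

```java
// Added example, not from the mailing list post or the JDK.
// Assumed JAAS config entry (constructed values), passed via
// -Djava.security.auth.login.config=<file>:
//
//   Acceptor {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useKeyTab=true
//           keyTab="/etc/krb5.keytab"
//           principal="host/example.test@EXAMPLE.TEST"
//           storeKey=true
//           isInitiator=false
//           doNotPrompt=true;   // fail instead of prompting for a password
//   };

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class KeytabAcceptor {

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("Acceptor");
        try {
            lc.login();  // reads the service key from the keytab now
        } catch (LoginException e) {
            // With doNotPrompt=true a bad keytab path or missing key
            // surfaces here, at startup, instead of at the first AP-REQ.
            System.err.println("keytab login failed: " + e.getMessage());
            System.exit(1);
        }
        Subject service = lc.getSubject();

        // The client's AP-REQ token is read from stdin for this example.
        final byte[] apReq = readAll(System.in);

        String client = Subject.doAs(service,
                (PrivilegedExceptionAction<String>) () -> accept(apReq));
        System.out.println("accepted client " + client);
    }

    // Accepts a single Kerberos AP-REQ and returns the authenticated
    // client principal name. Runs under the service Subject so JGSS can
    // find the stored keytab key.
    static String accept(byte[] token) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");  // Kerberos V5 mech OID
        GSSCredential cred = mgr.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, krb5,
                GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(cred);
        try {
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            if (reply != null) {
                // AP-REP for mutual authentication; send back to the client.
                System.err.println("mutual-auth reply: " + reply.length + " bytes");
            }
            return ctx.getSrcName().toString();
        } finally {
            ctx.dispose();
            cred.dispose();
        }
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) > 0) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }
}
```

With the proposed refresh, the interesting branch moves from the LoginException at startup to the GSSException inside accept(), which is where a wrong keytab path would first be noticed; keeping a clear diagnostic in both places makes the behavior change visible to operators either way.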