[security-dev 01488]: Re: RFC: keytab automatic refresh in Java
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Mon Jan 4 05:47:13 UTC 2010
Hi
Please take a review at the CCC:
http://ccc.sfbay.sun.com/6894072
Thanks
Max
On Dec 22, 2009, at 12:25 PM, Max (Weijun) Wang wrote:
> Hi All
>
> I'm planning to support keytab refresh in Java, which means the
> keytab's content is always reloaded right after AP-REQ is received
> on the acceptor side.
>
> One benefit is that when the service is started, the keytab file
> needn't include the keys for the service, or, it can simply be non-
> existent. More benefits are key refresh, key revocation, etc, etc.
>
> Currently, when useKeyTab is specified in the JAAS login config
> file, if keys for the service name cannot be found inside the
> keytab, JAAS automatically falls back to username/password prompt, and
> if they cannot be provided, the login fails. In my plan, when keytab
> refresh is supported, keytab will always be used even if it does not
> exist, because there's a chance that it will contain the proper keys
> later.
>
> So this introduces a behavior change, and I want to know how big the
> risk is.
>
> Do you know if any customer relies on the current fallback? That is
> to say, they manually config useKeyTab=true in the JAAS login
> config, but (sometimes) do not provide a keytab file with correct
> keys, and they expect username and password will be prompted for.
>
> The behavior change also means that if there is really something
> wrong with the keytab config (say, wrong path name), currently an
> app fails as soon as it starts, but with keytab refresh, it only
> fails when AP-REQ is received.
>
> How does Solaris deal with keytab changes? Does it accept an empty
> (or non-existent) keytab?
>
> Thanks
> Max
>
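For reference, an added illustration (not part of the thread) of the JAAS login configuration the discussion is about: a Krb5LoginModule acceptor entry with useKeyTab=true, where the fallback-to-prompt behaviour applies when the keytab lacks keys for the principal. The principal name and keytab path are placeholders; doNotPrompt is an existing Krb5LoginModule option shown here because it is the setting that turns the silent prompt fallback into an outright login failure, which is how a deployment that never wants an interactive prompt would fail fast today.

```conf
// Acceptor-side entry (placeholder principal and path).
// With useKeyTab=true and no matching keys in the keytab, the current
// Krb5LoginModule falls back to a username/password prompt; with the
// proposed keytab refresh the keytab would be consulted again at AP-REQ time.
ServiceAcceptor {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/etc/krb5/service.keytab"          // placeholder path
        principal="service/host.example.com"      // placeholder principal
        isInitiator=false
        doNotPrompt=true;   // never prompt: a missing key is a login failure,
                            // so a bad keytab path or missing entry is caught
                            // at startup rather than at the first AP-REQ
};
```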