Request for enhancement: Support KRB5_CONFIG

Weijun Wang weijun.wang at oracle.com
Wed Jun 20 21:50:08 PDT 2012


Hi All

Oracle's Java currently looks for the krb5.conf file in this order:

1: If -Djava.security.krb5.conf defined, use it
2: If jre/lib/security/krb5.conf found, use it
3: Looking for the system default krb5.conf
    . /etc/krb5/krb5.conf on Solaris
    . /etc/krb5.conf on Linux
    . $WINDOWS/krb5.ini on Windows
    . edu.mit.Kerberos or krb5.conf on Mac

We know native kerberos supports a KRB5_CONFIG env variable for the same 
purpose. Hereby I suggest adding a check

1.5: If KRB5_CONFIG defined, use it

This will work with native Kerberos installation better. But there is 
one compatibility issue that if you already have this variable set:

Current behavior: Java uses /etc/krb5.conf
Future behavior: Java uses KRB5_CONFIG

I wonder if that will be a problem in a real production environment. 
Suppose you really have a different krb5.conf, you might have already 
use -Djava.security.krb5.conf to override it.

I have more questions:

1. Is the value of this variable always a file path (either absolute or 
relative)? Is it possible to be something like file:/etc/krb5.conf?

2. Should it always be honored? Is it possible that in a server 
environment it should be ignored for security reasons? (If so, I wonder 
how a server is defined).

Any suggestion?

Thanks
Max



More information about the security-dev mailing list