bug fix for native kerberos libraries

Weijun Wang weijun.wang at oracle.com
Mon Oct 22 03:29:57 UTC 2012
On 10/22/2012 11:10 AM, christos at zoulas.com wrote:
> On Oct 22, 10:54am, weijun.wang at oracle.com (Weijun Wang) wrote:
> -- Subject: Re: bug fix for native kerberos libraries
>
> | I see. So it looks like the MS tool is calling JAAS. Is it asking you to
> | prepare a JAAS login file like this?
> |
> |     client {
> |        com.sun.security.auth.module.Krb5LoginModule required
> |        ...;
> |     };
> |
> | You can put a key-value pair ticketCache=ccache_file inside it where
> | ccache_file is the KRB5CCNAME env variable. This would assign the value
> | to ticketCacheName and your patch won't be needed.
>
> The value of the environment variable is not constant, so I will
> have to generate the login file at each program invocation which is
> highly inconvenient. For example when ssh propagates the ticket file
> from one host to another the filename changes (from /tmp/krb5cc_<uid>
> to /tmp/krb5cc_uid_<random>).

I see.

>
> | In fact, whatever credentials you specified here will not be used by the
> | final GSS mech at all (since it's native). So maybe we can just trick
> | the MS tool that a login is there but do nothing. Please try this (jdk7
> | only)
> |
> |     client {
> |        com.sun.security.auth.module.Krb5LoginModule required
> |        principal=nobody@NOWHERE
> |        useKeyTab=true
> |        isInitiator=false;
> |     };
> |
> | If this works, you don't need to call kinit and save a ccache file somewhere.
>
> I think that this is a good idea. I will try it and see if it works. On
> the other hand, it would be nice if the native and the non-native
> implementation behaved the same way. Requiring such a file for one and
> not the other is not the behavior expected by the user.

Well, the java krb5 and native krb5 mechs are so different that the 
latter needs no JAAS at all. So even if you make the config file look 
the same, it's still quite different inside.

> I understand
> that my patch is not clean and that this has been brought up before
> (Bug ID: 6832353), but since this is not accessible anymore I don't know
> what its resolution was.

Oh, I forgot about that bug. It was integrated into jdk 7.

Can you please add "-Dsun.security.krb5.debug=true" to your java command 
line? It will show something like

    >>>KinitOptions cache name is ...

If the cache name shows your KRB5CCNAME it should be picked up. I 
haven't removed the FILE: prefix and maybe that is the problem. Since 
you are already playing with OpenJDK sources, can you try adding the 
prefix removing code around line 366 in the following file?

http://hg.openjdk.java.net/jdk8/tl/jdk/file/79b63e8eceda/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java

If that works, I'll happily apply the change to jdk 7 and 8.

Thanks
Weijun

>
> Anyway thanks for the advice, I will try and get back to you.
>
> christos
>

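To make the "FILE: prefix" point above concrete, here is a small stand-alone Java helper that resolves a credentials cache name the way the thread suggests: take KRB5CCNAME, strip a leading "FILE:" (case-insensitively), fall back to /tmp/krb5cc_<uid> when the variable is unset, and refuse cache types that a file-based reader cannot open rather than passing "DIR:/..." to the filesystem. This is an added illustration written for this page, not code from the JDK or from FileCredentialsCache.java; the class name, the Resolution type and the list of rejected cache types (DIR, KEYRING, API, MEMORY, KCM) are my own choices. Running it with -Dsun.security.krb5.debug=true is unrelated; the program just prints what each sample value of KRB5CCNAME would resolve to.

```java
import java.util.Locale;

/**
 * Resolves the Kerberos credentials-cache file a Java Krb5 client should open.
 * Added example for this discussion, not JDK code: names here are invented.
 */
public final class CcacheNameResolver {

    /** Either a usable file path or a reason the name was rejected. */
    public static final class Resolution {
        public final String path;    // null when the name is unusable
        public final String reason;  // null when path is usable

        Resolution(String path, String reason) {
            this.path = path;
            this.reason = reason;
        }

        public boolean isUsable() {
            return path != null;
        }

        @Override
        public String toString() {
            return isUsable() ? "FILE " + path : "REJECTED: " + reason;
        }
    }

    /**
     * @param krb5ccname raw KRB5CCNAME value, or null when the variable is unset
     * @param uid        numeric uid used for the conventional /tmp/krb5cc_<uid> fallback
     */
    public static Resolution resolve(String krb5ccname, long uid) {
        if (krb5ccname == null || krb5ccname.isEmpty()) {
            // Variable unset: use the default location kinit writes to.
            return new Resolution("/tmp/krb5cc_" + uid, null);
        }
        int colon = krb5ccname.indexOf(':');
        // A single character before ':' (e.g. "C:\\...") is a Windows drive letter,
        // not a ccache type, so only treat longer prefixes as a type tag.
        if (colon > 1) {
            String type = krb5ccname.substring(0, colon).toUpperCase(Locale.ROOT);
            String rest = krb5ccname.substring(colon + 1);
            switch (type) {
                case "FILE":
                    if (rest.isEmpty()) {
                        return new Resolution(null, "FILE: prefix with no path");
                    }
                    return new Resolution(rest, null);
                case "DIR":
                case "KEYRING":
                case "API":
                case "MEMORY":
                case "KCM":
                    // Real ccache types that are not plain files: report this instead of
                    // silently failing to open "DIR:/run/user/..." as a filename.
                    return new Resolution(null, "unsupported ccache type " + type + ":");
                default:
                    // Unknown prefix: colons are legal in paths, so keep the whole string.
                    return new Resolution(krb5ccname, null);
            }
        }
        return new Resolution(krb5ccname, null);
    }

    public static void main(String[] args) {
        // Constructed sample values, including the form ssh/pam typically export.
        String[] samples = {
            "/tmp/krb5cc_1000",
            "FILE:/tmp/krb5cc_1000_aBcDeF",
            "file:/tmp/krb5cc_1000",
            "DIR:/run/user/1000/krb5cc",
            "C:\\Users\\alice\\krb5cc",
            "FILE:",
        };
        for (String s : samples) {
            System.out.println(String.format("%-32s -> %s", s, resolve(s, 1000)));
        }
        System.out.println(String.format("%-32s -> %s", "(unset)", resolve(null, 1000)));
        // Real value on this machine, whatever the shell exported:
        System.out.println(String.format("%-32s -> %s", "KRB5CCNAME",
                resolve(System.getenv("KRB5CCNAME"), 1000)));
    }
}
```

Compile and run with `javac CcacheNameResolver.java && java CcacheNameResolver`. The check worth keeping in mind is the second sample: a login shell that received forwarded credentials from ssh usually exports `FILE:/tmp/krb5cc_<uid>_<random>`, which is exactly the value that fails if the prefix is not stripped before the path is opened.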