bug fix for native kerberos libraries

Weijun Wang weijun.wang at oracle.com
Sun Oct 21 20:33:00 PDT 2012


I forgot to ask:

Your patch mentioned MEMORY: ccache. What is the full string? Is that 
any document on it?

Thanks
Weijun

On 10/22/2012 11:29 AM, Weijun Wang wrote:
>
>
> On 10/22/2012 11:10 AM, christos at zoulas.com wrote:
>> On Oct 22, 10:54am, weijun.wang at oracle.com (Weijun Wang) wrote:
>> -- Subject: Re: bug fix for native kerberos libraries
>>
>> | I see. So it looks like the MS tool is calling JAAS. Is it asking
>> you to
>> | prepare a JAAS login file like this?
>> |
>> |     client {
>> |        com.sun.security.auth.module.Krb5LoginModule required
>> |        ...;
>> |     };
>> |
>> | You can put a key-value pair ticketCache=ccache_file inside it where
>> | ccache_file is the KRB5CCNAME env variable. This would assign the value
>> | to ticketCacheName and your patch won't be needed.
>>
>> The value of the environment variable is not constant, so I will
>> have to generate the login file at each program invocation which is
>> highly invonvenient. For example when ssh propagates the ticket file
>> from one host to another the filename changes (from /tmp/krb5cc_<uid>
>> to /tmp/krb5cc_uid_<random>).
>
> I see.
>
>>
>> | In fact, whatever credentials you specified here will not be used by
>> the
>> | final GSS mech at all (since it's native). So maybe we can just trick
>> | the MS tool that a login is there but do nothing. Please try this (jdk7
>> | only)
>> |
>> |     client {
>> |        com.sun.security.auth.module.Krb5LoginModule required
>> |        principal=nobody at NOWHERE
>> |        useKeyTab=true
>> |        isInitiator=false;
>> |     };
>> |
>> | If this work, you don't need to call kinit and save a ccache file
>> somewhere.
>>
>> I think that this is a good idea. I will try it and see if it works. On
>> the other hand, it would be nice if the native and the non-native
>> implementation behaved the same way. Requiring such a file for one and
>> not the other is not the behavior expected by the user.
>
> Well, the java krb5 and native krb5 mechs are so different that the
> later needs no JAAS at all. So even if you make the config file looking
> the same, it's still quite different inside.
>
>> I understand
>> that my patch is not clean and that this has been brought up before
>> (Bug ID: 6832353), but since this is not accessible anymore I don't know
>> what was the resolution of it.
>
> Oh, I forgot about that bug. It was integrated into jdk 7.
>
> Can you please add "-Dsun.security.krb5.debug=true" to your java command
> line? It will show something like
>
>     >>>KinitOptions cache name is ...
>
> If the cache name shows your KRB5CCNAME it should be picked up. I
> haven't removed the FILE: prefix and maybe that is the problem. Since
> you are already playing with OpenJDK sources, can you try adding the
> prefix removing code around line 366 in the following file?
>
>
> http://hg.openjdk.java.net/jdk8/tl/jdk/file/79b63e8eceda/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java
>
>
> If that works, I'll happily apply the change to jdk 7 and 8.
>
> Thanks
> Weijun
>
>>
>> Anyway thanks for the advise, I will try and get back to you.
>>
>> christos
>>



More information about the security-dev mailing list