[PATCH] Handle alternative Kerberos credential cache locations

Elliott Baron ebaron at redhat.com
Tue Jan 14 15:01:47 PST 2014


Hi Max,

I have finally been able to revisit this patch, sorry for the long 
delay. I have posted webrevs at 
http://icedtea.classpath.org/~ebaron/webrevs/krb5-default-ccache/00/. 
These updated patches do not use error message routines in libkrb5, 
since these are missing from the version on Solaris 10. Instead, the 
native code in this patch retrieves error messages by invoking the 
Krb5.getErrorMessage method that is part of the JDK.

Thanks,
Elliott

On 09/19/2013 08:48 PM, Weijun Wang wrote:
> Copying build-dev.
>
> --Max
>
> On 9/20/13 8:02 AM, Elliott Baron wrote:
>> Hi,
>>
>> Kerberos 1.11 introduced a new configuration variable to override the
>> default location of the credential cache at build time. Fedora 18 and up
>> have used this new configuration variable to define an alternate default
>> cache location (/run/user/$UID/krb5cc/tkt). This bug was initially
>> reported against Fedora [1].
>>
>> On Linux and Solaris systems, FileCredentialsCache.getDefaultCacheName()
>> defaults to the previously hard-coded location (/tmp/krb5cc_$UID). This
>> location will be incorrect if Kerberos was built with an alternative
>> credential cache location set. Since this credential cache location can
>> be arbitrary, we need to query the Kerberos API for the correct
>> location. This patch implements this query using a new JNI call, which
>> adds a dependency on libkrb5 for Linux and Solaris systems. I have also
>> included a test case which uses a stub library in place of the real JNI
>> libkrb5 wrapper.
>>
>> The patch krb5-default-ccache should be applied to jdk8. This includes
>> modifications to the build system in order to handle the dependency on
>> libkrb5. These changes include querying pkg-config for the location of
>> Kerberos includes and libraries, although there does not appear to be
>> support for a libkrb5 pkg-config file just yet. An alternative program,
>> krb5-config, operates similarly to pkg-config and prints the locations
>> of the required libraries and includes. This program is included as part
>> of Kerberos. This patch adds M4 macros to query krb5-config, and
>> integrates these macros into libraries.m4. I have omitted
>> generated-configure.sh for brevity.
>>
>> The second patch jdk-krb5-default-ccache-fix should be applied to
>> jdk8/jdk. This includes the changes to FileCredentialsCache and the new
>> native component, krb5ccache.c. The library generated from it is named
>> libj2krb5. This patch includes krb5-config support in
>> jdk_generic_profile.sh. This will allow users of the old build system
>> (and JDK7) to automatically find the necessary includes and libraries
>> for Kerberos. For the test component, the patch includes a Makefile to
>> build the stub library. The test should be run using the provided
>> run_tests.sh shell script.
>>
>> Thanks,
>> Elliott
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=991170
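
The lookup described in the quoted message, as an added example that is not part of the patch or the thread: it asks libkrb5 for the default cache name through Python's ctypes (standing in for the patch's JNI call) and uses the hard-coded /tmp/krb5cc_$UID form only when the library cannot be queried. The function names, the `libkrb5.so.3` soname default and the fallback policy are assumptions of this example.

```python
import ctypes
import os

def legacy_ccache_name(uid):
    """The location hard-coded before the patch: /tmp/krb5cc_$UID."""
    return "/tmp/krb5cc_%d" % uid

def parse_ccache_name(name):
    """Split 'TYPE:residual'; a bare path is treated as a FILE cache."""
    if name.startswith("/") or ":" not in name:
        return ("FILE", name)
    ctype, _, residual = name.partition(":")
    return (ctype, residual)

def query_libkrb5(lib_name="libkrb5.so.3"):
    """Return krb5_cc_default_name() as str, or None if unavailable."""
    try:
        lib = ctypes.CDLL(lib_name)
        init, free = lib.krb5_init_context, lib.krb5_free_context
        default_name = lib.krb5_cc_default_name
    except (OSError, AttributeError):
        return None
    init.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    init.restype = ctypes.c_int32            # krb5_error_code
    default_name.argtypes = [ctypes.c_void_p]
    default_name.restype = ctypes.c_char_p   # owned by the context; copied on return
    free.argtypes = [ctypes.c_void_p]
    free.restype = None
    ctx = ctypes.c_void_p()
    if init(ctypes.byref(ctx)) != 0:
        return None
    try:
        raw = default_name(ctx)
        return raw.decode() if raw else None
    finally:
        free(ctx)

def resolve_default_ccache(uid, lib_name="libkrb5.so.3"):
    """Return (source, type, residual) for the default credential cache."""
    name = query_libkrb5(lib_name)
    if name is not None:
        return ("libkrb5",) + parse_ccache_name(name)
    # Assumed policy: use the legacy path only when libkrb5 cannot answer.
    return ("legacy", "FILE", legacy_ccache_name(uid))

if __name__ == "__main__":
    print(resolve_default_ccache(os.getuid()))
```

A result whose source is `legacy` means the path was guessed rather than confirmed, so a caller should not assume that tickets obtained with kinit are stored there.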


