Logging missing keytab file in Krb5LoginModule

Wei-Jun Wang weijun.wang at oracle.com
Tue Aug 17 21:33:00 UTC 2021

How do you think if we add some debug info at the internal KeyTab creation at [1]?

For the 2 exceptions we can print out a line and the exception.toString(), then you will know if the filename doesn’t exist, or is a directory, or no permission to read.

Of course, you will need to turn on -Dsun.security.krb5.debug=true to see this level of debug info.


[1] https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93

> On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely <horvath.peter.gergely at gmail.com> wrote:
> Dear All,
> I am wondering if someone would be kind enough to sponsor the following small change:
> When debugging is enabled for com.sun.security.auth.module.Krb5LoginModule and the file specified by "keyTab" is not found, Krb5LoginModule simply emits a generic message, similar to this:
> "Key for the principal foobar at acme.com not available in /home/foobar/foobar.keytab"
> This message can be quite confusing and counterintuitive if the file is actually not there, because, based on the message, one would think that the JVM probed the file, found it, loaded the data, but still could not use the keytab data for authentication.
> I would propose adding further debug logging to Krb5LoginModule so as to emit a warning in case the key was not found, due to the file not being present, readable or a being a directory.
> Please find attached the patch file: it is trivial, and only affects a debug branch of the code.
> Please let me know what you think.
> Thanks,
> Peter
> <keyTab_file_checks.patch>

More information about the security-dev mailing list