Logging missing keytab file in Krb5LoginModule
Horváth Péter Gergely
horvath.peter.gergely at gmail.com
Wed Aug 18 17:50:54 UTC 2021
Hi Weijun,
Many thanks for your response. I think that indeed it would make sense to
log in KeyTab, since the FileNotFoundException there should even have the
platform-specific reason message coming from the native layer.
At the same time, I think it would make sense to emit a log message around
the original "Key for the principal ... not available in ..." message as
well. It is probably good to have more context when debugging.
I have created a new patch combining the two approaches.
Code in Krb5LoginModule now relies on the KeyTab exists() call: it is
probably better like that.
Please take a look and let me know what you think.
Thanks,
Peter
Wei-Jun Wang <weijun.wang at oracle.com> wrote (on 2021 Aug 17, Tue, 23:33):
> How do you think if we add some debug info at the internal KeyTab creation
> at [1]?
>
> For the 2 exceptions we can print out a line and the exception.toString(),
> then you will know if the filename doesn’t exist, or is a directory, or no
> permission to read.
>
> Of course, you will need to turn on -Dsun.security.krb5.debug=true to see
> this level of debug info.
>
> Thanks,
> Weijun
>
> [1]
> https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93
>
>
> > On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely <
> horvath.peter.gergely at gmail.com> wrote:
> >
> > Dear All,
> >
> > I am wondering if someone would be kind enough to sponsor the following
> small change:
> >
> > When debugging is enabled for
> com.sun.security.auth.module.Krb5LoginModule and the file specified by
> "keyTab" is not found, Krb5LoginModule simply emits a generic message,
> similar to this:
> > "Key for the principal foobar at acme.com not available in
> /home/foobar/foobar.keytab"
> >
> > This message can be quite confusing and counterintuitive if the file is
> actually not there, because, based on the message, one would think that the
> JVM probed the file, found it, loaded the data, but still could not use the
> keytab data for authentication.
> >
> > I would propose adding further debug logging to Krb5LoginModule so as to
> emit a warning in case the key was not found, due to the file not being
> present, readable or a being a directory.
> >
> > Please find attached the patch file: it is trivial, and only affects a
> debug branch of the code.
> >
> > Please let me know what you think.
> >
> > Thanks,
> > Peter
> > <keyTab_file_checks.patch>
>
>
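To show the kind of context the thread asks for, here is an added, illustrative check (not the attached patch and not OpenJDK code) that distinguishes a missing keytab, a directory, and an unreadable file, and also opens the file so the platform-specific reason from the native layer is captured. The class and method names are assumptions; the real module would gate this on -Dsun.security.krb5.debug=true.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;

/** Illustrative keytab diagnostics (hypothetical class, not the OpenJDK patch). */
public final class KeytabDiagnostics {

    private KeytabDiagnostics() {}

    /** Returns a one-line reason the keytab cannot be used, or null if it looks usable. */
    public static String diagnose(String path) {
        File f = new File(path);
        if (!f.exists()) {
            return "keytab file does not exist: " + path;
        }
        if (f.isDirectory()) {
            return "keytab path is a directory, not a file: " + path;
        }
        if (!f.canRead()) {
            return "keytab file is not readable by the current user: " + path;
        }
        // Actually opening the file surfaces the platform-specific message
        // (e.g. "Permission denied") that exists()/canRead() alone do not expose.
        try (FileInputStream in = new FileInputStream(f)) {
            return null;
        } catch (FileNotFoundException e) {
            return "keytab file could not be opened: " + e;
        } catch (IOException e) {
            return "error reading keytab file: " + e;
        }
    }

    /** Builds the debug line a login module could emit next to its generic message. */
    public static String debugMessage(String principal, String path) {
        String generic = "Key for the principal " + principal
                + " not available in " + path;
        String reason = diagnose(path);
        return reason == null ? generic : generic + " (" + reason + ")";
    }

    public static void main(String[] args) {
        // Constructed sample values; the path deliberately points at a missing file.
        System.out.println(debugMessage("foobar@acme.com", "/nonexistent/foobar.keytab"));
    }
}
```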
A non-text attachment was scrubbed...
Name: keyTab_file_checks2.patch
Type: text/x-patch
Size: 2985 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20210818/6a4791c2/keyTab_file_checks2.patch>