Logging missing keytab file in Krb5LoginModule

Horváth Péter Gergely horvath.peter.gergely at gmail.com
Wed Aug 18 21:34:41 UTC 2021


OK, I think we can agree on that. Please add the changes of KeyTab.java: it
should be helpful in future releases.

Thanks,
Peter

On Wed, Aug 18, 2021, 23:06 Wei-Jun Wang, <weijun.wang at oracle.com> wrote:

> I think the new message in KeyTab.java is enough. The added lines in
> Krb5LoginModule are a little too long with the try-catch structure.
>
> —Weijun
>
> > On Aug 18, 2021, at 1:50 PM, Horváth Péter Gergely <
> horvath.peter.gergely at gmail.com> wrote:
> >
> > Hi Weijun,
> >
> > Many thanks for your response. I think that indeed it would make sense
> to log in KeyTab, since the FileNotFoundException there should even have
> the platform-specific reason message coming from the native layer.
> >
> > At the same time, I think it would make sense to emit a log message
> around the original "Key for the principal ... not available in ..."
> message as well. It is probably good to have more context when debugging.
> >
> > I have created a new patch combining the two approaches. Code in
> Krb5LoginModule now relies on the KeyTab exists() call: it is probably
> better like that.
> > Please take a look and let me know what you think.
> >
> > Thanks,
> > Peter
> >
> >
> >
> >
> > Wei-Jun Wang <weijun.wang at oracle.com> wrote (on 2021. aug.
> 17., Tue, 23:33):
> > What do you think if we add some debug info at the internal KeyTab
> creation at [1]?
> >
> > For the 2 exceptions we can print out a line and the
> exception.toString(), then you will know if the filename doesn’t exist, or
> is a directory, or no permission to read.
> >
> > Of course, you will need to turn on -Dsun.security.krb5.debug=true to
> see this level of debug info.
> >
> > Thanks,
> > Weijun
> >
> > [1]
> https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93
> >
> >
> > > On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely <
> horvath.peter.gergely at gmail.com> wrote:
> > >
> > > Dear All,
> > >
> > > I am wondering if someone would be kind enough to sponsor the
> following small change:
> > >
> > > When debugging is enabled for
> com.sun.security.auth.module.Krb5LoginModule and the file specified by
> "keyTab" is not found, Krb5LoginModule simply emits a generic message,
> similar to this:
> > > "Key for the principal foobar at acme.com not available in
> /home/foobar/foobar.keytab"
> > >
> > > This message can be quite confusing and counterintuitive if the file
> is actually not there, because, based on the message, one would think that
> the JVM probed the file, found it, loaded the data, but still could not use
> the keytab data for authentication.
> > >
> > > I would propose adding further debug logging to Krb5LoginModule so as
> to emit a warning in case the key was not found, due to the file not being
> present, readable or being a directory.
> > >
> > > Please find attached the patch file: it is trivial, and only affects a
> debug branch of the code.
> > >
> > > Please let me know what you think.
> > >
> > > Thanks,
> > > Peter
> > > <keyTab_file_checks.patch>
> >
> > <keyTab_file_checks2.patch>
>
>
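The three open-failure cases the thread distinguishes (file missing, path is a directory, file unreadable) and the platform reason text that FileNotFoundException carries, as an added Java example; this is not the JDK patch or the KeyTab code, and KeytabProbe and describeKeytabProblem are hypothetical names.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not JDK code. Reproduces the diagnostic the thread asks for:
// say *why* a keytab could not be opened instead of the generic
// "Key for the principal ... not available in ..." message.
public class KeytabProbe {
    // Hypothetical helper: null when the keytab opens, otherwise the reason.
    static String describeKeytabProblem(Path keytab) {
        if (!Files.exists(keytab)) {
            return "keytab " + keytab + " does not exist";
        }
        if (Files.isDirectory(keytab)) {
            return "keytab " + keytab + " is a directory, not a file";
        }
        if (!Files.isReadable(keytab)) {
            return "keytab " + keytab + " is not readable by this user";
        }
        // Same kind of open KeyTab performs; on failure the exception's
        // toString() carries the platform reason, e.g. "(Permission denied)".
        try (FileInputStream in = new FileInputStream(keytab.toFile())) {
            return null;
        } catch (FileNotFoundException e) {
            return "keytab " + keytab + " could not be opened: " + e;
        } catch (IOException e) {
            return "keytab " + keytab + " failed on close: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a temp directory standing in for a misconfigured
        // "keyTab" option, a missing file under it, and an empty real file.
        Path dir = Files.createTempDirectory("keytab-probe");
        Path missing = dir.resolve("foobar.keytab");
        Path present = Files.createFile(dir.resolve("present.keytab"));
        try {
            // KeyTab would emit these only with -Dsun.security.krb5.debug=true;
            // here they are printed unconditionally.
            System.out.println(describeKeytabProblem(missing));
            System.out.println(describeKeytabProblem(dir));
            System.out.println(describeKeytabProblem(present));
        } finally {
            Files.deleteIfExists(present);
            Files.deleteIfExists(dir);
        }
    }
}
```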