Logging missing keytab file in Krb5LoginModule

Wei-Jun Wang weijun.wang at oracle.com
Wed Aug 18 22:36:11 UTC 2021 

See https://github.com/openjdk/jdk/pull/5176.

The krb5 debug warning is also quite verbose and I think it’s not worth printing out the whole stack trace. Also, no existing debug message starts with “WARNING". They are just plain flat text.

Thanks,
Weijun


> On Aug 18, 2021, at 5:34 PM, Horváth Péter Gergely <horvath.peter.gergely at gmail.com> wrote:
> 
> OK, I think we can agree on that. Please add the changes of KeyTab.java: it should be helpful in future releases. 
> 
> Thanks, 
> Peter
> 
> On Wed, Aug 18, 2021, 23:06 Wei-Jun Wang, <weijun.wang at oracle.com> wrote:
> I think the new message in KeyTab.java is enough. The added lines in Krb5LoginModule is a little too long with the try-catch structure.
> 
> —Weijun
> 
> > On Aug 18, 2021, at 1:50 PM, Horváth Péter Gergely <horvath.peter.gergely at gmail.com> wrote:
> > 
> > Hi Weijun,
> > 
> > Many thanks for your response. I think that indeed it would make sense to log in KeyTab, since the FileNotFoundException there should even have the platform-specific reason message coming from the native layer.
> >  
> > At the same time, I think it would make sense to emit a log message around the original "Key for the principal ... not available in ..." message as well. It is probably good to have more context when debugging. 
> > 
> > I have created a new patch combining the two approaches. Code in Krb5LoginModule now relies on the KeyTab exists() call: it is probably better like that. 
> > Please take a look and let me know what you think.
> > 
> > Thanks,
> > Peter
> > 
> > 
> > 
> > 
> > Wei-Jun Wang <weijun.wang at oracle.com> ezt írta (időpont: 2021. aug. 17., K, 23:33):
> > How do you think if we add some debug info at the internal KeyTab creation at [1]?
> > 
> > For the 2 exceptions we can print out a line and the exception.toString(), then you will know if the filename doesn’t exist, or is a directory, or no permission to read.
> > 
> > Of course, you will need to turn on -Dsun.security.krb5.debug=true to see this level of debug info.
> > 
> > Thanks,
> > Weijun
> > 
> > [1] https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93
> > 
> > 
> > > On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely <horvath.peter.gergely at gmail.com> wrote:
> > > 
> > > Dear All,
> > > 
> > > I am wondering if someone would be kind enough to sponsor the following small change:
> > > 
> > > When debugging is enabled for com.sun.security.auth.module.Krb5LoginModule and the file specified by "keyTab" is not found, Krb5LoginModule simply emits a generic message, similar to this:
> > > "Key for the principal foobar at acme.com not available in /home/foobar/foobar.keytab"
> > > 
> > > This message can be quite confusing and counterintuitive if the file is actually not there, because, based on the message, one would think that the JVM probed the file, found it, loaded the data, but still could not use the keytab data for authentication.
> > > 
> > > I would propose adding further debug logging to Krb5LoginModule so as to emit a warning in case the key was not found, due to the file not being present, readable or a being a directory.
> > > 
> > > Please find attached the patch file: it is trivial, and only affects a debug branch of the code.
> > > 
> > > Please let me know what you think.
> > > 
> > > Thanks,
> > > Peter
> > > <keyTab_file_checks.patch>
> > 
> > <keyTab_file_checks2.patch>
>

More information about the security-dev mailing list