[
https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12971631#action_12971631
]
Torsten Mielke commented on SSHD-102:
-------------------------------------
One could argue that the exception object itself should not carry the password
if it is considered sensitive data, as it is never clear what class is going to
catch the exception.
Did a quick check here using an LDAP LoginModule and the password itself is not
part of the exception.
Using the attached patch this is the output:
JaasPasswordAuthenticator [29] - Authentication failed with error: LDAP Error,
cause: javax.security.auth.login.FailedLoginException
> Add error logging to
> org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()
> -----------------------------------------------------------------------------------------
>
> Key: SSHD-102
> URL: https://issues.apache.org/jira/browse/SSHD-102
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 0.4.0, 0.5.0
> Environment: sshd JAAS used with LDAP based authentication.
> Reporter: Torsten Mielke
> Attachments: JaasPasswordAuthenticator.patch
>
>
> The JaasPasswordAuthenticator.authenticate() method currently silently
> ignores any exceptions being raised and simply returns false in case of any
> authentication errors.
> In environments where sshd is used in other frameworks like OSGi, it becomes
> very difficult to troubleshoot the reasons for the authentication failure.
> Rather than simply returning false, I propose to print a logging statement at
> the least.
> catch (Exception e) {
> log.error("Authentication failed with error: " +
> e.getMessage() +
> ", cause: " +
> e.getCause() );
> return false;
> }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
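A version of the authenticator that keeps the diagnostic the issue asks for while making sure the password itself never reaches the log, as an added example that is not MINA SSHD's code or the attached patch; the class name, the slf4j logger and the `domain` JAAS configuration entry name are assumptions:

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class LoggingJaasAuthenticator {
    private static final Logger log = LoggerFactory.getLogger(LoggingJaasAuthenticator.class);
    // Name of the JAAS login configuration entry to use (assumed value, e.g. "sshd").
    private final String domain;
    public LoggingJaasAuthenticator(String domain) { this.domain = domain; }

    public boolean authenticate(final String username, final String password) {
        // Hands the credentials to the LoginModule through the standard JAAS callbacks.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            LoginContext ctx = new LoginContext(domain, handler);
            ctx.login();
            ctx.logout(); // only the accept/reject decision is needed here
            return true;
        } catch (LoginException e) {
            // Record who failed and why (classes and messages down the cause chain); the password never enters the log.
            log.error("Authentication failed for user '{}': {}", username, describe(e));
            return false;
        }
    }

    // Walks the cause chain so the underlying reason (e.g. an LDAP error) is not lost.
    static String describe(Throwable t) {
        StringBuilder sb = new StringBuilder();
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (sb.length() > 0) sb.append(", cause: ");
            sb.append(c.getClass().getName()).append(": ").append(c.getMessage());
        }
        return sb.toString();
    }
}
```

The log line carries the user name and the exception chain only; whether a given LoginModule puts the password into an exception message is still worth checking, as the comment above did for the LDAP module, before relying on `getMessage()` in a log statement.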