[ https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Han updated ZOOKEEPER-2405:
-----------------------------------
Attachment: ZOOKEEPER-2405.patch
Attached a patch for the fix. I think it is reasonable to log the client and server
principals for debugging, as these should not be considered sensitive
information (compared to other fields in a TGT, such as the ticket session key),
and logging them might be more helpful than completely removing them from a debugging
point of view.
Regarding the debug output from Kerberos itself when debugging is enabled (by
setting debug to true both in jaas.conf and in the JVM), the output does not
contain anything specific related to the TGT, except the client / server
principals.
[~phunt] PTAL
> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
> Key: ZOOKEEPER-2405
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
> Project: ZooKeeper
> Issue Type: Bug
> Components: kerberos, security, server
> Affects Versions: 3.4.8, 3.5.1, 3.6.0
> Reporter: Patrick Hunt
> Priority: Blocker
> Fix For: 3.4.9, 3.5.2, 3.6.0
>
> Attachments: ZOOKEEPER-2405.patch
>
>
> We're logging the kerberos ticket when in debug mode, probably not the best
> idea. This was identified as a "critical" issue by Fortify.
> {noformat}
> for (KerberosTicket ticket : tickets) {
>     KerberosPrincipal server = ticket.getServer();
>     // the TGT is the ticket whose server principal is the realm's krbtgt
>     if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
>         // string concatenation calls KerberosTicket.toString(), which dumps the
>         // whole ticket (including the session key), not just the principals
>         LOG.debug("Found tgt " + ticket + ".");
>         return ticket;
>     }
> }
> {noformat}
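The hardened shape of that loop, written here as an added illustration rather than the patch attached to the issue: the TGT search is unchanged, but the debug line goes through a helper that emits only the client and server principals and the expiry, never the ticket object itself. The class name `TgtLogging`, the helper names `describeForLog` and `isTgt`, and the use of an slf4j `Logger` are assumptions of this example, not identifiers from the ZooKeeper code.

```java
import java.util.Date;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Illustrative helper (not ZooKeeper code): locate the TGT in a Subject while
 * keeping secret ticket material (ticket bytes, session key) out of the log.
 */
public final class TgtLogging {
    private static final Logger LOG = LoggerFactory.getLogger(TgtLogging.class);

    private TgtLogging() {}

    /** Log-safe description of a ticket: principals and lifetime only. */
    static String describeForLog(KerberosTicket ticket) {
        KerberosPrincipal client = ticket.getClient();
        KerberosPrincipal server = ticket.getServer();
        Date end = ticket.getEndTime();
        return "KerberosTicket[client=" + (client == null ? "?" : client.getName())
            + ", server=" + (server == null ? "?" : server.getName())
            + ", expires=" + end + "]";
    }

    /** True when the server principal is krbtgt/REALM@REALM, i.e. the ticket is the TGT. */
    static boolean isTgt(KerberosTicket ticket) {
        KerberosPrincipal server = ticket.getServer();
        if (server == null) {
            return false;
        }
        String realm = server.getRealm();
        return server.getName().equals("krbtgt/" + realm + "@" + realm);
    }

    /**
     * Same search as the quoted getTGT() loop; the only change is that the
     * debug message no longer concatenates the KerberosTicket (whose toString()
     * dumps the whole ticket) and instead logs describeForLog(ticket).
     */
    static KerberosTicket getTGT(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket ticket : tickets) {
            if (isTgt(ticket)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Found tgt {}", describeForLog(ticket));
                }
                return ticket;
            }
        }
        return null;
    }
}
```

A quick way to check a change like this is to grep the logging statements for any direct use of a `KerberosTicket` (or of `Subject.getPrivateCredentials()` results) as a string argument; only the output of a deliberately sanitised formatter such as `describeForLog` should reach the log.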
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)