Hi All,

I'm planning to support keytab refresh in Java, which means the keytab's content is always reloaded right after an AP-REQ is received on the acceptor side.

One benefit is that when the service is started, the keytab file needn't include the keys for the service, or it can simply be non-existent. More benefits are key refresh, key revocation, etc.

Currently, when useKeyTab is specified in the JAAS login config file, if keys for the service name cannot be found inside the keytab, JAAS automatically falls back to a username/password prompt, and if they cannot be provided, the login fails. In my plan, when keytab refresh is supported, the keytab will always be used even if it does not exist, because there's a chance that it will contain the proper keys later. So this introduces a behavior change, and I want to know how big the risk is.

Do you know if any customer relies on the current fallback? That is to say, they manually configure useKeyTab=true in the JAAS login config, but (sometimes) do not provide a keytab file with correct keys, and they expect a username and password to be prompted for.

The behavior change also means that if there is really something wrong with the keytab config (say, a wrong path name), currently an app fails as soon as it starts, but with keytab refresh, it only fails when an AP-REQ is received.

How does Solaris deal with keytab changes? Does it accept an empty (or non-existent) keytab?

Thanks,
Max
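The message above points out that with always-reloaded keytabs a misconfigured path or a keytab lacking the service keys is no longer detected at startup. The following is an added example (not code from the original post or from the JDK) of an explicit startup check an operator can run to get the fail-fast behavior back, using the public `javax.security.auth.kerberos.KeyTab` API rather than any internal class. The keytab path and the principal name are placeholders that a deployment would substitute.

```java
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import java.io.File;

/**
 * Pre-flight check for an acceptor: verify that the configured keytab
 * exists and holds at least one key for the service principal before
 * the service starts accepting AP-REQs. This restores the "fail at
 * startup" behavior described in the message, independently of whether
 * the login module itself reloads the keytab on every request.
 */
public final class KeytabPreflight {

    /** Result of the check, so callers can log a precise reason. */
    public enum Status { OK, FILE_MISSING, NO_KEYS_FOR_PRINCIPAL }

    public static Status check(File keytabFile, String principalName) {
        // KeyTab.getInstance(File) does not fail if the file is absent; the
        // file is only read when keys are requested, hence the explicit check.
        KeyTab keytab = KeyTab.getInstance(keytabFile);
        if (!keytab.exists()) {
            return Status.FILE_MISSING;
        }
        KerberosPrincipal principal = new KerberosPrincipal(principalName);
        KerberosKey[] keys = keytab.getKeys(principal);
        if (keys.length == 0) {
            return Status.NO_KEYS_FOR_PRINCIPAL;
        }
        // Do not keep key material around longer than needed.
        for (KerberosKey k : keys) {
            try {
                k.destroy();
            } catch (javax.security.auth.DestroyFailedException ignored) {
                // Best effort; the array goes out of scope anyway.
            }
        }
        return Status.OK;
    }

    public static void main(String[] args) {
        // Placeholder values; a real deployment takes these from its configuration.
        File keytab = new File("/etc/security/keytabs/service.keytab");
        String principal = "HTTP/service.example.com@EXAMPLE.COM";

        Status status = check(keytab, principal);
        if (status != Status.OK) {
            System.err.println("keytab check failed: " + status + " (" + keytab + ")");
            System.exit(1);
        }
        System.out.println("keytab check passed for " + principal);
    }
}
```

Running this once before the acceptor's JAAS login gives the early, loud failure the message says would otherwise be deferred until the first AP-REQ, while the login module is still free to reload the keytab later for key rotation.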