Re: Logging missing keytab file in Krb5LoginModule

[Horváth Péter Gergely]

Hi Weijun,

Many thanks for your response. I think that indeed it would make sense to
log in KeyTab, since the FileNotFoundException there should even have the
platform-specific reason message coming from the native layer.

At the same time, I think it would make sense to emit a log message around
the original "Key for the principal ... not available in ..." message as
well. It is probably good to have more context when debugging.

I have created a new patch combining the two approaches.
Code in Krb5LoginModule now relies on the KeyTab exists() call: it is
probably better like that.
Please take a look and let me know what you think.

Thanks,
Peter




Wei-Jun Wang <weijun.w...@oracle.com> ezt írta (időpont: 2021. aug. 17., K,
23:33):

> How do you think if we add some debug info at the internal KeyTab creation
> at [1]?
>
> For the 2 exceptions we can print out a line and the exception.toString(),
> then you will know if the filename doesn’t exist, or is a directory, or no
> permission to read.
>
> Of course, you will need to turn on -Dsun.security.krb5.debug=true to see
> this level of debug info.
>
> Thanks,
> Weijun
>
> [1]
> https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93
>
>
> > On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely <
> horvath.peter.gerg...@gmail.com> wrote:
> >
> > Dear All,
> >
> > I am wondering if someone would be kind enough to sponsor the following
> small change:
> >
> > When debugging is enabled for
> com.sun.security.auth.module.Krb5LoginModule and the file specified by
> "keyTab" is not found, Krb5LoginModule simply emits a generic message,
> similar to this:
> > "Key for the principal foo...@acme.com not available in
> /home/foobar/foobar.keytab"
> >
> > This message can be quite confusing and counterintuitive if the file is
> actually not there, because, based on the message, one would think that the
> JVM probed the file, found it, loaded the data, but still could not use the
> keytab data for authentication.
> >
> > I would propose adding further debug logging to Krb5LoginModule so as to
> emit a warning in case the key was not found, due to the file not being
> present, readable or a being a directory.
> >
> > Please find attached the patch file: it is trivial, and only affects a
> debug branch of the code.
> >
> > Please let me know what you think.
> >
> > Thanks,
> > Peter
> > <keyTab_file_checks.patch>
>
>

Index: src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	(revision d06d0b9e9d9d27aa549455f19b9803752431bcbb)
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	(date 1629307575694)
@@ -724,6 +724,16 @@
                     if (isInitiator) {
                         if (Krb5Util.keysFromJavaxKeyTab(ktab, principal).length
                                 == 0) {
+                            if (debug) {
+                                try {
+                                    if (ktab != null && !ktab.exists()) {
+                                        System.out.println("WARNING: keyTab file does not exist: " + keyTabName);
+                                    }
+                                } catch (SecurityException ignoredSecurityException) {
+                                    // do nothing if security manager rejects the check
+                                }
+                            }
+
                             ktab = null;
                             if (debug) {
                                 System.out.println
Index: src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java b/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java
--- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java	(revision d06d0b9e9d9d27aa549455f19b9803752431bcbb)
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java	(date 1629307426640)
@@ -101,9 +101,18 @@
         } catch (FileNotFoundException e) {
             entries.clear();
             isMissing = true;
+            if (DEBUG) {
+                // FileNotFoundException can be thrown if the file does exist or is inaccessible
+                // we expect native code to throw an exception with sufficient detail in the message.
+                System.out.println("WARNING: could not read keytab file: " + e.getMessage());
+            }
         } catch (Exception ioe) {
             entries.clear();
             isValid = false;
+            if (DEBUG) {
+                System.out.println("WARNING: Exception loading keytab file content");
+                ioe.printStackTrace();
+            }
         }
     }