Hi
Please review the CCC:
http://ccc.sfbay.sun.com/6894072
Thanks
Max
On Dec 22, 2009, at 12:25 PM, Max (Weijun) Wang wrote:
Hi All
I'm planning to support keytab refresh in Java, which means the
keytab's content is always reloaded right after AP-REQ is received
on the acceptor side.
One benefit is that when the service is started, the keytab file
needn't include the keys for the service, or it can simply be
non-existent. More benefits are key refresh, key revocation, etc.
Currently, when useKeyTab is specified in the JAAS login config
file, if keys for the service name cannot be found inside the
keytab, JAAS automatically falls back to a username/password prompt,
and if they cannot be provided, the login fails. In my plan, when keytab
refresh is supported, keytab will always be used even if it does not
exist, because there's a chance that it will contain the proper keys
later.
So this introduces a behavior change, and I want to know how big the
risk is.
Do you know if any customer relies on the current fallback? That is
to say, they manually configure useKeyTab=true in the JAAS login
config, but (sometimes) do not provide a keytab file with correct
keys, and they expect to be prompted for a username and password.
The behavior change also means that if there is really something
wrong with the keytab config (say, wrong path name), currently an
app fails as soon as it starts, but with keytab refresh, it only
fails when AP-REQ is received.
How does Solaris deal with keytab changes? Does it accept an empty
(or non-existent) keytab?
Thanks
Max
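As an added illustration, not part of this thread and not JDK code: the check the thread turns on is whether the keytab, at the moment it is consulted, holds keys for the service principal. The Python below serializes and parses the 0x0502 keytab layout (the MIT/Heimdal format the JDK reads), including the deleted-slot and 32-bit kvno cases, and answers that question for an in-memory keytab; a missing keytab file is modelled as `None`. The principal names, keys and timestamps are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

KEYTAB_VERSION = b"\x05\x02"   # MIT/Heimdal keytab format version 0x0502


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int      # KRB5_NT_PRINCIPAL = 1, KRB5_NT_SRV_HST = 3
    timestamp: int      # seconds since the epoch, as written by kadmin/ktadd
    kvno: int
    enctype: int        # e.g. 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96
    key: bytes


def _counted(b: bytes) -> bytes:
    # counted_octet_string: big-endian uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry], leading_free_slot: int = 0) -> bytes:
    """Serialize entries; leading_free_slot > 0 first emits a deleted (negative-size) slot,
    which is how MIT marks an entry removed by `ktremove`."""
    out = bytearray(KEYTAB_VERSION)
    if leading_free_slot > 0:
        out += struct.pack(">i", -leading_free_slot) + b"\x00" * leading_free_slot
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key             # keyblock
        body += struct.pack(">I", e.kvno)                                     # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Reader:
    """Cursor over one keytab entry body."""
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos

    def take(self, fmt: str):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self) -> bytes:
        (n,) = self.take(">H")
        b = self.data[self.pos:self.pos + n]
        self.pos += n
        return b


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size = deleted slot; skip its bytes
            pos += -size
            continue
        end = pos + size
        r = _Reader(data, pos)
        (ncomp,) = r.take(">H")
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = r.take(">IIB")
        enctype, klen = r.take(">HH")
        key = data[r.pos:r.pos + klen]
        r.pos += klen
        kvno = vno8
        if end - r.pos >= 4:          # optional 32-bit vno; a nonzero value overrides vno8
            (kvno32,) = r.take(">I")
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, enctype, key))
        pos = end
    return entries


def keys_for(data: Optional[bytes], principal: str) -> List[KeytabEntry]:
    """Keys available for `principal`; None models a missing or not-yet-created keytab file.
    An empty result is the condition that today triggers the username/password fallback."""
    if data is None:
        return []
    return [e for e in parse_keytab(data) if e.principal == principal]


# Constructed sample: two service principals, one with a kvno above 255 so the
# 32-bit vno extension matters.
SERVICE = "host/server.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SERVICE, 1, 1261500000, 300, 18, bytes(range(32))),
    KeytabEntry("HTTP/server.example.com@EXAMPLE.COM", 1, 1261500000, 2, 17, bytes(range(16))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
    print("keys for service present:", bool(keys_for(SAMPLE_KEYTAB, SERVICE)))
    print("keys for service present (no file):", bool(keys_for(None, SERVICE)))
```

The only thing the proposal changes is when `keys_for` is asked: once at login (so a bad path or an empty keytab fails immediately) versus on every AP-REQ (so the same condition surfaces only when the first client connects, while a keytab populated later is picked up without a restart).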