[36223] in Kerberos


Java code performing Kerberos password AuthN

daemon@ATHENA.MIT.EDU (Jorj Bauer)
Thu Jun 26 18:27:25 2014

From: Jorj Bauer <jorj@isc.upenn.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 26 Jun 2014 22:23:08 +0000
Message-ID: <783583777A0B2B4F9B03D97FFABAA2AC187DB6F4@exch-mbx01.exchange.upenn.edu>
Content-Language: en-US
Content-ID: <281149C50537834FB17477D3B5874021@exchange.upenn.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Searching the web, I found many examples of how to incorrectly perform Kerberos-based password AuthN in Java [1]. In the interests of having this done correctly, I just pushed this Java code to github:

	https://github.com/JorjBauer/java-kpass

Java doesn't have krb5_verify_init_creds() or similar, and folks implementing password AuthN in Java don't seem to realize that Java's Krb5LoginModule isn't performing that check. I'm sure this is a problem that many on this list have seen before in other implementations; I know I've seen it at least twice in other languages.

More details are in the README on the github page above. I thought I'd post this to the Kerberos list so that it gets some visibility, and maybe people that are trying to validate Kerberos passwords in Java will stumble across code showing how to do it securely. (Maybe someone will show me a better way to do it in Java, for that matter. Bonus.)

-- Jorj

-- 
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: jorj@upenn.edu


[1] Not that this is a good idea.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
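The pattern the post is pointing at, written out as an added example (this is not the java-kpass code and nothing here is taken from that repository): first obtain a TGT with the user's password, then obtain a service ticket with that TGT and accept it with the service key read from a keytab the application controls. The AS exchange alone only proves that the AS-REP decrypted under the supplied password, which a KDC under an attacker's control can arrange for whatever password it likes; the service ticket step is the one a spoofed KDC cannot satisfy, which is what krb5_verify_init_creds() checks in C. The JAAS entry names, the keytab path and the service principal passed to `verify` are assumptions for illustration.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Password check that also verifies the KDC, in the spirit of krb5_verify_init_creds(). */
public final class VerifiedKerberosPassword {
    private static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** Programmatic JAAS configuration: a single Krb5LoginModule entry built from the given options. */
    private static Configuration configFor(Map<String, String> options) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, options)
                };
            }
        };
    }

    /** Step 1: AS exchange as the user. Success here only proves the AS-REP decrypted under the password. */
    private static Subject loginUser(String user, char[] password) throws LoginException {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "false");   // never accept a cached TGT as proof of the password
        LoginContext lc = new LoginContext("user", null, callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            }
        }, configFor(opts));
        lc.login();
        return lc.getSubject();
    }

    /** Step 2: log in as the service from its keytab, so we hold a key a forged KDC cannot know. */
    private static Subject loginService(String servicePrincipal, String keytabPath) throws LoginException {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);          // assumption: path to the application's own keytab
        opts.put("principal", servicePrincipal); // assumption: e.g. "HTTP/app.example.org@EXAMPLE.ORG"
        opts.put("storeKey", "true");
        opts.put("isInitiator", "false");
        opts.put("doNotPrompt", "true");
        LoginContext lc = new LoginContext("service", null, null, configFor(opts));
        lc.login();
        return lc.getSubject();
    }

    /**
     * True only if the password yielded a TGT AND a service ticket obtained with that TGT
     * decrypts under our keytab key. The second condition is what a spoofed KDC cannot meet.
     */
    public static boolean verify(String user, char[] password, String servicePrincipal, String keytabPath) {
        try {
            Subject userSubject = loginUser(user, password);
            Subject serviceSubject = loginService(servicePrincipal, keytabPath);
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 GSS mechanism OID

            // As the user: TGS exchange for the service principal, producing an AP-REQ token.
            byte[] apReq = Subject.doAs(userSubject, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSName target = mgr.createName(servicePrincipal, null, krb5); // full principal, type unknown
                GSSContext init = mgr.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
                try {
                    init.requestMutualAuth(false);
                    return init.initSecContext(new byte[0], 0, 0);
                } finally {
                    init.dispose();
                }
            });

            // As the service: accept the AP-REQ. This fails unless the ticket was sealed with our key.
            return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<Boolean>) () -> {
                GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                        krb5, GSSCredential.ACCEPT_ONLY);
                GSSContext acc = mgr.createContext(cred);
                try {
                    acc.acceptSecContext(apReq, 0, apReq.length);
                    return acc.isEstablished();
                } finally {
                    acc.dispose();
                    cred.dispose();
                }
            });
        } catch (LoginException | GSSException | PrivilegedActionException e) {
            // Wrong password, unreachable KDC, or a ticket our key cannot open: all mean "not authenticated".
            return false;
        }
    }
}
```

Both halves are needed: a caller that stops after `loginUser` is in exactly the position the post describes, trusting the AS-REP alone. Treating every failure class as "not authenticated" keeps the caller from distinguishing a bad password from a KDC that could not produce a ticket for our key, which is the conservative default; log the exception separately if operations need to tell the two apart.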
