Java code performing Kerberos password AuthN

Jorj Bauer jorj at isc.upenn.edu
Thu Jun 26 18:23:08 EDT 2014


Searching the web, I found many examples of how to incorrectly perform Kerberos-based password AuthN in Java [1]. In the interests of having this done correctly, I just pushed this Java code to github:

	https://github.com/JorjBauer/java-kpass

Java doesn't have krb5_verify_init_creds() or similar, and folks implementing password AuthN in Java don't seem to realize that Java's Krb5LoginModule isn't performing that check. I'm sure this is a problem that many on this list have seen before in other implementations; I know I've seen it at least twice in other languages.

More details are in the README on the github page above. I thought I'd post this to the Kerberos list so that it gets some visibility, and maybe people that are trying to validate Kerberos passwords in Java will stumble across code showing how to do it securely. (Maybe someone will show me a better way to do it in Java, for that matter. Bonus.)

-- Jorj

-- 
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: jorj at upenn.edu


[1] Not that this is a good idea.
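The check the post describes, as an added example that is not part of the original message and not code from the java-kpass repository: the password login alone only proves that *some* KDC answered the AS-REQ, so the code below additionally has the freshly obtained TGT request a service ticket for a principal whose key is in a local keytab, and accepts the result with that keytab. If the ticket does not decrypt under the local key, the login is rejected. The service principal, keytab path, realm and the presence of a usable krb5.conf are assumptions to adjust for your environment.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Password check that also verifies the KDC via a local keytab (hypothetical example). */
public final class VerifiedKerberosPasswordCheck {
    // Assumed values: a service principal for this host and the keytab holding its key.
    private static final String SERVICE_PRINCIPAL = "host/auth.example.org@EXAMPLE.ORG";
    private static final String KEYTAB_PATH = "/etc/krb5.keytab";
    private static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    private static final Oid KRB5_MECH;
    static {
        try { KRB5_MECH = new Oid("1.2.840.113554.1.2.2"); }
        catch (GSSException e) { throw new ExceptionInInitializerError(e); }
    }

    /** JAAS configuration built in code so the example needs no external jaas.conf. */
    private static Configuration jaasConfig() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                if ("UserPassword".equals(name)) {
                    opts.put("useTicketCache", "false");   // never trust a pre-existing cache
                } else if ("ServiceKeytab".equals(name)) {
                    opts.put("useKeyTab", "true");
                    opts.put("keyTab", KEYTAB_PATH);
                    opts.put("principal", SERVICE_PRINCIPAL);
                    opts.put("storeKey", "true");           // keep the key for acceptSecContext
                    opts.put("doNotPrompt", "true");
                    opts.put("isInitiator", "false");
                } else {
                    return null;
                }
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        KRB5_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Returns true only if the password is right AND the TGT came from the real KDC. */
    public static boolean verify(String userPrincipal, char[] password) throws Exception {
        CallbackHandler handler = (Callback[] cbs) -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(userPrincipal);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        // Step 1: AS exchange with the password. On its own this is the insufficient check.
        LoginContext userLogin = new LoginContext("UserPassword", null, handler, jaasConfig());
        LoginContext svcLogin = new LoginContext("ServiceKeytab", null, null, jaasConfig());
        try {
            userLogin.login();
            svcLogin.login();
            GSSManager gss = GSSManager.getInstance();
            // Step 2: as the user, obtain a service ticket for our own principal (TGS exchange).
            byte[] apReq = Subject.doAs(userLogin.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
                GSSName target = gss.createName(SERVICE_PRINCIPAL, null);
                GSSContext init = gss.createContext(target, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
                try {
                    init.requestMutualAuth(false);       // one token is enough for this check
                    return init.initSecContext(new byte[0], 0, 0);
                } finally { init.dispose(); }
            });
            // Step 3: as the service, decrypt that ticket with the keytab key. A forged KDC
            // cannot produce a ticket under this key, so failure here means the TGT was bogus.
            return Subject.doAs(svcLogin.getSubject(), (PrivilegedExceptionAction<Boolean>) () -> {
                GSSContext acc = gss.createContext((GSSCredential) null);
                try {
                    acc.acceptSecContext(apReq, 0, apReq.length);
                    return acc.isEstablished()
                            && acc.getSrcName().toString().equals(userPrincipal);
                } catch (GSSException e) {
                    return false;                        // ticket not under our key: reject
                } finally { acc.dispose(); }
            });
        } catch (javax.security.auth.login.LoginException e) {
            return false;                                // wrong password or KDC unreachable
        } finally {
            try { userLogin.logout(); } catch (Exception ignored) { }
            try { svcLogin.logout(); } catch (Exception ignored) { }
            java.util.Arrays.fill(password, '\0');
        }
    }
}
```

Treat a `false` from the accept step the same as a wrong password: both mean the caller has not proven anything. The keytab login is done as a separate JAAS context so the user's TGT and the service key never share a Subject.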