Logging from the Sun Kerberos package?

Douglas E. Engert deengert at anl.gov
Wed Jan 16 16:54:53 EST 2013
On 1/15/2013 9:40 PM, Wessel, Keith William wrote:
> Hi, all,
>
> I’m already aware that JAAS doesn’t contain any useful logging that log4j can capture and log. Was wondering if, going to the Kerberos level, we could obtain any use log message, though. We’re using
> Kerberos with the UserPassword login handler, and when someone has a successful or unsuccessful login, it’d be nice to get some logging as such… especially with unsuccessful login attempts.
>
> If anyone’s accomplished this, if they could share what package they’ve added to their logging.xml, I’d appreciate it. I’ve tried various permutations of the Sun Kerberos auth package, unsure of how
> much of the actual package name needs to be included, and I’ve had no success getting anything of interest in the log. It either means there’s nothing being logged or I just didn’t choose the right
> option.

On an older test IDP-2.3.5, with:

logging.xml:
  <!-- Logs IdP, but not OpenSAML, messages -->
  <logger name="edu.internet2.middleware.shibboleth" level="DEBUG"/>

The idp-process.log will show an exception if the login fails:

11:14:15.470 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:150] - Redirecting to login page /login.jsp
11:14:27.399 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:170] - Attempting to authenticate user testuser
11:14:28.827 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:194] - User authentication for testuser failed
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696) ~[na:1.6.0_26]
         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542) ~[na:1.6.0_26]
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_26]

The above was with the wrong password.

Using an invalid user produces:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

These messages appear to be the Kerberos error message as defined in RFC 4120 Section 7.5.9.
I suspect that it will print the other krb5 errors too.


After sun.security.auth.module.Krb5LoginModule our login.config does an additional
ldap query to make sure the username is allowed to use Shibboleth, and the
account is not disabled. When trying one of these users with valid username and
password the exception is:

15:37:37.490 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:194] - User authentication for othertestuser failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn
         at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:138) ~[vt-ldap-3.3.4.jar:na]

Based on this:
  http://stackoverflow.com/questions/9738756/jaas-kerberos-login-exception-on-wrong-username-password

It looks like with a little extra code in:
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet
the JAAS exception could be processed as IOException, KrbException, or LDAP error
and log the message as ERROR rather than only showing it as DEBUG.

Maybe a better error message could be returned to the user other than
"Credentials not recognized." too.

>
> Thanks,
>
> Keith

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
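Until the servlet logs these failures at ERROR, the DEBUG output above is still usable for detection. The following is an added example (not code from the thread or from Shibboleth): it parses idp-process.log lines of the shape shown in the message, pairs each "User authentication for X failed" line with the LoginException that follows it, and maps the numeric suffix to the RFC 4120 section 7.5.9 error name so that wrong-password failures (24) can be told apart from unknown-principal failures (6) and from the LDAP-stage failure, which carries no code. The sample log text is constructed from the excerpts in the thread.

```python
"""Summarise failed Shibboleth UsernamePassword logins from idp-process.log by Kerberos error code."""
import re
from collections import Counter

# Constructed sample, modelled on the log excerpts quoted in the message above.
SAMPLE_LOG = """\
11:14:27.399 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:170] - Attempting to authenticate user testuser
11:14:28.827 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:194] - User authentication for testuser failed
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696) ~[na:1.6.0_26]
11:14:40.101 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:194] - User authentication for nosuchuser failed
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
15:37:37.490 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:194] - User authentication for othertestuser failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn
         at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:138) ~[vt-ldap-3.3.4.jar:na]
"""

# Subset of the error-code table in RFC 4120 section 7.5.9.
KRB5_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}

FAILED_RE = re.compile(r"^(\S+) - DEBUG \[.*UsernamePasswordLoginServlet:\d+\] - User authentication for (\S+) failed$")
# The Krb5LoginModule message ends in the krb5 error code in parentheses; LDAP-stage messages do not.
EXC_RE = re.compile(r"^javax\.security\.auth\.login\.LoginException: (.*?)(?: \((\d+)\))?$")

def parse_failures(log_text):
    """Pair each 'authentication failed' line with the LoginException line that follows it."""
    failures, pending = [], None
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            pending = {"time": m.group(1), "user": m.group(2)}
            continue
        m = EXC_RE.match(line)
        if m and pending is not None:
            code = int(m.group(2)) if m.group(2) else None
            name = KRB5_ERRORS.get(code, "NON_KRB5" if code is None else "UNKNOWN")
            pending.update(message=m.group(1), code=code, krb5_error=name)
            failures.append(pending)
            pending = None
    return failures

def summarise(failures):
    """Count failures per (user, error): many PREAUTH_FAILED for one user points at password
    guessing; many C_PRINCIPAL_UNKNOWN across different names points at username probing."""
    return Counter((f["user"], f["krb5_error"]) for f in failures)
```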
