mina-dev mailing list archives

From "Torsten Mielke (JIRA)" <j...@apache.org>
Subject [jira] Commented: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()
Date Wed, 15 Dec 2010 11:47:01 GMT

    [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12971631#action_12971631 ]

Torsten Mielke commented on SSHD-102:
-------------------------------------

One could argue that the exception object itself should not carry the password if it is considered
sensitive data, as it is never clear what class is going to catch the exception.
Did a quick check here using an LDAP LoginModule and the password itself is not part of the
exception.

Using the attached patch this is the output:

JaasPasswordAuthenticator [29] - Authentication failed with error: LDAP Error, cause: javax.security.auth.login.FailedLoginException


> Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()
> -----------------------------------------------------------------------------------------
>
>                 Key: SSHD-102
>                 URL: https://issues.apache.org/jira/browse/SSHD-102
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 0.4.0, 0.5.0
>         Environment: sshd JAAS used with LDAP based authentication.
>            Reporter: Torsten Mielke
>         Attachments: JaasPasswordAuthenticator.patch
>
>
> The JaasPasswordAuthenticator.authenticate() method currently silently ignores any exceptions being raised and simply returns false in case of any authentication errors.
> In environments where sshd is used in other frameworks like OSGi, it becomes very difficult to troubleshoot the reasons for the authentication failure.
> Rather than simply returning false, I propose to print a logging statement at the least.
>     catch (Exception e) {
>             log.error("Authentication failed with error: " + 
>                       e.getMessage() + 
>                       ", cause: " + 
>                       e.getCause() );
>             return false;
>     }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
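
Added example, not part of the original message, the attached patch, or MINA SSHD: a sketch of the logging discussed above that keeps the same message format but masks the submitted password in case a login module does place it in the exception text. `describeFailure` and `leakyLogin` are hypothetical names, the credentials are constructed, and `java.util.logging` stands in for the project's logger.

```java
import java.util.logging.Logger;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class AuthFailureLogging {
    private static final Logger LOG = Logger.getLogger("JaasPasswordAuthenticator");

    /**
     * Builds the log line in the format shown in the message above and masks
     * the submitted password wherever it appears in the message or cause text.
     * This is a last line of defence: the login module should not put the
     * password into the exception in the first place.
     */
    static String describeFailure(Throwable e, char[] password) {
        String text = "Authentication failed with error: " + e.getMessage()
                + ", cause: " + e.getCause();
        if (password != null && password.length > 0) {
            // Very short passwords will over-redact; that is the safe direction.
            text = text.replace(new String(password), "<redacted>");
        }
        return text;
    }

    /** Hypothetical stand-in for a login module that echoes the credential. */
    static void leakyLogin(String user, char[] password) throws LoginException {
        LoginException e = new LoginException(
                "bind failed for " + user + "/" + new String(password));
        e.initCause(new FailedLoginException());
        throw e;
    }

    static boolean authenticate(String user, char[] password) {
        try {
            leakyLogin(user, password);
            return true;
        } catch (Exception e) {
            // Log the sanitized text only; passing the exception object to the
            // logger would print its unredacted message in the stack trace.
            LOG.severe(describeFailure(e, password));
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials.
        System.out.println(authenticate("alice", "s3cret-sample".toCharArray()));
    }
}
```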

