Posted to dev@mina.apache.org by "Torsten Mielke (JIRA)" <ji...@apache.org> on 2010/12/15 12:21:04 UTC

[jira] Created: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()
-----------------------------------------------------------------------------------------

                 Key: SSHD-102
                 URL: https://issues.apache.org/jira/browse/SSHD-102
             Project: MINA SSHD
          Issue Type: Improvement
    Affects Versions: 0.5.0, 0.4.0
         Environment: sshd JAAS used with LDAP based authentication.

            Reporter: Torsten Mielke


The JaasPasswordAuthenticator.authenticate() method currently silently ignores any exceptions being raised and simply returns false in case of any authentication errors. 
In environments where sshd is used in other frameworks like OSGi, it becomes very difficult to troubleshoot the reasons for the authentication failure. 
Rather than simply returning false, I propose to print a logging statement at the least.

    catch (Exception e) {
            log.error("Authentication failed with " + 
                      e.getMessage() + 
                      "cause: " + 
                      e.getCause() );
            return false;
    }



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Torsten Mielke (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12971631#action_12971631 ] 

Torsten Mielke commented on SSHD-102:
-------------------------------------

One could argue that the exception object itself should not carry the password if it is considered sensitive data, as it is never clear what class is going to catch the exception.
Did a quick check here using an LDAP LoginModule and the password itself is not part of the exception.

Using the attached patch this is the output:

JaasPasswordAuthenticator [29] - Authentication failed with error: LDAP Error, cause: javax.security.auth.login.FailedLoginException




[jira] Resolved: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet resolved SSHD-102.
----------------------------------

       Resolution: Fixed
    Fix Version/s: 0.6.0
         Assignee: Guillaume Nodet

I've slightly changed the log to log the root cause exception, as, if we have to log something, I'd rather log the whole cause and not miss any details.


Committing to https://svn.apache.org/repos/asf/mina/sshd/trunk ...
	M	sshd-core/src/main/java/org/apache/sshd/server/jaas/JaasPasswordAuthenticator.java
Committed r1050323




[jira] Updated: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Torsten Mielke (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Torsten Mielke updated SSHD-102:
--------------------------------

    Attachment:     (was: JaasPasswordAuthenticator.patch)



[jira] Commented: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12972380#action_12972380 ] 

Guillaume Nodet commented on SSHD-102:
--------------------------------------

Ok, as long as the credentials can never appear in the log, I'm fine.



[jira] Commented: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12971630#action_12971630 ] 

Guillaume Nodet commented on SSHD-102:
--------------------------------------

What I fear is that some sensitive information such as passwords could end up in the log and that would be a big security issue.



[jira] Updated: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Torsten Mielke (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Torsten Mielke updated SSHD-102:
--------------------------------

    Attachment: JaasPasswordAuthenticator.patch



[jira] Updated: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Torsten Mielke (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Torsten Mielke updated SSHD-102:
--------------------------------

    Attachment: JaasPasswordAuthenticator.patch

Proposed patch added.



[jira] Updated: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Torsten Mielke (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Torsten Mielke updated SSHD-102:
--------------------------------

    Description: 
The JaasPasswordAuthenticator.authenticate() method currently silently ignores any exceptions being raised and simply returns false in case of any authentication errors. 
In environments where sshd is used in other frameworks like OSGi, it becomes very difficult to troubleshoot the reasons for the authentication failure. 
Rather than simply returning false, I propose to print a logging statement at the least.

    catch (Exception e) {
            log.error("Authentication failed with " + 
                      e.getMessage() + 
                      ", cause: " + 
                      e.getCause() );
            return false;
    }



  was:
The JaasPasswordAuthenticator.authenticate() method currently silently ignores any exceptions being raised and simply returns false in case of any authentication errors. 
In environments where sshd is used in other frameworks like OSGi, it becomes very difficult to troubleshoot the reasons for the authentication failure. 
Rather than simply returning false, I propose to print a logging statement at the least.

    catch (Exception e) {
            log.error("Authentication failed with " + 
                      e.getMessage() + 
                      "cause: " + 
                      e.getCause() );
            return false;
    }






[jira] Updated: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Torsten Mielke (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Torsten Mielke updated SSHD-102:
--------------------------------

    Description: 
The JaasPasswordAuthenticator.authenticate() method currently silently ignores any exceptions being raised and simply returns false in case of any authentication errors. 
In environments where sshd is used in other frameworks like OSGi, it becomes very difficult to troubleshoot the reasons for the authentication failure. 
Rather than simply returning false, I propose to print a logging statement at the least.

    catch (Exception e) {
            log.error("Authentication failed with error: " + 
                      e.getMessage() + 
                      ", cause: " + 
                      e.getCause() );
            return false;
    }



  was:
The JaasPasswordAuthenticator.authenticate() method currently silently ignores any exceptions being raised and simply returns false in case of any authentication errors. 
In environments where sshd is used in other frameworks like OSGi, it becomes very difficult to troubleshoot the reasons for the authentication failure. 
Rather than simply returning false, I propose to print a logging statement at the least.

    catch (Exception e) {
            log.error("Authentication failed with " + 
                      e.getMessage() + 
                      ", cause: " + 
                      e.getCause() );
            return false;
    }






[jira] Commented: (SSHD-102) Add error logging to org.apache.sshd.server.jaas.JaasPasswordAuthenticator.authenticate()

Posted by "Torsten Mielke (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SSHD-102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12971628#action_12971628 ] 

Torsten Mielke commented on SSHD-102:
-------------------------------------

I specifically added e.getCause() to the logging statement as in my case I was hitting an error:
java.lang.NumberFormatException: For input string: "10389""

when specifying an LDAP server URI escaped in double quotes. 
This real cause was only accessible when calling getCause() on the exception.


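The stand-alone example below is added here for this page; it is not code from MINA SSHD, from the committed fix, or from anyone in this thread. It ties together the points made across the thread: an authenticate() that returns false without leaving a trace is hard to troubleshoot, the real cause of a JAAS LoginException may only be reachable through getCause() (the reporter's NumberFormatException from a double-quoted port), and whatever is logged must never include the credentials. It uses java.util.logging instead of the project's logger, a hypothetical BrokenLdapLoginModule that fails the way the reporter's LDAP module did, and a programmatic JAAS Configuration so it runs without a login.config file. The class and module names, the "sshd" login domain, the "port" option and the sample user and password are all assumptions made for the example.

```java
import java.util.*;
import java.util.logging.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Illustrative code written for this page, not MINA SSHD's JaasPasswordAuthenticator.
public class JaasLoggingExample {
    private static final Logger LOG = Logger.getLogger(JaasLoggingExample.class.getName());

    // Hypothetical LoginModule standing in for a misconfigured LDAP module: the LoginException
    // says only "LDAP Error", the real cause is a NumberFormatException from a quoted port option.
    public static class BrokenLdapLoginModule implements LoginModule {
        private CallbackHandler handler;
        private Map<String, ?> options;

        @Override
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h; options = opts;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pw = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { name, pw });
            } catch (Exception e) {
                throw (LoginException) new LoginException("could not obtain credentials").initCause(e);
            }
            pw.clearPassword(); // do not keep the secret around longer than needed
            try {
                Integer.parseInt(String.valueOf(options.get("port")));
            } catch (NumberFormatException nfe) {
                FailedLoginException failure = new FailedLoginException("LDAP Error");
                failure.initCause(nfe); // the useful detail is only reachable via getCause()
                throw failure;
            }
            return true; // a real module would bind to the directory here
        }

        @Override public boolean commit() { return false; }
        @Override public boolean abort() { return false; }
        @Override public boolean logout() { return false; }
    }

    // Programmatic JAAS configuration so the example needs no login.config file.
    static Configuration config(Map<String, ?> options) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        BrokenLdapLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
            }
        };
    }

    // Same contract as JaasPasswordAuthenticator.authenticate(): true on success, false on any
    // failure, but the failure is logged together with its root cause instead of swallowed.
    public static boolean authenticate(String domain, Configuration cfg, String user, String password) {
        try {
            CallbackHandler handler = callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password.toCharArray());
                    }
                }
            };
            new LoginContext(domain, new Subject(), handler, cfg).login();
            return true;
        } catch (Exception e) {
            // The password is deliberately not referenced here; it could only reach the log
            // if a LoginModule embedded it in the exception text itself.
            LOG.log(Level.SEVERE, "Authentication failed for user '" + user + "': "
                    + e.getMessage() + ", root cause: " + rootCause(e), e);
            return false;
        }
    }

    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null) { t = t.getCause(); }
        return t;
    }

    public static void main(String[] args) {
        List<String> captured = new ArrayList<>();
        LOG.setUseParentHandlers(false);
        LOG.addHandler(new Handler() {
            @Override public void publish(LogRecord r) { captured.add(r.getMessage()); }
            @Override public void flush() { }
            @Override public void close() { }
        });
        String secret = "hunter2-not-for-logs";
        // Constructed misconfiguration: the port option carries its own double quotes.
        boolean ok = authenticate("sshd", config(Collections.singletonMap("port", "\"10389\"")), "alice", secret);
        System.out.println("authenticated: " + ok);
        captured.forEach(System.out::println);
        for (String line : captured) {
            if (line.contains(secret)) { throw new AssertionError("credential leaked: " + line); }
        }
    }
}
```

Compile and run with `javac JaasLoggingExample.java && java JaasLoggingExample`. authenticate() returns false, and the single captured log line names "LDAP Error" as the message and java.lang.NumberFormatException as the root cause, which is the detail the original silent `return false` hid. The loop at the end of main is the check Guillaume asked for: it fails the run if the password string ever shows up in the log line. Passing the Throwable as the last argument to LOG.log also records the full stack trace, matching the committed change that logs the cause exception rather than just its message.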