- Bug
- Resolution: Duplicate
- P3
- None
- 1.4.2, 5.0
- x86
- linux
FULL PRODUCT VERSION :
java version "1.4.2_08"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_08-b03)
Java HotSpot(TM) Client VM (build 1.4.2_08-b03, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Scientific Linux 3.0.4, Debian Linux 3.0
A DESCRIPTION OF THE PROBLEM :
The 'kinit' binary in the J2RE and J2SDK distributions echoes the password:
prompt> $JAVA_HOME/bin/kinit
Password for ###@###.###:password
The password should not be visible on the screen, when entered by the user.
There are other alternative 'kinit' utilities, so normally this bug does not have any impact on using Kerberos. However, if a developer or a user chooses to put the $JAVA_HOME/bin directory at the beginning of the PATH, then the behaviour of the utility weakens security, by making a user password visible.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
$JAVA_HOME/bin/kinit
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The entered password would not be visible on the screen.
ACTUAL -
The password was visible on the screen.
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
stty -echo
$JAVA_HOME/bin/kinit
stty echo
###@###.### 2005-05-13 08:28:42 GMT
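When the workaround above is run from a script and kinit is interrupted before `stty echo` executes, the terminal is left with echo disabled. The following wrapper is an added example, not part of the original report or of the JDK: it saves the exact terminal settings with `stty -g` and restores them on normal exit and on signals. The function name `run_noecho` is hypothetical.

```shell
#!/bin/sh
# Added example: run a command with terminal echo off and always restore
# the saved terminal settings afterwards.
# run_noecho is a hypothetical helper name, not something shipped with the JDK.
#
# Usage: run_noecho "$JAVA_HOME/bin/kinit"

run_noecho() {
    # Nothing to hide when stdin is not a terminal (pipe, cron, /dev/null).
    if ! [ -t 0 ]; then
        "$@"
        return $?
    fi

    # Subshell keeps the traps and the saved state local to this call.
    (
        # Save the full settings, not just the echo flag, so the terminal
        # comes back exactly as it was.
        saved=$(stty -g) || exit 1

        # Restore on every exit path; the newline replaces the Enter key
        # press that was not echoed.
        trap 'stty "$saved"; printf "\n" >&2' EXIT
        # Turn signals into exits so the EXIT trap runs.
        trap 'exit 130' INT
        trap 'exit 143' TERM HUP

        stty -echo || exit 1
        "$@"
        # Explicit exit keeps the shell from exec'ing the command in place,
        # which would skip the EXIT trap.
        exit $?
    )
}
```

The exit status of the wrapped command is passed through, so callers can still detect a failed kinit.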
- duplicates
- JDK-6335138 Java SE security should use the new Console.readPassword() method
- Resolved