[Bug 1861883] Re: JAAS Krb5LoginModule authenticates wrong principal

[Andreas Ufert]

Bug is tracked here: https://bugs.openjdk.java.net/browse/JDK-8239385

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861883

Title:
  JAAS Krb5LoginModule authenticates wrong principal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1861883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1861883] Re: JAAS Krb5LoginModule authenticates wrong principal

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openjdk-8 (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861883

Title:
  JAAS Krb5LoginModule authenticates wrong principal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1861883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1861883] Re: JAAS Krb5LoginModule authenticates wrong principal

[Andreas Ufert]

Problem can be reproduced using a minimal Example as follows:


# This is what we have:

user@host:~/work$ ls -al
total 20
drwxrwx--- 2 user user 4096 Feb 14 17:33 .
drwxr-xr-x 5 user user 4096 Feb 14 17:29 ..
-rw-rw 1 user user  942 Feb 14 17:29 KerberosDemo.java
-rw-rw 1 user user  101 Feb 13 13:13 jaas_cached.conf
-rw-rw 1 user user  276 Feb 13 13:24 jaas_keytab.conf


# it's a minimal example

user@host:~/work$ cat KerberosDemo.java 
import javax.security.auth.login.*;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;

public class KerberosDemo {
public static void main (String[] args) {
LoginContext loginContext = null;
try {
loginContext = new LoginContext("Demo");
}
catch (LoginException e) {
System.err.println("login context creation failed: 
"+e.getMessage());
System.exit(1);
}
try {
loginContext.login();
}
catch (LoginException e) {
System.out.println("authentication failed");
System.exit(1);
}
Subject subject = loginContext.getSubject();
System.out.println("Authenticated principal: " + 
subject.getPrincipals());
Set credentials = subject.getPrivateCredentials();
Iterator iterator = credentials.iterator();
KerberosTicket kt = (KerberosTicket) iterator.next();
System.out.println("Client name: " + kt.getClient());
}
}


# let's compile it

user@host:~/work$ javac KerberosDemo.java


# and use it either with a keytab (JAAS is getting the ticket) ...

user@host:~/work$ cat jaas_keytab.conf # use keytab!
Demo {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytabs/myprincipal.service.keytab"
storeKey=true
useTicketCache=false
serviceName="serviceprincipal"
principal="myprincipal/fqdn.example@example.com";
};


# ... or with a ticket gotten earlier by MIT Kerberos client (kinit)

user@host:~/work$ cat jaas_cached.conf # use cached!
Demo {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
useTicketCache=true;
};


# this is how the ticket was placed in the cache

user@host:~/work$ kinit -kt
/etc/security/keytabs/myprincipal.service.keytab
myprincipal/fqdn.example@example.com


# now, this is what happens with OpenJDK 1.8.0_232
# principal name and client name all refer to 
myprincipal/fqdn.example@example.com (in AD, this is the 
servicePrincipalName):

user@host:~/work$ java -version
openjdk version "1.8.0_232"
OpenJDK Runtime Environment (build 1.8.0_232-8u232-b09-0ubuntu1~18.04.1-b09)
OpenJDK 64-Bit Server VM (build 25.232-b09, mixed mode)
user@host:~/work$ java -Djava.security.auth.login.config=jaas_keytab.conf 
KerberosDemo
Authenticated principal: [myprincipal/fqdn.example@example.com]
Client name: myprincipal/fqdn.example@example.com
user@host:~/work$ java -Djava.security.auth.login.config=jaas_cached.conf 
KerberosDemo
Authenticated principal: [myprincipal/fqdn.example@example.com]
Client name: myprincipal/fqdn.example@example.com


# while this is what we see with OpenJDK 1.8.0_242
# while for the cached ticket the results are the same, for the ticket gotten 
by JAAS the names differ!!!
# Note: $V9H200-TAD2F4IK2G09 is the sAMAccountName of the AD user with 
servicePrincipalName myprincipal/fqdn.example@example.com

user@host:~/work$ java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-8u242-b08-0ubuntu3~18.04-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
user@host:~/work$ java -Djava.security.auth.login.config=jaas_keytab.conf 
KerberosDemo
Authenticated principal: [myprincipal/fqdn.example@example.com]
Client name: $v9h200-tad2f4ik2...@example.com
user@host:~/work$ java -Djava.security.auth.login.config=jaas_cached.conf 
KerberosDemo
Authenticated principal: [myprincipal/fqdn.example@example.com]
Client name: myprincipal/fqdn.example@example.com

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861883

Title:
  JAAS Krb5LoginModule authenticates wrong principal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1861883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs