Cool. We may look at this, possibly adding more lines into the JAAS login file, something like

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule
    required
    verifyInitCredsService=service/host@REALM
    verifyInitCredsKeytab=service.ktab
};

We've always warned users that simply passing the Krb5LoginModule doesn't mean anything and you should always use this subject in JGSS but not regard it as some kind of authenticity (say, use it in a java policy file). This new function might change that.

Thanks
Max


On 03/11/2011 10:19 AM, cneberg wrote:
> > So it reads the user's secret key from a keytab and try to decrypt
> > the TGT to see if it can successfully get the session key inside

No, it uses the user's TGT to obtain a service ticket for a known valid
key in the keytab file (any valid service key would work usually
HOST/hostname keys, or HTTP/hostname keys are used).  When you do a
successful kinit (AS request) you are validating that the user and the
KDC agree that the user's key was correct, but until you actually try to
use the TGT to get a service ticket for a known service you have not
validated that the KDC you are talking to is not spoofed.  In other
words, if this extra step is not performed inside the Krb5LoginModule
then it is not secure for validating passwords.  Doing this extra step
is standard in mod_auth_kerb, pam_krb5, etc.   If it is not supported it
will require a change in the openjdk code.

-Christopher

On Thu, Mar 10, 2011 at 6:36 PM, Weijun Wang <[email protected]
<mailto:[email protected]>> wrote:

    Hi Christopher

    I'm not familiar with that function. So it reads the user's secret
    key from a keytab and tries to decrypt the TGT to see if it can
    successfully get the session key inside?

    This is a part of the Krb5LoginModule login process: it receives a
    TGT from the KDC and uses either the password or keytab (depending on
    your JAAS config file) to decrypt it. After the commit() method is
    called, the credentials (containing both the TGT and the session
    key) are stored as private credentials in the JAAS subject.

    All public methods we have around Kerberos are APIs defined in JAAS
    and JGSS.

    BTW, this mailing list is used to discuss the development of OpenJDK
    security libraries itself. For API usage or general technical
    support, it would be better to post a question in the forum. There
    are many more experts on application programming there.

    http://forums.oracle.com/forums/forum.jspa?forumID=963

    Thanks
    Max



    On 03/11/2011 01:49 AM, cneberg wrote:

        How do I get the com.sun.security.auth.module.Krb5LoginModule login
        module to verify the TGT against a key in the keytab like is done in
        krb5_verify_init_creds() which is part of C Krb5 API?

        Notes on that API

        http://www.daemon-systems.org/man/krb5_verify_init_creds.3.html

        Thanks,
        Christopher
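The check Christopher describes (use the freshly obtained TGT to request a service ticket for a principal whose key sits in the local keytab, then confirm that ticket decrypts under that key) can be performed today with the public JAAS and JGSS APIs, without waiting for new Krb5LoginModule options. The class below is an added example for this thread, not code from any of the participants or from OpenJDK. It assumes two JAAS entries, `UserLogin` (Krb5LoginModule with a password prompt) and `ServiceLogin` (Krb5LoginModule with `useKeyTab=true` and `storeKey=true`), and the principal name `host/server.example.com@EXAMPLE.COM`; all of these are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example: the "verify init creds" step on top of JAAS + JGSS.
 * A forged KDC can hand out a TGT that the user's password decrypts, but it
 * cannot mint a service ticket under a service key it does not possess, so
 * decrypting such a ticket with the local keytab proves the KDC was genuine.
 */
public class VerifyInitCreds {

    // Kerberos V5 GSS-API mechanism OID (standard value).
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");

    /**
     * @param userSubject     subject holding the TGT just obtained with a password
     * @param acceptorSubject subject holding the service key loaded from the keytab
     * @param servicePrincipal a principal whose key is in that keytab (host/..., HTTP/...)
     * @return true only if the service ticket issued to the user decrypts under
     *         the keytab key; false if the KDC's ticket is unusable (spoofed KDC)
     */
    public static boolean verifyInitCreds(Subject userSubject, Subject acceptorSubject,
                                          String servicePrincipal) throws Exception {
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName(servicePrincipal, GSSName.NT_USER_NAME, KRB5_MECH);

        // Initiator leg, run as the user: this triggers a TGS-REQ with the TGT
        // and yields an AP-REQ carrying the service ticket.
        byte[] apReq = Subject.doAs(userSubject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSContext init = mgr.createContext(target, KRB5_MECH, null,
                                                GSSContext.DEFAULT_LIFETIME);
            try {
                init.requestMutualAuth(false);          // one token is enough for this check
                return init.initSecContext(new byte[0], 0, 0);
            } finally {
                init.dispose();
            }
        });

        // Acceptor leg, run as the service: decrypt the ticket with the keytab key.
        return Subject.doAs(acceptorSubject, (PrivilegedExceptionAction<Boolean>) () -> {
            GSSCredential serviceCred = mgr.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.ACCEPT_ONLY);
            GSSContext accept = mgr.createContext(serviceCred);
            try {
                accept.acceptSecContext(apReq, 0, apReq.length);
                return accept.isEstablished();
            } catch (GSSException e) {
                // Wrong service key, bad checksum, or a ticket the KDC could not
                // legitimately issue: treat the initial login as unverified.
                return false;
            } finally {
                accept.dispose();
                serviceCred.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // "UserLogin" / "ServiceLogin" are assumed JAAS entry names, not real defaults.
        LoginContext user = new LoginContext("UserLogin");
        user.login();                      // AS exchange with the user's password
        LoginContext service = new LoginContext("ServiceLogin");
        service.login();                   // loads the service key from the keytab

        boolean ok = verifyInitCreds(user.getSubject(), service.getSubject(),
                                     "host/server.example.com@EXAMPLE.COM");
        if (!ok) {
            user.logout();                 // do not keep credentials from an unverified KDC
            throw new SecurityException("initial credentials could not be verified");
        }
        System.out.println("password login verified against keytab key");
    }
}
```

Only the acceptor leg actually needs the keytab, so the same helper works whether the caller is a login servlet sharing a `HTTP/` keytab or a PAM-style checker using the `host/` key; a `GSSException` on the acceptor side is the signal that the ticket chain did not originate from a KDC holding the real service key.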

