OpenJDK 8u302 - Kerberos - Allow non-forwardable S4U2Self ticket

Martin Balao mbalao at redhat.com
Tue Aug 10 16:08:50 UTC 2021


Hi Vipul,

Thanks for raising this issue.

Let me ask you a few questions:

1) Is this JDK-8 specific? Otherwise, we need to forward it to the
security-dev list.

2) The enforcement of forwardable S4U2Self tickets predates
JDK-8005819. In fact, it was introduced as part of JDK-8022582 [1]. Does
JDK-8005819 change anything in this regard? (i.e. does it enable something new
that was not possible before, etc.)

3) Re-introducing the behavior of forwarding non-forwardable tickets in
OpenJDK's client when it has not been there for quite some time would
require a strong reason, even under a non-default flag. I'd appreciate it
if you could point me to protocol documentation to back that up. This is
different from allowing such behavior for backward-compatibility reasons
as a result of a recent or new change (possibly under a non-default
flag). In addition, if there is any other Krb client that documents or
implements this behavior it would be good to know. At first glance it looks
counter-intuitive and even a security weakness to forward
non-forwardable tickets from the client-side.

I'm CC'ing @Max on this email as he might have more insights on this.

Regards,
Martin.-

--
[1] - http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/ae6449bc523f#l3.17



On 7/30/21 6:04 AM, Vipul Mehta wrote:
> Hi,
> 
> Resource based constrained delegation support was added to JDK via
> following fix: https://bugs.openjdk.java.net/browse/JDK-8005819
> 
> This change does not allow an S4U2Self ticket issued by the KDC to be
> non-forwardable, as
> sun.security.krb5.internal.CredentialsUtil -> acquireS4U2selfCreds() ->
> line 105 throws an exception.
> 
> Resource based constrained delegation S4U2Proxy will work even without a
> non-forwardable S4U2Self ticket if the KDC is configured to accept such a
> ticket. So, Java should let the KDC decide whether to accept or reject such a
> ticket.
> 
> The S4U2Self ticket will be marked as forwardable by the Microsoft KDC in the following
> cases:
> 1) trustedToAuthForDelegation is true
> 2) trustedToAuthForDelegation is false and msDs-AllowedToDelegateTo list is
> empty.
> 
> If trustedToAuthForDelegation is false and the msDs-AllowedToDelegateTo list is
> non-empty then the S4U2Self ticket will not have the forwardable flag.
> 
> The S4U2Self ticket is used in the S4U2Proxy TGS-Request.
> If the S4U2Self ticket is not forwardable then S4U2Proxy will work in the following
> cases of single realm resource based constrained delegation:
> 
> 1) The patch for CVE-2020-16996 is not applied on the KDC.
> 2) The patch for CVE-2020-16996 is applied on the KDC and the registry entry
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\NonForwardableDelegation
> is set to 1 (DWORD type).
> 