OpenJDK 8u302 - Kerberos - Allow non-forwardable S4U2Self ticket

Alexey Bakhtin alexey at azul.com
Tue Aug 10 16:20:06 UTC 2021


Hi Martin,

This is not a JDK8u specific issue. There is a bug for this issue against upstream: https://bugs.openjdk.java.net/browse/JDK-8272162

Regards
Alexey

> On 10 Aug 2021, at 19:08, Martin Balao <mbalao at redhat.com> wrote:
> 
> Hi Vipul,
> 
> Thanks for raising this issue.
> 
> Let me ask you a few questions:
> 
> 1) Is this JDK-8 specific? Otherwise, we need to forward it to the
> security-dev list.
> 
> 2) The enforcement of forwardable S4U2Self tickets was previous to
> JDK-8005819. In fact, it was introduced as part of JDK-8022582 [1]. Does
> JDK-8005819 change anything in this regard? (i.e. enabled something new
> that was not possible before, etc.)
> 
> 3) Re-introducing the behavior of forwarding non-forwardable tickets in
> OpenJDK's client when it has not been there for quite some time would
> require a strong reason, even under a non-default flag. I'd appreciate
> it if you could point me to protocol documentation to back that up. This is
> different than allowing such behavior for backward-compatibility reasons
> as a result of a recent or new change (possibly under a non-default
> flag). In addition, if there is any other Krb client that documents or
> implements this behavior it would be good to know. At first glance it looks
> counter-intuitive and even a security weakness to forward
> non-forwardable tickets from the client-side.
> 
> I'm CC'ing @Max to this email as he might have more insights on this.
> 
> Regards,
> Martin.-
> 
> --
> [1] - http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/ae6449bc523f#l3.17
> 
> 
> 
> On 7/30/21 6:04 AM, Vipul Mehta wrote:
>> Hi,
>> 
>> Resource-based constrained delegation support was added to the JDK via the
>> following fix: https://bugs.openjdk.java.net/browse/JDK-8005819
>> 
>> This change does not allow an S4U2Self ticket issued by the KDC to be
>> non-forwardable, as
>> sun.security.krb5.internal.CredentialsUtil -> acquireS4U2selfCreds() ->
>> line 105 throws an exception.
>> 
>> Resource-based constrained delegation S4U2Proxy will work even without a
>> non-forwardable S4U2Self ticket if the KDC is configured to accept such a
>> ticket. So, Java should let the KDC decide whether to accept or reject such a
>> ticket.
>> 
>> The S4U2Self ticket will be marked as forwardable by the Microsoft KDC in the
>> following cases:
>> 1) trustedToAuthForDelegation is true
>> 2) trustedToAuthForDelegation is false and msDs-AllowedToDelegateTo list is
>> empty.
>> 
>> If trustedToAuthForDelegation is false and the msDs-AllowedToDelegateTo list is
>> non-empty, then the S4U2Self ticket will not have the forwardable flag.
>> 
>> The S4U2Self ticket is used in the S4U2Proxy TGS-Request.
>> If the S4U2Self ticket is not forwardable, then S4U2Proxy will work in the following
>> cases of single-realm resource-based constrained delegation:
>> 
>> 1) The patch for CVE-2020-16996 is not applied on the KDC.
>> 2) The patch for CVE-2020-16996 is applied on the KDC and the registry entry
>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\NonForwardableDelegation
>> is set to 1 (DWORD type).
>> 
> 
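An added example, not part of the thread and not JDK or Microsoft code: a PowerShell audit that applies the KDC rules Vipul lists above to each AD account holding an SPN, predicting whether its S4U2Self ticket will be forwardable, and reads the NonForwardableDelegation registry value on a domain controller. It assumes the ActiveDirectory module, read access to the attributes, and that 0x1000000 is the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl.

```powershell
# Added audit example (assumptions: ActiveDirectory module, read rights,
# 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl).
Import-Module ActiveDirectory

$TrustedToAuthForDelegation = 0x1000000

function Get-S4U2SelfForwardability {
    # One row per SPN-bearing account with the forwardable flag predicted
    # from the two attributes the thread says the Microsoft KDC consults.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        $t2a4d = ($_.userAccountControl -band $TrustedToAuthForDelegation) -ne 0
        # Filter through Where-Object so an unset attribute yields count 0,
        # not a one-element array holding $null.
        $allowedTo = @($_.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        # Rules from the thread: forwardable when T2A4D is set, or when it is
        # clear and msDS-AllowedToDelegateTo is empty; otherwise not.
        $forwardable = $t2a4d -or ($allowedTo.Count -eq 0)
        [pscustomobject]@{
            Account                    = $_.Name
            TrustedToAuthForDelegation = $t2a4d
            AllowedToDelegateToCount   = $allowedTo.Count
            S4U2SelfForwardable        = $forwardable
        }
    }
}

function Get-KdcNonForwardableDelegation {
    # Run on a domain controller. Reads the value the thread names; 1 means
    # the patched KDC still accepts a non-forwardable S4U2Self ticket in
    # S4U2Proxy. Returns 'not set' when the value is absent.
    $key  = 'HKLM:\System\CurrentControlSet\Services\Kdc'
    $item = Get-ItemProperty -Path $key -Name NonForwardableDelegation `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    return $item.NonForwardableDelegation
}

# Accounts whose S4U2Self ticket will lack the forwardable flag, i.e. the
# ones for which the JDK check in CredentialsUtil would throw.
Get-S4U2SelfForwardability |
    Where-Object { -not $_.S4U2SelfForwardable } |
    Format-Table -AutoSize
```

Run the registry function on each DC separately; the flag is per KDC, not replicated through AD.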