OpenJDK 8u302 - Kerberos - Allow non-forwardable S4U2Self ticket
Wei-Jun Wang
weijun.wang at oracle.com
Wed Aug 11 02:14:12 UTC 2021
If I remember correctly, the check was added because I thought the ticket would not be accepted by the KDC and there’s no need to send it.
But here the problem becomes more complicated because some kinds of KDC (WIN2012) do and some do not. See JBS comments between Alexey and me.
—Max
> On Aug 10, 2021, at 12:47 PM, Vipul Mehta <vipulmehta.1989 at gmail.com> wrote:
>
> Hi,
>
> https://bugs.openjdk.java.net/browse/JDK-8272162: This bug has been raised after I contacted Azul JDK developers regarding this issue w.r.t. behavior.
>
> I have discussed this with MIT Kerberos library developers and according to them the forwardable flag on S4U2Self ticket should not be checked by the client. If KDC does not accept such a ticket it will fail the request with an error code.
> https://www.mail-archive.com/kerberos@mit.edu/msg23234.html
>
>
> On Tue, Aug 10, 2021 at 9:50 PM Alexey Bakhtin <alexey at azul.com> wrote:
> Hi Martin,
>
> This is not a JDK8u specific issue. There is a bug for this issue against upstream: https://bugs.openjdk.java.net/browse/JDK-8272162
>
> Regards
> Alexey
>
> > On 10 Aug 2021, at 19:08, Martin Balao <mbalao at redhat.com> wrote:
> >
> > Hi Vipul,
> >
> > Thanks for raising this issue.
> >
> > Let me ask you a few questions:
> >
> > 1) Is this JDK-8 specific? Otherwise, we need to forward it to the
> > security-dev list.
> >
> > 2) The enforcement of forwardable S4U2Self tickets was previous to
> > JDK-8005819. In fact, it was introduced as part of JDK-8022582 [1]. Does
> > JDK-8005819 change anything in this regard? (i.e. enabled something new
> > that was not possible before, etc.)
> >
> > 3) Re-introducing the behavior of forwarding non-forwardable tickets in
> > OpenJDK's client when it has not been there for quite some time would
> > require a strong reason, even under a non-default flag. I'd appreciate
> > if you can point me to protocol documentation to back that up. This is
> > different than allowing such behavior for backward-compatibility reasons
> > as a result of a recent or new change, possibly under a non-default
> > flag. In addition, if there is any other Krb client that documents or
> > implements this behavior it would be good to know. At first glance it looks
> > counter-intuitive and even a security weakness to forward
> > non-forwardable tickets from the client-side.
> >
> > I'm CC'ing @Max to this email as he might have more insights on this.
> >
> > Regards,
> > Martin.-
> >
> > --
> > [1] - http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/ae6449bc523f#l3.17
> >
> >
> >
> > On 7/30/21 6:04 AM, Vipul Mehta wrote:
> >> Hi,
> >>
> >> Resource-based constrained delegation support was added to JDK via the
> >> following fix: https://bugs.openjdk.java.net/browse/JDK-8005819
> >>
> >> This change does not allow an S4U2Self ticket issued by the KDC to be
> >> non-forwardable, as
> >> sun.security.krb5.internal.CredentialsUtil -> acquireS4U2selfCreds() ->
> >> line 105 throws an exception.
> >>
> >> Resource-based constrained delegation S4U2Proxy will work even without a
> >> non-forwardable S4U2Self ticket if the KDC is configured to accept such a
> >> ticket. So, Java should let the KDC decide whether to accept or reject such a
> >> ticket.
> >>
> >> The S4U2Self ticket will be marked as forwardable by the Microsoft KDC in the following
> >> cases:
> >> 1) trustedToAuthForDelegation is true
> >> 2) trustedToAuthForDelegation is false and msDs-AllowedToDelegateTo list is
> >> empty.
> >>
> >> If trustedToAuthForDelegation is false and msDs-AllowedToDelegateTo list is
> >> non-empty then S4U2Self ticket will not have a forwardable flag.
> >>
> >> The S4U2Self ticket is used in S4U2Proxy TGS-Request.
> >> If the S4U2Self ticket is not forwardable then S4U2Proxy will work in the following
> >> cases of single-realm resource-based constrained delegation:
> >>
> >> 1) Patch for CVE-2020-16996 is not applied in KDC.
> >> 2) Patch for CVE-2020-16996 is applied in KDC and registry entry -
> >> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\NonForwardableDelegation
> >> is set to 1. (DWORD type)
> >>
> >
>
>
>
> --
> Regards,
> Vipul
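The decision points Vipul describes above (the JDK client check in acquireS4U2selfCreds, the Microsoft KDC's rule for setting the forwardable flag, and KDC-side acceptance after the CVE-2020-16996 patch), worked through as an added Python example; this is not code from the thread or from OpenJDK, and the TicketFlags byte strings are constructed samples.

```python
# Added example, not from OpenJDK: decode Kerberos TicketFlags and model the
# outcomes for a single-realm RBCD S4U2Proxy request described in the thread.
# TicketFlags bit numbers per RFC 4120 5.2.8 (bit 0 is the most significant bit).
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8, "initial": 9,
    "pre-authent": 10, "hw-authent": 11, "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}

# Constructed DER BIT STRINGs (tag 0x03, length 5, 0 unused bits, 4 data bytes).
FORWARDABLE_SAMPLE = bytes.fromhex("03 05 00 40 a1 00 00")      # forwardable, renewable, pre-authent
NON_FORWARDABLE_SAMPLE = bytes.fromhex("03 05 00 00 a1 00 00")  # same ticket without forwardable


def decode_ticket_flags(der: bytes) -> set:
    """Return the named TicketFlags set in a short-form DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused_bits, body = der[2], der[3:]
    usable_bits = len(body) * 8 - unused_bits
    return {
        name for name, bit in TICKET_FLAG_BITS.items()
        if bit < usable_bits and body[bit // 8] & (0x80 >> (bit % 8))
    }


def kdc_marks_forwardable(trusted_to_auth_for_delegation: bool,
                          allowed_to_delegate_to: list) -> bool:
    """Microsoft KDC rule from the thread: the S4U2Self ticket is forwardable unless
    trustedToAuthForDelegation is false AND msDs-AllowedToDelegateTo is non-empty."""
    return trusted_to_auth_for_delegation or not allowed_to_delegate_to


def s4u2proxy_outcome(s4u2self_flags_der: bytes, client_enforces_forwardable: bool,
                      kdc_accepts_non_forwardable: bool) -> str:
    """Where a non-forwardable S4U2Self ticket fails: at the client (the JDK check),
    at the KDC (patched KDC without NonForwardableDelegation=1), or nowhere."""
    if "forwardable" in decode_ticket_flags(s4u2self_flags_der):
        return "ok"
    if client_enforces_forwardable:
        return "client-rejected"   # exception thrown before any TGS-REQ is sent
    if not kdc_accepts_non_forwardable:
        return "kdc-rejected"      # the KDC answers the S4U2Proxy TGS-REQ with an error
    return "ok"
```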