OpenJDK 8u302 - Kerberos - Allow non-forwardable S4U2Self ticket

Vipul Mehta vipulmehta.1989 at gmail.com
Tue Aug 10 16:47:36 UTC 2021


Hi,

https://bugs.openjdk.java.net/browse/JDK-8272162: This bug has been raised
after I contacted Azul JDK developers regarding this issue w.r.t. behavior.

I have discussed this with MIT Kerberos library developers and according to
them the forwardable flag on S4U2Self ticket should not be checked by the
client. If KDC does not accept such a ticket it will fail the request with
an error code.
https://www.mail-archive.com/kerberos@mit.edu/msg23234.html


On Tue, Aug 10, 2021 at 9:50 PM Alexey Bakhtin <alexey at azul.com> wrote:

> Hi Martin,
>
> This is not a JDK8u specific issue. There is a bug for this issue against
> upstream : https://bugs.openjdk.java.net/browse/JDK-8272162
>
> Regards
> Alexey
>
> > On 10 Aug 2021, at 19:08, Martin Balao <mbalao at redhat.com> wrote:
> >
> > Hi Vipul,
> >
> > Thanks for raising this issue.
> >
> > Let me ask you a few questions:
> >
> > 1) Is this JDK-8 specific? Otherwise, we need to forward it to the
> > security-dev list.
> >
> > 2) The enforcement of forwardable S4U2Self tickets was previous to
> > JDK-8005819. In fact, it was introduced as part of JDK-8022582 [1]. Does
> > JDK-8005819 change anything in this regard? (i.e. enabled something new
> > that was not possible before, etc.)
> >
> > 3) Re-introducing the behavior of forwarding non-forwardable tickets in
> > OpenJDK's client when it has not been there for quite some time would
> > require a strong reason, even under a non-default flag. I'd appreciate
> > if you can point me to protocol documentation to back that up. This is
> > different than allowing such behavior for backward-compatibility reasons
> > as a result of a recent or new change -possibly under a non-default
> > flag-. In addition, if there is any other Krb client that documents or
> > implements this behavior it would be good to know. At first glance looks
> > counter-intuitive and even a security weakness to forward
> > non-forwardable tickets from the client-side.
> >
> > I'm CC'ing @Max to this email as he might have more insights on this.
> >
> > Regards,
> > Martin.-
> >
> > --
> > [1] - http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/ae6449bc523f#l3.17
> >
> >
> >
> > On 7/30/21 6:04 AM, Vipul Mehta wrote:
> >> Hi,
> >>
> >> Resource based constrained delegation support was added to JDK via
> >> following fix: https://bugs.openjdk.java.net/browse/JDK-8005819
> >>
> >> This change does not allow S4U2Self ticket issued by KDC to be
> >> non-forwardable, as
> >> sun.security.krb5.internal.CredentialsUtil -> acquireS4U2selfCreds() ->
> >> line 105 throws exception.
> >>
> >> Resource based constrained delegation S4U2Proxy will work even without a
> >> non forwardable S4U2Self ticket if KDC is configured to accept such a
> >> ticket. So, Java should let KDC decide whether to accept or reject such
> >> a ticket.
> >>
> >> S4U2Self ticket will be marked as forwardable by Microsoft KDC in
> >> following cases:
> >> 1) trustedToAuthForDelegation is true
> >> 2) trustedToAuthForDelegation is false and msDs-AllowedToDelegateTo
> >> list is empty.
> >>
> >> If trustedToAuthForDelegation is false and msDs-AllowedToDelegateTo
> >> list is non-empty then S4U2Self ticket will not have a forwardable flag.
> >>
> >> The S4U2Self ticket is used in S4U2Proxy TGS-Request.
> >> If S4U2Self ticket is not forwardable then S4U2Proxy will work in
> >> following cases of single realm resource based constrained delegation:
> >>
> >> 1) Patch for CVE-2020-16996 is not applied in KDC.
> >> 2) Patch for CVE-2020-16996 is applied in KDC and registry entry -
> >> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\NonForwardableDelegation
> >> is set to 1. (DWORD type)
> >>
> >
>
>

-- 
Regards,
Vipul
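The thread turns on whether the client should inspect the forwardable bit of the S4U2Self ticket at all. As an added example (not code from the thread or from OpenJDK), the following Python decodes the KerberosFlags BIT STRING that carries a ticket's flags (RFC 4120, section 5.2.8) and reports the forwardable bit, so an operator can see on the wire what the KDC actually issued; the two DER samples are constructed by hand, not captured from a real KDC.

```python
# Added example, not OpenJDK code: decode a DER-encoded KerberosFlags BIT
# STRING (RFC 4120 section 5.2.8) and check the forwardable bit on it.

# Flag bit positions from RFC 4120 section 5.4.1 (bit 0 is reserved).
FLAG_NAMES = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}


def decode_kerberos_flags(der: bytes) -> set:
    """Return the set of flag names set in a DER KerberosFlags value.

    X.690 BIT STRING layout: tag 0x03, definite length, one byte giving the
    number of unused trailing bits, then the bit data with bit 0 in the MSB
    of the first data byte (the numbering RFC 4120 uses).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:   # short-form length only
        raise ValueError("unsupported or truncated length")
    unused, data = der[2], der[3:]
    if unused > 7 or (unused and not data):
        raise ValueError("bad unused-bits count")
    nbits = len(data) * 8 - unused
    if nbits < 32:                                 # KerberosFlags SIZE (32..MAX)
        raise ValueError("KerberosFlags must carry at least 32 bits")
    flags = set()
    for bit in range(nbits):
        if data[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(FLAG_NAMES.get(bit, "bit%d" % bit))
    return flags


def is_forwardable(der: bytes) -> bool:
    """The bit the JDK client checks on the S4U2Self ticket."""
    return "forwardable" in decode_kerberos_flags(der)


# Constructed samples (not real KDC output): flags 0x40A00000, i.e.
# forwardable + renewable + pre-authent, as the KDC issues when the service
# is trustedToAuthForDelegation, and 0x00A00000, the non-forwardable
# S4U2Self ticket the thread is about.
FORWARDABLE_TICKET_FLAGS = bytes.fromhex("03050040a00000")
NON_FORWARDABLE_TICKET_FLAGS = bytes.fromhex("03050000a00000")
```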

