code review request: 7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Wed Aug 3 21:48:15 UTC 2011


The changes look good to me.
Thanks,
Valerie

On 07/06/11 18:10, Weijun Wang wrote:
> Hi Valerie
>
> http://cr.openjdk.java.net/~weijun/7061379/webrev.00/
>
> The bug report says the TGS-REQ "asks for a KRB_NT_SRV_INST type 
> whereas the kdc answers with a KRB_NT_PRINCIPAL type. Thus, 
> equalsWithoutRealm function fails and authentication is refused". The 
> KDC's behavior is a little abnormal but RFC 4120 6.2 [1] does point out:
>
>    ... The name-type SHOULD be
>    treated only as a hint to interpreting the meaning of a name.  It is
>    not significant when checking for equivalence.
>
> So I remove the name-type check in 
> PrincipalName.equalsWithoutRealm(). This also makes equals() 
> transitive, which is good. The hashCode() method has never been 
> dependent on the name-type, so there is no need to update it.
>
> The regression test introduced a new KDC option to set name-type for 
> sname in a KDC-REP to be an arbitrary value, in order to prove it is 
> now ignored in "checking for equivalence".
>
> Thanks
> Max
>
> [1] http://tools.ietf.org/html/rfc4120#section-6.2
>
> -------- Original Message --------
> *Change Request ID*: 7061379
> *Synopsis*: [Kerberos] Cross-realm authentication fails, due to 
> nameType problem
>
>
> === *Description* 
> ============================================================
> FULL PRODUCT VERSION :
> Java HotSpot(TM) 64-Bit Server VM (build 14.1-b02, mixed mode)
>
> /!\ same bug with open jdk 1.7
>
> ADDITIONAL OS VERSION INFORMATION :
> Linux x86_64 Intel(R) Xeon(R) CPU L5520  @ 2.27GHz GNU/Linux
>
> EXTRA RELEVANT SYSTEM CONFIGURATION :
> /!\ same bug with open jdk 1.7
>
> A DESCRIPTION OF THE PROBLEM :
> Authentication to remote server fails. Error doesn't appear in the 
> logs but the debugger points out the following error:
>
> KRB_AP_ERR_MODIFIED (erreur 41) Message stream modified
> in sun.security.krb5.KrbKdcRep class, line 56
>
> Cross-realm authentication to one remote service is processed in
> sun.security.krb5.internal.CredentialsUtil class.
> It consists of obtaining a token for the krbtgt/REALM1@REALM2 
> principal.
>
> Function acquireServiceCreds() negotiates with the kdc, by throwing 
> requests and receiving responses. The equalsWithoutRealm() function is 
> called.
>
> The function equalsWithoutRealm() in sun.security.krb5.PrincipalName 
> checks the conformity between principal asked in request and principal 
> obtained in response.
> However, there is a type mismatch between the two krbtgt principals: 
> request asks for a KRB_NT_SRV_INST type whereas the kdc answers with a 
> KRB_NT_PRINCIPAL type. Thus, equalsWithoutRealm function fails and 
> authentication is refused.
>
>
> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
> Try to access from one realm to whatever remote 'kerberized' service.
> For example: GSSAPI and JNDI for remote LDAP server.
>
> EXPECTED VERSUS ACTUAL BEHAVIOR :
> EXPECTED -
> Expected result: successful authentication with remote service access.
> ACTUAL -
> Error is caught but not reported in system.out, and remote 
> authentication fails.
>
> ERROR MESSAGES/STACK TRACES THAT OCCUR :
> KRB_AP_ERR_MODIFIED (erreur 41) Message stream modified
> in sun.security.krb5.KrbKdcRep class, line 56
>
> is reached but never thrown to the logs.
>
> REPRODUCIBILITY :
> This bug can be reproduced always.
>
> CUSTOMER SUBMITTED WORKAROUND :
> Modifying the acquireServiceCreds() function solves the problem. But 
> maybe the best solution is to change the request for a cross-realm 
> krbtgt.
>
> Line 134 in CredentialsUtil.java:
>
> for (cTgt = ccreds, i = 0; i < realms.length;)
>         {
> //            tempService = new ServiceName(PrincipalName.TGS_DEFAULT_SRV_NAME,
> //                                          serviceRealm, realms[i]);
>             if (!localRealm.equalsIgnoreCase(serviceRealm)) { // do cross-realm authentication
>                 if (DEBUG) {
>                     System.out.println(">>>DEBUG: Credentials request cross realm ticket for " + "krbtgt/" + serviceRealm + "@" + localRealm);
>                 }
>                 // workaround: build the cross-realm TGT name from a single string
>                 tempService = new ServiceName("krbtgt/" + serviceRealm + "@" + realms[i]);
>             } else {
>                 tempService = new ServiceName(PrincipalName.TGS_DEFAULT_SRV_NAME,
>                         serviceRealm, realms[i]);
>             }
>
>             if (DEBUG)
>             {
>                 System.out.println(">>> Credentials acquireServiceCreds: main loop: [" + i + "] tempService=" + tempService);
>             }
> ...
> ...
> ...
>
> SUPPORT :
> YES
>
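A minimal model of the equality change under review, added here as an example and not the JDK's own PrincipalName code: the class name PrincipalNameDemo and the REALM1/REALM2 sample names are assumptions, and the name-type constants carry the values RFC 4120 6.2 assigns them. It shows a TGS-REQ sname typed KRB_NT_SRV_INST matching a KDC reply typed KRB_NT_PRINCIPAL once name-type is dropped from equalsWithoutRealm(), and that equals() and hashCode() stay consistent.

```java
import java.util.Arrays;
import java.util.Objects;

// Simplified stand-in for sun.security.krb5.PrincipalName; not the JDK's own code.
public final class PrincipalNameDemo {
    static final int KRB_NT_PRINCIPAL = 1;   // name-type values from RFC 4120 6.2
    static final int KRB_NT_SRV_INST  = 2;
    static final class PrincipalName {
        final int nameType;          // kept only as a hint for interpreting the name
        final String[] nameStrings;  // e.g. {"krbtgt", "REALM2"}
        final String realm;

        PrincipalName(String text, int nameType) {  // text is "comp1/comp2@REALM"
            int at = text.lastIndexOf('@');
            this.realm = text.substring(at + 1);
            this.nameStrings = text.substring(0, at).split("/");
            this.nameType = nameType;
        }
        // After the 7061379 change: compare name components only, because RFC 4120
        // 6.2 says the name-type "is not significant when checking for equivalence".
        boolean equalsWithoutRealm(PrincipalName o) {
            return Arrays.equals(nameStrings, o.nameStrings);
        }
        // Before the change: a KDC answering with a different name-type failed this
        // check, which is what tripped KRB_AP_ERR_MODIFIED in KrbKdcRep.
        boolean equalsWithoutRealmOld(PrincipalName o) {
            return nameType == o.nameType && Arrays.equals(nameStrings, o.nameStrings);
        }

        @Override public boolean equals(Object x) {
            if (!(x instanceof PrincipalName)) return false;
            PrincipalName p = (PrincipalName) x;
            return equalsWithoutRealm(p) && realm.equals(p.realm);
        }

        // hashCode() never depended on name-type, so it stays consistent with equals().
        @Override public int hashCode() { return Objects.hash(Arrays.hashCode(nameStrings), realm); }
    }

    public static void main(String[] args) {
        // Constructed sample: the sname the client put in its cross-realm TGS-REQ and
        // the sname the KDC sent back (same components, different name-type).
        PrincipalName requested = new PrincipalName("krbtgt/REALM2@REALM1", KRB_NT_SRV_INST);
        PrincipalName returned  = new PrincipalName("krbtgt/REALM2@REALM1", KRB_NT_PRINCIPAL);
        System.out.println("old check accepts reply: " + requested.equalsWithoutRealmOld(returned));
        System.out.println("new check accepts reply: " + requested.equalsWithoutRealm(returned));
        System.out.println("equals()/hashCode() consistent: "
                + (requested.equals(returned) && requested.hashCode() == returned.hashCode()));
    }
}
```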



