RFR 8132111: Do not request for addresses for forwarded TGT

Weijun Wang weijun.wang at oracle.com
Wed Jul 22 03:22:46 UTC 2015


Hi All

Please review the code change at

    http://cr.openjdk.java.net/~weijun/8132111/webrev.00/

Java Kerberos was designed to provide the addresses of a service when 
requesting a forwarded TGT. However, the field was never filled, 
because of a bug where the service principal does not have the 
KRB_NT_SRV_HST nameType. (It has always been KRB_NT_UNKNOWN.)

In JDK-8031111, we "fixed" this and the addresses field is now always sent.

However, it is well known in the Kerberos community that it's difficult 
to get the correct addresses. For example, the service and the client 
might be inside a NAT but the KDC is not. If the addresses observed by 
the client and the KDC are different, such a ticket will be rejected 
when the service is trying to use it.

For this reason, other krb5 vendors do not use the addresses field in a 
forwarded TGT request. We will remove it in this fix. This is also the 
actual behavior of Java before JDK-8031111.

Thanks
Max


