RFR 8132111: Do not request for addresses for forwarded TGT

Sean Mullan sean.mullan at oracle.com
Thu Jul 30 13:07:57 UTC 2015


This seems ok to me. I think we should also document this behavior if it 
isn't already (maybe in one of the security guides), so could you file a 
follow-on docs bug?

Thanks,
Sean

On 07/21/2015 11:22 PM, Weijun Wang wrote:
> Hi All
>
> Please review the code change at
>
>     http://cr.openjdk.java.net/~weijun/8132111/webrev.00/
>
> Java Kerberos was designed to provide the addresses of a service when
> requesting a forwarded TGT. However, the field was never filled,
> because of a bug where the service principal did not have the
> KRB_NT_SRV_HST nameType. (It has always been KRB_NT_UNKNOWN).
>
> In JDK-8031111, we "fixed" this and the addresses field is now always sent.
>
> However, it is well known in the Kerberos community that it's difficult
> to get the correct addresses. For example, the service and the client
> might be inside a NAT but the KDC is not. If the addresses observed by
> the client and the KDC are different, such a ticket will be rejected
> when the service is trying to use it.
>
> For this reason, other krb5 vendors do not use the addresses field in a
> forwarded TGT request. We will remove it in this fix. This is also the
> actual behavior of Java before JDK-8031111.
>
> Thanks
> Max