[Bug] javax.security.auth.kerberos.KeyTab returns unrequested keys
Osipov, Michael (IN IT IN)
michael.osipov at innomotics.com
Mon May 13 17:30:33 UTC 2024
On 2024-05-09 00:13, Wei-Jun Wang wrote:
> Hi Michael,
>
> I've filed https://bugs.openjdk.org/browse/JDK-8331975. I plan to introduce a system property to control the string comparison mode.
>
> In my earlier reply I mentioned fixing keytab entry lookup no matter how the comparison is done. I did some evaluation and the code change will be quite big. The lookup of a long term service key is now divided in 2 steps: first find the keys for the service, and then pinpoint the key with the correct kvno and the etype. Unfortunately the name info is lost after the 1st step. In order to do a case-sensitive preferred 2nd step search, the name has to be retained. Also, if a vendor goes case-insensitive, in theory there is a probability that between the 2 entries in the keytab actually the one that has a different case is the right one! Who knows.
>
> Therefore I decide not to implement this part and only rely on the system property. If a program wants to work with a case-sensitive KDC that really has service names only differ in case, please just turn this system property on.
I'd just like to add one more thing on the matter of how MIT Kerberos behaves:
> # klist -kte | grep \\$
> 2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (DEPRECATED:des-cbc-crc)
> 2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (DEPRECATED:des-cbc-md5)
> 2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (aes128-cts-hmac-sha1-96)
> 2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
> 2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (DEPRECATED:arcfour-hmac)
> # kinit -k deblndw011x\$
> kinit: Keytab contains no suitable keys for deblndw011x$@AD001.SIEMENS.NET while getting initial credentials
> # kinit -k DEBLNDW011X\$
> # echo $?
> 0
So MIT Kerberos seems to behave according to the RFC.
Michael
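As an added illustration (not code from this thread, from OpenJDK, or from MIT Kerberos), the following Python models the two-step keytab lookup Wei-Jun describes: first collect the entries for a service principal, then pinpoint the key by kvno and etype. It shows why the name has to survive into the second step once comparison becomes case-insensitive. The keytab entries are constructed for the example (the key strings are labels, not key material; only the principal spelling mirrors the klist output above), and `lookup`, `naive_lookup` and `case_sensitive` are hypothetical names, not the JDK's API or its system property.

```python
"""Model of keytab entry lookup with case-sensitive vs. case-insensitive
principal matching. Constructed example; keys are labels, not key material."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # "name@REALM"
    kvno: int
    etype: str
    key: str         # placeholder label standing in for the key bytes


# Constructed keytab: two principals that differ only in case, the situation
# a case-insensitive KDC may produce and a case-sensitive one never will.
KEYTAB: List[KeytabEntry] = [
    KeytabEntry("DEBLNDW011X$@AD001.SIEMENS.NET", 2, "aes256-cts-hmac-sha1-96", "upper-2-aes256"),
    KeytabEntry("DEBLNDW011X$@AD001.SIEMENS.NET", 2, "aes128-cts-hmac-sha1-96", "upper-2-aes128"),
    KeytabEntry("deblndw011x$@AD001.SIEMENS.NET", 2, "aes256-cts-hmac-sha1-96", "lower-2-aes256"),
    KeytabEntry("deblndw011x$@AD001.SIEMENS.NET", 3, "aes256-cts-hmac-sha1-96", "lower-3-aes256"),
]


def names_match(a: str, b: str, case_sensitive: bool) -> bool:
    """RFC 4120 principal names are case-sensitive; the flag models a
    vendor (or configuration) switch to case-insensitive comparison."""
    return a == b if case_sensitive else a.casefold() == b.casefold()


def keys_for_principal(keytab: List[KeytabEntry], principal: str,
                       case_sensitive: bool) -> List[KeytabEntry]:
    """Step 1: every entry whose name matches. Whole entries are returned,
    so the exact spelling of the name is still available in step 2."""
    return [e for e in keytab if names_match(e.principal, principal, case_sensitive)]


def naive_lookup(keytab: List[KeytabEntry], principal: str,
                 kvno: int, etype: str) -> Optional[str]:
    """Case-insensitive lookup that drops the name after step 1 and keeps
    only (kvno, etype, key). With two entries differing only in case it can
    return the key that belongs to the other spelling."""
    nameless = [(e.kvno, e.etype, e.key)
                for e in keys_for_principal(keytab, principal, case_sensitive=False)]
    for k, t, key in nameless:
        if k == kvno and t == etype:
            return key
    return None


def lookup(keytab: List[KeytabEntry], principal: str, kvno: int, etype: str,
           case_sensitive: bool = True) -> Optional[str]:
    """Two-step lookup that retains the name: an entry spelled exactly as
    requested is preferred, and a different-case entry is used only as a
    fallback, which can only happen when case-insensitive matching is on."""
    candidates = [e for e in keys_for_principal(keytab, principal, case_sensitive)
                  if e.kvno == kvno and e.etype == etype]
    exact = [e for e in candidates if e.principal == principal]
    chosen = exact or candidates      # fallback list is empty when case_sensitive
    return chosen[0].key if chosen else None


if __name__ == "__main__":
    lower = "deblndw011x$@AD001.SIEMENS.NET"
    upper = "DEBLNDW011X$@AD001.SIEMENS.NET"
    aes256 = "aes256-cts-hmac-sha1-96"
    # Case-sensitive (RFC behaviour, like MIT kinit above): only exact spelling counts.
    print("strict, lower kvno 2:", lookup(KEYTAB, lower, 2, aes256))
    print("strict, upper kvno 3:", lookup(KEYTAB, upper, 3, aes256))
    # Case-insensitive without retaining the name picks the wrong key.
    print("naive, lower kvno 2: ", naive_lookup(KEYTAB, lower, 2, aes256))
    # Case-insensitive with exact-spelling preference picks the right one.
    print("lenient, lower kvno 2:", lookup(KEYTAB, lower, 2, aes256, case_sensitive=False))
```

The last two calls are the point of the thread: once comparison is case-insensitive, a lookup that forgets the name after step 1 returns `upper-2-aes256` for the lowercase principal, while one that keeps the name and prefers the exact spelling returns `lower-2-aes256`, and only falls back to the other-case entry when there is no exact match.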