- Bug
- Resolution: Not an Issue
- P3
- None
- 6
- None
- sparc
- solaris_10
Steps to reproduce it:
1. Get the sample code from: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/ClientServer.html ,
or download the sample code from bugster; I attached the sample code.
2. Run the test code with the original csLogin.conf.
----- csLogin.conf --------
SampleClient {
com.sun.security.auth.module.Krb5LoginModule required;
};
SampleServer {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true principal="###@###.###";
};
-----------------------------
If you download the code from bugster, run it on lunarorbit.sfbay.
#sh ss ( on server terminal)
#sh cc ( on another client terminal)
Test will run successfully.
3. Change the JAAS configuration file: add " useKeyTab=true keyTab=<keytab> ".
------ csLogin.conf -------
SampleClient {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
SampleServer {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true principal="###@###.###y.Sun.COM" useKeyTab=true keyTab="/etc/krb5/krb5.keytab" ;
};
-----------------------------
4. Add the service principal to the keytab file.
kadmin.local:ktadd -k /etc/krb5/krb5.keytab sampleServer
#chmod a+r /etc/krb5/krb5.keytab
Run the test again; the test will fail. Please see the following error:
bash-3.00$ sh ss
Kerberos password for ###@###.###: bogus
Unexpected Exception - unable to continue
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Decrypt integrity check failed
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at Login.main(Login.java:136)
Caused by: KrbException: Integrity check on decrypted field failed (31) - Decrypt integrity check failed
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:67)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:345)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:370)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
... 12 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
###@###.### 2005-07-08 08:27:56 GMT
###@###.### 2005-07-08 08:43:48 GMT
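
The transcript above shows the server login still prompting for a password after useKeyTab=true was added, and step 4 makes the keytab world-readable. The following added example (not part of the original report or the JDK; the principal, the function names and the finding labels are constructed) lints a JAAS configuration for both conditions: a keytab entry without doNotPrompt=true, which lets Krb5LoginModule fall back to a password prompt, and a keytab file readable by group or others.

```python
import os
import re
import stat

# Constructed sample modelled on the modified csLogin.conf in the report;
# the principal is a placeholder because the page redacts the real one.
SAMPLE_CONF = """
SampleClient {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
SampleServer {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    principal="sampleServer@EXAMPLE.COM" useKeyTab=true keyTab="/etc/krb5/krb5.keytab" ;
};
"""

ENTRY = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)       # Name { ... };
OPTION = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')    # key=value or key="value"

def parse_jaas(text):
    """Return {entry_name: [(module_class, control_flag, options_dict), ...]}."""
    entries = {}
    for name, body in ENTRY.findall(text):
        modules = []
        for stmt in (s.strip() for s in body.split(";")):
            tokens = stmt.split()
            if len(tokens) < 2:
                continue  # empty statement between ';' and '}'
            opts = {k: v.strip('"') for k, v in OPTION.findall(stmt)}
            modules.append((tokens[0], tokens[1], opts))
        entries[name] = modules
    return entries

def lint(text, mode_of=lambda p: stat.S_IMODE(os.stat(p).st_mode)):
    """Flag keytab-based Krb5LoginModule entries that are risky or misleading."""
    findings = []
    for name, modules in parse_jaas(text).items():
        for cls, _flag, opts in modules:
            if not cls.endswith("Krb5LoginModule") or opts.get("useKeyTab") != "true":
                continue
            # Without doNotPrompt=true the module asks for a password when no
            # usable key is obtained from the keytab, hiding the keytab problem.
            if opts.get("doNotPrompt") != "true":
                findings.append((name, "password-fallback"))
            keytab = opts.get("keyTab")
            if keytab:
                try:  # a keytab holds long-term keys: owner-only access
                    if mode_of(keytab) & (stat.S_IRGRP | stat.S_IROTH):
                        findings.append((name, "keytab-readable-by-others"))
                except OSError:
                    findings.append((name, "keytab-not-accessible"))
    return findings
```

The parser does not handle comments or semicolons inside quoted values; `mode_of` is injectable so the permission check can be exercised without the real keytab.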