
take salt out of PrincipalName


Details

    • Bug
    • Resolution: Duplicate
    • P4
    • None
    • 7
    • security-libs
    • None

    Description

      In Kerberos, an account uses a salt to create a secret key from a password. Normally this salt is simply the flat form of the PrincipalName string, but it can also be any other value. The value can be obtained from the server's error response after the initial AS-REQ.

      Currently, after we receive this new salt, it's put inside a PrincipalName object as the new default value. However, there are some problems here:

      1. A KDC error response can contain a separate new salt value for each encryption type. Although every KDC product out there uses the same value for all of them, theoretically they can be different. Therefore there is no single value that can be saved back into PrincipalName.

      2. The only use for this new salt is in the second AS-REQ message. After the TGT is received, the password is forgotten and the salt becomes useless. There is no need to permanently save it into the PrincipalName.

      3. If preauth is required, two AS-REQ messages are always needed, so caching the salt does not make the process any simpler.
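      The following is an added example, not JDK code, modelling the point above: the RFC 4120 default salt (realm followed by the name components) and a per-encryption-type salt map built from the KDC's PA-ETYPE-INFO2 entries that lives only for the follow-up AS-REQ. The realm, principal name and entry values are constructed for illustration.

```python
# Added example (not JDK code): RFC 4120 default salt and per-etype salt
# selection from a KDC's PA-ETYPE-INFO2, kept request-scoped rather than
# stored on the PrincipalName.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EtypeInfo2Entry:
    """One ETYPE-INFO2-ENTRY (RFC 4120 5.2.7.5); salt and s2kparams are OPTIONAL."""
    etype: int
    salt: Optional[str] = None
    s2kparams: Optional[bytes] = None


def default_salt(realm: str, components: List[str]) -> str:
    """RFC 4120 section 4: realm followed by the name components, no separators."""
    return realm + "".join(components)


def salts_by_etype(entries: List[EtypeInfo2Entry], realm: str,
                   components: List[str]) -> Dict[int, str]:
    """Map each etype the KDC offered to the salt to use for that etype.

    A missing salt means 'use the default' for that etype only. The result is
    scoped to the second AS-REQ; nothing is written back to the principal.
    """
    fallback = default_salt(realm, components)
    return {e.etype: (e.salt if e.salt is not None else fallback) for e in entries}


def distinct_salts(salts: Dict[int, str]) -> bool:
    """True when the KDC offered more than one salt, so no single value fits PrincipalName."""
    return len(set(salts.values())) > 1


# Constructed sample: aes256-cts (etype 18) carries a non-default salt,
# aes128-cts (etype 17) carries none and therefore falls back to the default.
SAMPLE_REALM = "EXAMPLE.COM"
SAMPLE_NAME = ["alice"]
SAMPLE_ENTRIES = [
    EtypeInfo2Entry(etype=18, salt="EXAMPLE.COMhost/alice"),  # constructed value
    EtypeInfo2Entry(etype=17),
]

if __name__ == "__main__":
    salts = salts_by_etype(SAMPLE_ENTRIES, SAMPLE_REALM, SAMPLE_NAME)
    print(salts, "multiple salts:", distinct_salts(salts))
```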

            People

              Weijun Wang