JDK-6942448: krb5 cannot detect name case error without preauth


    • Type: Bug
    • Resolution: Duplicate
    • Priority: P4
    • Affects Version: 7
    • Component: security-libs

The account name is used as salt in generating keys in Kerberos. If the client provides a case-insensitive account name (say, dummy -> DUMMY) at login time, the server informs the client of the correct salt so that the login still works fine.

There are two channels for the correct salt to be sent to the client:

1. In KRB-ERROR to the first AS-REQ, if preauth is required but not sent
2. In AS-REP to the first (or second) AS-REQ

Currently Java supports only the 1st one, which means that if the server has turned off the preauth requirement for a client, the client cannot decode the correct salt and generates a wrong key, which results in a "KrbException: Integrity check on decrypted field failed (31)".

We need to support the 2nd option as well. In fact, that is the recommended option in RFC 4120. In the following section, we can see that KRB-ERROR is used to provide enctype info, and AS-REP is used for salt info.

5.2.7.5. PA-ETYPE-INFO2

   The ETYPE-INFO2 pre-authentication type is sent by the KDC in a
   KRB-ERROR indicating a requirement for additional pre-authentication.
   It is usually used to notify a client of which key to use for the
   encryption of an encrypted timestamp for the purposes of sending a
   PA-ENC-TIMESTAMP pre-authentication value. It MAY also be sent in an
   AS-REP to provide information to the client about which key salt to
   use for the string-to-key to be used by the client to obtain the key
   for decrypting the encrypted part the AS-REP.

Besides PA-ETYPE-INFO2, PA-ETYPE-INFO and PA-PW-SALT can also be used to suggest the correct salt.
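The following is an added toy model of the two salt channels described above; it is not code from the JDK or from this report. The KDC database, realm, password and case-insensitive name lookup are constructed, and `string_to_key` and the cipher are simplified stand-ins (PBKDF2-HMAC-SHA1 and an XOR stream with an HMAC tag) rather than the real RFC 3961/3962 algorithms. What it shows is the failure the report describes: a client that only honours ETYPE-INFO2 in KRB-ERROR derives the wrong key once the KDC stops requiring preauth, while a client that also reads the padata in AS-REP recovers the correct salt.

```python
"""Toy model of the two Kerberos salt channels (RFC 4120 5.2.7.5). Constructed example."""
import hashlib
import hmac

PA_PW_SALT, PA_ETYPE_INFO, PA_ETYPE_INFO2 = 3, 11, 19
REALM = "EXAMPLE.COM"      # constructed realm
PASSWORD = "hunter2"       # constructed password shared by client and KDC database


class KrbException(Exception):
    pass


def default_salt(realm, name):
    # RFC 4120 default salt: the realm followed by the principal name components
    return (realm + name).encode()


def string_to_key(password, salt):
    # Simplified stand-in: PBKDF2-HMAC-SHA1 only (the real AES string-to-key also applies a DK step)
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)


def encrypt(key, plaintext):
    # Toy encrypt-then-MAC: XOR with a key-derived stream, then an HMAC tag over the ciphertext
    stream = hashlib.sha256(key).digest()
    ct = bytes(p ^ stream[i % 32] for i, p in enumerate(plaintext))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        # A wrong key shows up exactly as the report's integrity failure
        raise KrbException("Integrity check on decrypted field failed (31)")
    stream = hashlib.sha256(key).digest()
    return bytes(c ^ stream[i % 32] for i, c in enumerate(ct))


def salt_from_padata(padata, fallback):
    # Precedence follows the report: ETYPE-INFO2, then ETYPE-INFO, then PW-SALT
    for wanted in (PA_ETYPE_INFO2, PA_ETYPE_INFO, PA_PW_SALT):
        for ptype, value in padata:
            if ptype == wanted:
                return value
    return fallback


# Constructed KDC database: the canonical principal is upper case, so its salt differs
# from what a client typing "dummy" derives on its own.
KDC_DB = {"DUMMY": default_salt(REALM, "DUMMY")}


def kdc_as_exchange(name, preauth_required, enc_timestamp=None):
    canonical = name.upper()          # constructed: KDC resolves the name case-insensitively
    salt = KDC_DB[canonical]
    key = string_to_key(PASSWORD, salt)
    padata = [(PA_ETYPE_INFO2, salt)]
    if preauth_required:
        if enc_timestamp is None:
            return ("KRB-ERROR", padata, None)       # channel 1: salt in KRB-ERROR
        decrypt(key, enc_timestamp)                  # raises if the client's key is wrong
    return ("AS-REP", padata, encrypt(key, b"session-key"))  # channel 2: salt in AS-REP


def client_login(name, preauth_required, honour_as_rep_salt):
    salt = default_salt(REALM, name)
    kind, padata, enc_part = kdc_as_exchange(name, preauth_required)
    if kind == "KRB-ERROR":
        salt = salt_from_padata(padata, salt)        # channel 1: what Java already does
        key = string_to_key(PASSWORD, salt)
        kind, padata, enc_part = kdc_as_exchange(name, preauth_required, encrypt(key, b"timestamp"))
    if honour_as_rep_salt:
        salt = salt_from_padata(padata, salt)        # channel 2: the step the report asks for
    return decrypt(string_to_key(PASSWORD, salt), enc_part)


def login_outcome(name, preauth_required, honour_as_rep_salt):
    # Returns the decrypted enc-part as text, or the KrbException message on failure
    try:
        return client_login(name, preauth_required, honour_as_rep_salt).decode()
    except KrbException as e:
        return str(e)


if __name__ == "__main__":
    print(login_outcome("dummy", True, False))    # preauth required: salt arrives in KRB-ERROR
    print(login_outcome("dummy", False, True))    # no preauth, AS-REP padata honoured
    print(login_outcome("dummy", False, False))   # no preauth, AS-REP padata ignored
```

Running it prints "session-key" for the first two cases and "Integrity check on decrypted field failed (31)" for the third, which is the situation the report describes: the KDC did send the salt, but in AS-REP rather than KRB-ERROR, and a client that reads padata only from KRB-ERROR never sees it.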

Weijun Wang (weijun)
Votes: 0
Watchers: 0
