Bug
Resolution: Duplicate
P4
None
7
None
generic
generic
The account name is used as salt in generating keys in Kerberos. If the client provides a case-insensitive account name (say, dummy -> DUMMY) at login time, the server informs the client of the correct salt so that the login still works fine.
There are two channels for the correct salt to be sent to client:
1. In KRB-ERROR to the first AS-REQ, if preauth is required but not sent
2. In AS-REP to the first (or second) AS-REQ
Currently Java supports the 1st one, which means that if the server has turned the preauth requirement off for a client, the client cannot decode the correct salt and generates a wrong key, which results in a "KrbException: Integrity check on decrypted field failed (31)".
We need to support the 2nd option as well. In fact, that is the recommended option in RFC 4120. In the following section, we can see that the KRB-ERROR is used to provide enctype info, and the AS-REP to provide salt info.
5.2.7.5. PA-ETYPE-INFO2
The ETYPE-INFO2 pre-authentication type is sent by the KDC in a
KRB-ERROR indicating a requirement for additional pre-authentication.
It is usually used to notify a client of which key to use for the
encryption of an encrypted timestamp for the purposes of sending a
PA-ENC-TIMESTAMP pre-authentication value. It MAY also be sent in an
AS-REP to provide information to the client about which key salt to
use for the string-to-key to be used by the client to obtain the key
for decrypting the encrypted part the AS-REP.
Besides PA-ETYPE-INFO2, PA-ETYPE-INFO and PA-PW-SALT can also be used to suggest the correct salt.
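The two salt channels described above, as an added example that is not JDK code and not part of this report. It models the AS exchange in plain Python: a KDC that matches names case-insensitively but derives keys from the canonical spelling, and a client that either reads PA-ETYPE-INFO2 only from a KRB-ERROR (the old behaviour) or also from the AS-REP (the requested fix). The realm, account, password, the `Kdc`/`client_login` names and the HMAC stand-in for the AS-REP enc-part are all constructed for this example; the string-to-key is only the PBKDF2 step of RFC 3962, without the final DK step.

```python
"""Model of the Kerberos AS exchange showing where the client learns its salt.

Constructed example, not JDK code. Messages are plain dicts, the KDC runs in
process, and the AS-REP enc-part "encryption" is modelled as an HMAC tag so
that a key derived from the wrong salt fails the integrity check.
"""
import hashlib
import hmac

PA_ENC_TIMESTAMP = 2           # padata type numbers from RFC 4120 section 7.5.2
PA_ETYPE_INFO2 = 19
KDC_ERR_PREAUTH_REQUIRED = 25  # error code from RFC 4120 section 7.5.9


def default_salt(realm: str, name_components: list[str]) -> str:
    """RFC 4120 section 4: realm followed by the name components, no separators."""
    return realm + "".join(name_components)


def string_to_key(password: str, salt: str) -> bytes:
    """PBKDF2 step of the RFC 3962 aes128 string-to-key (4096 iterations).

    The final AES-based DK() step is left out to stay in the standard library,
    so this is a stand-in for the real key, not the real key.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 16)


class Kdc:
    def __init__(self, realm: str, accounts: dict[str, str], preauth_required: bool):
        self.realm = realm
        self.accounts = accounts            # canonical principal name -> password
        self.preauth_required = preauth_required

    def _canonical(self, cname: str) -> str:
        # Name lookup is case-insensitive, but the stored key was derived from
        # the canonical spelling, so the salt sent back must carry that spelling.
        for name in self.accounts:
            if name.lower() == cname.lower():
                return name
        raise KeyError(cname)

    def as_exchange(self, cname: str, padata: dict) -> dict:
        name = self._canonical(cname)
        salt = default_salt(self.realm, [name])
        etype_info2 = {PA_ETYPE_INFO2: salt}
        if self.preauth_required and PA_ENC_TIMESTAMP not in padata:
            # Channel 1: the salt rides in the KRB-ERROR that demands preauth.
            return {"msg": "KRB-ERROR", "error": KDC_ERR_PREAUTH_REQUIRED,
                    "padata": etype_info2}
        # Timestamp verification is omitted; only the salt path is modelled.
        key = string_to_key(self.accounts[name], salt)
        enc_part = b"session-key-and-ticket-times"
        tag = hmac.new(key, enc_part, hashlib.sha256).digest()
        # Channel 2: the salt rides in the AS-REP itself.
        return {"msg": "AS-REP", "padata": etype_info2, "enc_part": enc_part, "tag": tag}


def client_login(kdc: Kdc, cname: str, password: str, use_asrep_salt: bool) -> str:
    """Run the AS exchange as a client; return "ok" or the KrbException text."""
    salt = default_salt(kdc.realm, [cname])  # guessed from the name the user typed
    reply = kdc.as_exchange(cname, padata={})
    if reply["msg"] == "KRB-ERROR":
        if reply["error"] != KDC_ERR_PREAUTH_REQUIRED:
            raise RuntimeError(f"unexpected KRB-ERROR {reply['error']}")
        salt = reply["padata"].get(PA_ETYPE_INFO2, salt)        # channel 1
        reply = kdc.as_exchange(cname, padata={PA_ENC_TIMESTAMP: b"ts"})
    if use_asrep_salt:
        salt = reply["padata"].get(PA_ETYPE_INFO2, salt)        # channel 2
    key = string_to_key(password, salt)
    expected = hmac.new(key, reply["enc_part"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, reply["tag"]):
        return "KrbException: Integrity check on decrypted field failed (31)"
    return "ok"


if __name__ == "__main__":
    for preauth in (True, False):
        kdc = Kdc("EXAMPLE.COM", {"DUMMY": "secret"}, preauth_required=preauth)
        for fixed in (False, True):
            print(f"preauth={preauth} asrep_salt={fixed}:",
                  client_login(kdc, "dummy", "secret", use_asrep_salt=fixed))
```

With preauth required, both client variants log in as `dummy`, because the KRB-ERROR carries the salt. With preauth turned off for the account, only the variant that also honours PA-ETYPE-INFO2 in the AS-REP succeeds; the other derives its key from `EXAMPLE.COMdummy` instead of `EXAMPLE.COMDUMMY` and hits the integrity failure from the report.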
Duplicates: JDK-6960894 Better AS-REQ creation and processing (Closed)