
Support dns_canonicalize_hostname in krb5.conf


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • Fix Version: 12
    • Component: security-libs
    • Labels: None
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: Without the setting, there is no behavior change. There is a possibility that a user has added this setting to their krb5.conf for use by other krb5 vendors, and Java will now recognize it. In this case we believe Java will behave as the user expected. In fact, since the default value in MIT krb5 is true, most likely a user will only set it to false. This is both secure and performant, and also recommended by the RFC.
    • Interface Kind: File or wire format
    • Scope: Implementation

      Summary

      Support the krb5.conf dns_canonicalize_hostname as defined in https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.

      Problem

      When constructing a service principal name (in the form service_type/host_name@REALM), we always try to get the canonicalized name of the host name. This is not recommended by RFC 4120 and could have a serious impact on performance.

      Solution

      Support the dns_canonicalize_hostname setting.

      Specification

      Currently, Java performs a "smart" canonicalization, i.e. it always calls host.getCanonicalHostName() but only accepts the result if the canonicalized name is a longer version of the original name (For example, "service.example.com" is a longer version of "service").

      We propose that if dns_canonicalize_hostname is set to "true", we continue using this "smart" canonicalization; if "false", no canonicalization is ever tried and the original name is always used. The default value is "true".
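      As an added illustration (not JDK source), the rule above with the DNS lookup replaced by an injectable resolver so it runs offline. Assumptions: "longer version" means the canonical name begins with the original name followed by a dot, compared case-insensitively; the resolver map and names are constructed for the example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

/** Illustration of "smart" host canonicalization gated by dns_canonicalize_hostname. */
public final class SpnCanonicalization {

    /**
     * Acceptance rule: the canonical name replaces the original only if it is a
     * "longer version" of it (assumed here: starts with original + ".", ignoring case).
     * A CNAME that resolves to an unrelated name is rejected and the original kept.
     */
    static String chooseHostName(String original, String canonical) {
        if (canonical == null) {
            return original;
        }
        String o = original.toLowerCase(Locale.ROOT);
        String c = canonical.toLowerCase(Locale.ROOT);
        return c.startsWith(o + ".") ? canonical : original;
    }

    /**
     * Build service_type/host_name@REALM. When dnsCanonicalizeHostname is false
     * (the krb5.conf libdefaults setting), no lookup is attempted at all, so no
     * DNS answer can influence which principal is requested.
     */
    static String servicePrincipal(String service, String host, String realm,
                                   boolean dnsCanonicalizeHostname,
                                   Function<String, String> resolver) {
        String chosen = dnsCanonicalizeHostname
                ? chooseHostName(host, resolver.apply(host))
                : host;
        return service + "/" + chosen.toLowerCase(Locale.ROOT) + "@" + realm;
    }

    /** Real lookup for production use; null when the name cannot be resolved. */
    static String dnsResolver(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (UnknownHostException | SecurityException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for DNS: "service" has a longer canonical form,
        // "www" is an alias for a different host, anything else is unresolvable.
        Map<String, String> fake = Map.of("service", "service.example.com",
                                          "www", "web1.example.com");
        Function<String, String> resolver = fake::get;
        System.out.println(servicePrincipal("HTTP", "service", "EXAMPLE.COM", true, resolver));
        System.out.println(servicePrincipal("HTTP", "www", "EXAMPLE.COM", true, resolver));
        System.out.println(servicePrincipal("HTTP", "service", "EXAMPLE.COM", false, resolver));
    }
}
```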

      This will be documented in https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html. This is linked from the JDK 9 security guide at https://docs.oracle.com/javase/9/security/java-generic-security-services-java-gss-api1.htm.

            Assignee: Weijun Wang
            Reporter: Weijun Wang
            Reviewed by: Valerie Peng