Type: CSR
Resolution: Approved
Priority: P3
None
Compatibility Kind: behavioral
Compatibility Risk: minimal
Compatibility Risk Description: The new default behavior enhances compatibility with old and non-RFC 6806 compliant KDC services. The new Kerberos configuration option is aligned with the one available in the MIT Kerberos client, and allows more user flexibility.
Interface Kind: System or security property
Scope: JDK
Summary
Extend the Kerberos configuration file (krb5.conf, specified by the java.security.krb5.conf system property) to include a 'canonicalize' option under the 'libdefaults' section. Change the Kerberos client default behavior to send the 'canonicalize' bit off in all Authentication Service (AS) requests.
Problem
After the implementation of RFC 6806 (JDK-8215032), the Kerberos client sends the 'canonicalize' bit on by default in all KDC requests (both those used to get TGTs and those used to get TGS tickets). As described in that RFC, this option bit announces client-side support for Referrals and Name Canonicalization.
One consequence is that the KDC may issue a TGT (in response to an AS request) with a Client Name (cname) different from the one requested.
Even though the Kerberos client and the JAAS framework are ready to handle such a change, some applications, which obtain the ticket through undocumented APIs, consider it too disruptive.
In addition, old KDCs such as Windows AD 2008 change the cname when 'canonicalize' is on but do not include the security scheme proposed in Section 11 of RFC 6806 to mitigate the associated security risks. These responses are then rejected by the client.
Solution
Change the Kerberos client default behavior to send the 'canonicalize' bit off in all AS requests. Introduce a Kerberos configuration option to turn 'canonicalize' on for AS requests. These changes bring better alignment with the MIT Kerberos client.
Note: the 'sun.security.krb5.disableReferrals' system and security properties can be used to turn Name Canonicalization off. However, that also disables TGS referrals when requesting TGS tickets. The proposed solution allows Name Canonicalization alone to be disabled while RFC 6806 TGS referrals continue to be supported.
Specification
1) The Kerberos client sends the 'canonicalize' bit off in all AS requests by default. The previous behavior is not modified for TGS requests, which continue to include the 'canonicalize' bit on by default, with a fallback scheme in case the server returns an unexpected error.
2) A new 'canonicalize' option in the Kerberos configuration file (krb5.conf, specified by the java.security.krb5.conf system property) is introduced under the 'libdefaults' section. The default value is false. If the 'canonicalize' option is set to true, all AS requests will contain the 'canonicalize' bit on (unless referrals were disabled through sun.security.krb5.disableReferrals).
Grammar for 'canonicalize' option in the Kerberos configuration file:
canonicalize = true|false
Example of a krb5.conf file with 'canonicalize' on:
[libdefaults]
...
canonicalize = true
...
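To see how the two rules above combine with the existing 'sun.security.krb5.disableReferrals' property, here is an added Python example (not part of the CSR or of the JDK code) that parses the [libdefaults] section of a constructed krb5.conf and reports whether the 'canonicalize' bit is sent in AS and TGS requests. The disable_referrals parameter stands in for the property; the parser handles only flat 'key = value' settings.

```python
import re

# Constructed sample krb5.conf (not from the CSR) with the new option under [libdefaults].
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    canonicalize = true
    renewable = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(text):
    """Return the 'key = value' pairs of the [libdefaults] section, keys lower-cased.
    Only flat settings are handled; brace blocks such as realm entries are skipped."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line and not line.endswith("{"):
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def effective_canonicalize(libdefaults, disable_referrals=False):
    """Apply the CSR's rules: AS requests carry the bit only when krb5.conf says
    'canonicalize = true' and referrals are not disabled; TGS requests carry it by
    default and lose it only when referrals are disabled. Values follow the page's
    grammar (true|false), compared case-insensitively (an assumption of this example)."""
    referrals_enabled = not disable_referrals
    as_bit = referrals_enabled and libdefaults.get("canonicalize", "false").lower() == "true"
    tgs_bit = referrals_enabled
    return {"AS": as_bit, "TGS": tgs_bit}


if __name__ == "__main__":
    settings = parse_libdefaults(SAMPLE_KRB5_CONF)
    print("default:", effective_canonicalize({}))
    print("sample :", effective_canonicalize(settings))
    print("no referrals:", effective_canonicalize(settings, disable_referrals=True))
```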
Specs that need to be updated:
- 7 Java Generic Security Services (Java GSS-API)
- The Kerberos 5 GSS-API Mechanism
- Supported krb5.conf Settings
- Add 'canonicalize' in the '[libdefaults]' section, above 'renewable' (so that request options are grouped together)
- Add 'canonicalize = false' to the defaults for the krb5.conf file parameters, above 'renewable = false' (for the same reason).
- Supported krb5.conf Settings
- The Kerberos 5 GSS-API Mechanism
Review discussion thread and further information here.
CSR of: JDK-8239385 Support the 'canonicalize' setting (krb5.conf) in the Kerberos client (Closed)