- Type: CSR
- Resolution: Approved
- Priority: P4
- Compatibility Kind: behavioral
- Compatibility Risk: minimal
- Interface Kind: Other
- Scope: JDK
Summary
Use permitted_enctypes if default_tkt_enctypes or default_tgs_enctypes is not present in a krb5.conf file.
Problem
Users have to set all of default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes if they want to precisely restrict what encryption types can be used.
Solution
Since in most cases the three settings have the same value, setting only one of them can achieve the same goal. When either default_tkt_enctypes or default_tgs_enctypes is not present but permitted_enctypes is, the missing setting takes the value of permitted_enctypes.
This is also what MIT krb5 has done since 1.18 (released in February 2020). See https://web.mit.edu/kerberos/krb5-1.18/doc/admin/conf_files/krb5_conf.html.
Specification
Add the following lines to the text block below the "The following are the defaults for the krb5.conf file parameters:" line in https://docs.oracle.com/en/java/javase/15/security/kerberos-5-gss-api-mechanism.html:
default_tgs_enctypes = <value of permitted_enctypes>
default_tkt_enctypes = <value of permitted_enctypes>
permitted_enctypes = <all etypes in Table 7-1>
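As an added illustration (not code from the JDK or from this CSR), the following Python reads the [libdefaults] section of a krb5.conf and resolves the three enctype settings under the fallback rule described in the Solution, with the pre-CSR behaviour alongside for comparison. The function names are assumptions, and the built-in default list is a constructed placeholder standing in for "all etypes in Table 7-1".

```python
import re

# Constructed placeholder for the built-in default ("all etypes in Table 7-1"); the real list is not on this page.
DEFAULT_ALL_ETYPES = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1")
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_libdefaults(conf_text):
    """Minimal krb5.conf reader: return the key/value pairs of [libdefaults]."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def split_etypes(value):
    """krb5.conf enctype lists may be separated by spaces or commas."""
    return tuple(t for t in re.split(r"[\s,]+", value.strip()) if t)

def effective_enctypes(conf_text, fallback_to_permitted=True):
    """Resolve the three enctype settings from a krb5.conf text.
    True: the rule this CSR specifies, a missing default_tkt_enctypes or
    default_tgs_enctypes takes permitted_enctypes before the built-in list.
    False: the situation the Problem describes, a missing key goes straight
    to the built-in list, so permitted_enctypes alone does not restrict it."""
    ld = parse_libdefaults(conf_text)
    permitted = ld.get("permitted_enctypes")
    resolved = {}
    for key in ENCTYPE_KEYS:
        if key in ld:
            resolved[key] = split_etypes(ld[key])
        elif fallback_to_permitted and key != "permitted_enctypes" and permitted is not None:
            resolved[key] = split_etypes(permitted)
        else:
            resolved[key] = DEFAULT_ALL_ETYPES
    return resolved

# Constructed sample: the administrator restricted only permitted_enctypes.
SAMPLE_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
"""
```

With the fallback enabled all three keys resolve to the two AES types; with it disabled the two default_* keys silently revert to the full built-in list, which is why administrators previously had to set all three.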
- CSR of: JDK-8262389 Use permitted_enctypes if default_tkt_enctypes or default_tgs_enctypes is not present (Resolved)