Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8279632

New options for ktab to provide non-default salt

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 19
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      low
    • Compatibility Risk Description:
      The `-f` option already used by the `ktab -d` command to force removing entries without a prompt. There might be a small chance that a user always adding `-f` to any `ktab` command and it will trigger unnecessary KDC connections when adding entries.
    • Interface Kind:
      add/remove/modify command line option
    • Scope:
      JDK

      Description

      Summary

      Add -s <salt> and -f options to the ktab command to use the specified salt value or to fetch it from a KDC when adding entries.

      Problem

      The ktab -a username password command adds encryption keys derived from the username and password with a default salt string. Sometimes (as described in the bug report on a Windows Server) the salt used on the KDC might not be the default salt (which is a simple concatenation of realm and username), and the keys generated by the ktab command will not match the keys in KDC.

      Solution

      Add two new options to the command. When ktab -a username password -s altsalt is called, altsalt is used instead of the default salt. When ktab -a username password -f is called, the tool will contact the KDC to get the actual salt used (which will be included in the pre-authentication field in the KRB-ERROR response to the initial authentication request).

      The names of the new options follow the MIT krb5 ktutil command as described on https://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/ktutil.html.

      Specification

       Usage: ktab <commands> <options>
      
       Available commands:
      
       -l [-e] [-t]
           list the keytab name and entries. -e with etype, -t with timestamp.
      --a <principal name> [<password>] [-n <kvno>] [-append]
      +-a <principal name> [<password>] [-n <kvno>] [-s <salt> | -f] [-append]
           add new key entries to the keytab for the given principal name with
           optional <password>. If a <kvno> is specified, new keys' Key Version
           Numbers equal to the value, otherwise, automatically incrementing
      -    the Key Version Numbers. If -append is specified, new keys are
      +    the Key Version Numbers. If <salt> is specified, it will be used
      +    instead of the default salt. If -f is specified, the KDC will be
      +    contacted to fetch the salt. If -append is specified, new keys are
           appended to the keytab, otherwise, old keys for the
           same principal are removed.
       -d <principal name> [-f] [-e <etype>] [<kvno> | all | old]
           delete key entries from the keytab for the specified principal. If
           <kvno> is specified, delete keys whose Key Version Numbers match
           kvno. If "all" is specified, delete all keys. If "old" is specified,
           delete all keys except those with the highest kvno. Default action
           is "all". If <etype> is specified, only keys of this encryption type
           are deleted. <etype> should be specified as the numberic value etype
           defined in RFC 3961, section 8. A prompt to confirm the deletion is
           displayed unless -f is specified.
      
       Common option(s):
      
       -k <keytab name>
           specify keytab name and path with prefix FILE:

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              webbuggrp Webbug Group
              Reviewed By:
              Valerie Peng
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: