Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6893158

AP_REQ check should use key version number (updated by 6907425)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 7
    • Fix Version/s: 7
    • Component/s: security-libs
    • Labels:
      None

      Backports

        Description

        In Kerberos, a server side program saves long term secret keys into a keytab file and uses it to authenticate AP_REQ messages sent by a client. The AP_REQ is encrypted by the KDC using a key stored in KDC's database. The key is identified by an encryption type and a key version number so that the server can locate the correct key from the keytab. Currently, Java only uses encrytion type to search for the key. If there are multiple keys with the same etype for a given server, it's quite likely that a wrong key is returned. The result is that the AP_REQ message cannot be authenticated and checksum error is thrown.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  weijun Weijun Wang
                  Reporter:
                  weijun Weijun Wang
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Imported:
                    Indexed: