JDK-8241871

Support the 'canonicalize' setting (krb5.conf) in the Kerberos client

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 15
    • Component/s: security-libs
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      The new default behavior improves compatibility with old and non-RFC 6806 compliant KDC services. The new Kerberos configuration option is aligned with the one available in MIT's Kerberos client and gives users more flexibility.
    • Interface Kind:
      System or security property
    • Scope:
      JDK

      Description

      Summary

      Extend the Kerberos configuration file (krb5.conf, specified by the java.security.krb5.conf system property) to include a 'canonicalize' option under the 'libdefaults' section. Change the Kerberos client default behavior to send the 'canonicalize' bit off in all Authentication Service (AS) requests.

      Problem

      After the implementation of RFC 6806 (JDK-8215032), the Kerberos client sends the 'canonicalize' bit on by default in all KDC requests (both those used to get TGTs and those used to get TGS tickets). As described in that RFC, this option bit announces client-side support for Referrals and Name Canonicalization.

      One consequence is that the KDC may issue a TGT (in response to an AS request) with a different Client Name (cname) than the one requested.

      Even though the Kerberos client and the JAAS framework are ready to handle such a change, some applications (which get the ticket through undocumented APIs) consider it too disruptive.

      In addition, old KDCs such as Windows AD 2008 change the cname when 'canonicalize' is on but do not include the security scheme proposed in Section 11 of RFC 6806 to mitigate the associated security risks. The client therefore rejects these responses.

      Solution

      Change the Kerberos client default behavior to send the 'canonicalize' bit off in all AS requests. Introduce a Kerberos configuration option to turn 'canonicalize' on for AS requests. These changes bring the client into better alignment with MIT's Kerberos client.

      Note: the 'sun.security.krb5.disableReferrals' system and security properties can be used to turn Name Canonicalization off. However, that also disables TGS referrals when requesting TGS tickets. The proposed solution allows Name Canonicalization alone to be disabled while RFC 6806 TGS referrals remain supported.

      Specification

      1) The Kerberos client sends the 'canonicalize' bit off in all AS requests by default. The previous behavior is not modified for TGS requests, which continue to include the 'canonicalize' bit on by default, with a fallback scheme in case the server returns an unexpected error.

      2) A new 'canonicalize' option in the Kerberos configuration file (krb5.conf, specified by the java.security.krb5.conf system property) is introduced under the 'libdefaults' section. The default value is false. If the 'canonicalize' option is set to true, all AS requests will contain the 'canonicalize' bit on (unless referrals were disabled through sun.security.krb5.disableReferrals).

      Grammar for 'canonicalize' option in the Kerberos configuration file:

      canonicalize = true|false

      Example of a krb5.conf file with 'canonicalize' on:

      [libdefaults]
      ...
      canonicalize = true
      ...
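      The following is an added example, not part of this CSR or of the JDK's own code: it parses the [libdefaults] section of a constructed krb5.conf and applies the AS/TGS rules above to decide whether the KDCOptions 'canonicalize' bit (bit 15 per RFC 6806) would be sent. The parser and function names are assumptions for illustration.

```python
# Added example (not JDK code): read the 'canonicalize' setting from the
# [libdefaults] section of a krb5.conf and derive, per the rules in this CSR,
# whether the KDCOptions 'canonicalize' bit would be sent in an AS-REQ or TGS-REQ.
import re

# Constructed sample krb5.conf (not from the page), embedded so this runs offline.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    canonicalize = true   # the option this CSR introduces

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# KDCOptions bit numbers, MSB-first in the 32-bit BIT STRING (RFC 4120 s5.4.1;
# the canonicalize bit is defined in RFC 6806 s5).
KDC_OPTION_BITS = {"forwardable": 1, "renewable": 8, "canonicalize": 15}

def parse_libdefaults(text):
    """Return {key: value} for entries of the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
    return settings

def canonicalize_setting(settings):
    """krb5.conf 'canonicalize' value; defaults to false (assumed case-insensitive)."""
    return settings.get("canonicalize", "false").lower() == "true"

def canonicalize_bit(req_type, settings, disable_referrals=False):
    """Whether the 'canonicalize' bit is sent for req_type 'AS' or 'TGS'."""
    if disable_referrals:      # sun.security.krb5.disableReferrals turns both off
        return False
    if req_type == "AS":       # off by default; on only when krb5.conf enables it
        return canonicalize_setting(settings)
    return True                # TGS requests keep the bit on by default

def kdc_options(*names):
    """Pack option names into the 32-bit KDCOptions value (bit 0 is the MSB)."""
    return sum(1 << (31 - KDC_OPTION_BITS[n]) for n in names)
```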

      Specs that need to be updated:

      • 7 Java Generic Security Services (Java GSS-API)
        • The Kerberos 5 GSS-API Mechanism
          • Supported krb5.conf Settings
            • Add 'canonicalize' in '[libdefaults]' section, above 'renewable' (so we group request options together)
            • Add 'canonicalize = false' in defaults for the krb5.conf file parameters, above 'renewable = false' (for the previous reason).

      Review discussion thread and further information here.

              People

              Assignee:
              mbalao Martin Balao
              Reporter:
              webbuggrp Webbug Group
              Reviewed By:
              Weijun Wang