
Use permitted_enctypes if default_tkt_enctypes or default_tgs_enctypes is not present


    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 17
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      Traditionally, default_tkt_enctypes and default_tgs_enctypes are used by the client side, and permitted_enctypes is used by the server side. A behavior change would happen only for a client that has not set default_tkt_enctypes or default_tgs_enctypes but has set permitted_enctypes.
    • Interface Kind:
      Other
    • Scope:
      JDK

      Description

      Summary

      Use permitted_enctypes if default_tkt_enctypes or default_tgs_enctypes is not present in a krb5.conf file.

      Problem

      Users have to set all of default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes if they want to precisely restrict what encryption types can be used.

      Solution

      Since in most cases the values of the three settings are the same, setting only one of them should be enough to achieve the same goal. When either default_tkt_enctypes or default_tgs_enctypes is not present but permitted_enctypes is, the missing setting takes the value of permitted_enctypes.

      This is also what MIT krb5 has done since 1.18 (released in February 2020). See https://web.mit.edu/kerberos/krb5-1.18/doc/admin/conf_files/krb5_conf.html.

      Specification

      Add the following lines to the text block below the "The following are the defaults for the krb5.conf file parameters:" line in https://docs.oracle.com/en/java/javase/15/security/kerberos-5-gss-api-mechanism.html:

      default_tgs_enctypes = <value of permitted_enctypes>
      default_tkt_enctypes = <value of permitted_enctypes>
      permitted_enctypes = <all etypes in Table 7-1>
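      As an added illustration of the resolution rule above (this is example code written for this page, not the JDK's own krb5.conf parser), the following Python sketch reads the [libdefaults] section of a krb5.conf and resolves the three enctype settings both the old way (a missing setting falls back to the full default list) and the new way (a missing default_tkt_enctypes or default_tgs_enctypes inherits permitted_enctypes). The sample krb5.conf and the "full default list" are constructed placeholders; the real JDK default set is the one in Table 7-1 of the linked documentation.

```python
"""Added example (not JDK code): resolve krb5.conf enctype settings with the
fallback described in JDK-8262391. A missing default_tkt_enctypes or
default_tgs_enctypes inherits permitted_enctypes when that is present."""

import re

# Constructed placeholder standing in for "all etypes in Table 7-1";
# it is NOT the real JDK default list.
ALL_ETYPES_PLACEHOLDER = (
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "rc4-hmac",
)

CLIENT_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section as a dict.
    Lines starting with '#' or ';' are comments; parsing stops at the next
    section header. Nested '{ ... }' blocks are not needed for libdefaults."""
    settings = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            in_section = header.group(1) == "libdefaults"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def split_etypes(value):
    """krb5.conf enctype lists may be separated by spaces or commas."""
    return tuple(t for t in re.split(r"[\s,]+", value) if t)


def resolve_enctypes(settings, fallback_to_permitted=True):
    """Resolve the three settings to tuples of enctype names.

    fallback_to_permitted=True  : new behavior (JDK 17 / MIT krb5 1.18+),
                                  a missing default_*_enctypes inherits
                                  permitted_enctypes.
    fallback_to_permitted=False : old behavior, each missing setting falls
                                  back to the full default list."""
    if "permitted_enctypes" in settings:
        permitted = split_etypes(settings["permitted_enctypes"])
    else:
        permitted = ALL_ETYPES_PLACEHOLDER
    resolved = {"permitted_enctypes": permitted}
    for key in CLIENT_KEYS:
        if key in settings:
            # An explicit setting always wins, in both behaviors.
            resolved[key] = split_etypes(settings[key])
        elif fallback_to_permitted:
            resolved[key] = permitted
        else:
            resolved[key] = ALL_ETYPES_PLACEHOLDER
    return resolved


# Constructed sample: the admin restricted only permitted_enctypes.
SAMPLE_KRB5_CONF = """\
# constructed sample krb5.conf, not a real deployment
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    settings = parse_libdefaults(SAMPLE_KRB5_CONF)
    for label, flag in (("old", False), ("new", True)):
        print(label, resolve_enctypes(settings, fallback_to_permitted=flag))
```

      Running the block shows the practical difference: under the old behavior the client-side settings silently widen to the full default list even though the admin restricted permitted_enctypes, while under the new behavior all three settings agree.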

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              weijun Weijun Wang
              Reviewed By:
              Sean Mullan