Re: Accepting secure context on Server without KDC-Login



The default credential acquisition model for Java GSS-API requires
credentials to be present in the current Subject. Typically, the
credentials are placed there after a JAAS login by the application.

Client and server applications typically perform JAAS authentication
using the Kerberos login module. Upon successful authentication the TGT
is stored in the Subject's private credentials set and the Kerberos
principal is stored in the Subject's principal set. At the server-end
the secret key is stored in the Subject's private credentials set.

If there are no valid credentials in the current Subject, the Java GSS
provider attempts to obtain new credentials by invoking a JAAS login
itself. This is when the default JAAS entries
"com.sun.security.jgss.initiate" and "com.sun.security.jgss.accept" are
read from the JAAS configuration file, using the desired configurations
that you provide, such as the keytab at the server-end.

You can configure JAAS Krb5LoginModule to be an "acceptor" only at the
server-end. This option is available starting from Java SE 6, and will
be backported to earlier releases.

For details on this option, check the javadoc on Krb5LoginModule:
http://download.java.net/jdk6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Seema

Olfmatic wrote on 09/07/06 05:41:

Hello,

Please help me, I still don't get it:
I want to accept a secure context on my server. As far as I have learned, the server does not have to contact the KDC to do so, because the shared secret is stored in a keytab file created on the KDC and then stored at the server. But my experience was different.

This is my code:

import org.ietf.jgss.*;

// Kerberos V5 mechanism OID
Oid tKrb5Oid = new Oid("1.2.840.113554.1.2.2");
GSSManager tGSSManager = GSSManager.getInstance();
String tPrincName = "servicename/hostname@REALM";
GSSName tServerName = tGSSManager.createName(tPrincName, GSSName.NT_USER_NAME);
// Acceptor-only credential for the service principal (tKrb5Oid replaces the
// internal sun.security.jgss.krb5.Krb5MechFactory, which yields the same OID)
GSSCredential tServerCredential = tGSSManager.createCredential(tServerName,
    GSSCredential.INDEFINITE_LIFETIME, tKrb5Oid, GSSCredential.ACCEPT_ONLY);
// createContext(GSSCredential) is the acceptor-side form of createContext
GSSContext tSecureContext = tGSSManager.createContext(tServerCredential);
byte[] tInToken = aToken; // aToken: the client's initial context token, received over the wire
byte[] tOutToken = tSecureContext.acceptSecContext(tInToken, 0, tInToken.length);

If I execute this code in a PrivilegedAction after logging in to the KDC with the Krb5LoginModule, everything is fine. Now what I want is for the server to accept the secure context WITHOUT trying to contact the KDC. Do I have to log in with the Krb5LoginModule anyway? Or can the above code also be executed without a prior KDC login?
But then how do I tell the server application where to find the keytab file? As far as I know, the keytab file is configured in the configuration of the LoginModules:

JaasLogin {
//Kerberos single-sign-on login module
com.sun.security.auth.module.Krb5LoginModule required debug=true useKeyTab=true keyTab=C:/krb5.keytab ;
};


But if I never call

LoginContext tLoginContext = new LoginContext("JaasLogin");
tLoginContext.login();
final Subject tSubject = tLoginContext.getSubject();

then how can the application know that it shall use a keytab and where to find it?

IF I log in with the Krb5LoginModule, the server looks for the KDC, which is not what I want.
IF I do not log in with the Krb5LoginModule, I get the error message "Attempt to obtain new ACCEPT credentials failed", which seems clear to me because the server application doesn't know anything about the keytab file.
What do I have to do? Login or no login?

Thanks for any help.

Florian

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos


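The reply above describes the mechanism but does not show it end to end, so here is an added example (not from the original thread, and not Sun's own sample code) of an acceptor that never calls LoginContext itself. It relies on two things the reply mentions: JGSS reads the "com.sun.security.jgss.accept" JAAS entry when no credentials are in the current Subject, and Krb5LoginModule can be made acceptor-only with isInitiator=false (Java SE 6 or later; on earlier releases the module always fetches a TGT, which is the KDC contact described in the post). The service principal, keytab path and reading the client's token from stdin are assumptions chosen for illustration. One detail the reply leaves implicit is the system property javax.security.auth.useSubjectCredsOnly, which must be false before JGSS will run that login on its own.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.Writer;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Keytab-only Kerberos acceptor: no explicit LoginContext, no AS exchange with
 * the KDC. Illustrative code; SERVICE_PRINCIPAL and KEYTAB_PATH are placeholders
 * (assumptions), and isInitiator=false needs Java SE 6 or later.
 */
public class KeytabAcceptor {

    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
    private static final String SERVICE_PRINCIPAL = "servicename/hostname@REALM"; // assumption
    private static final String KEYTAB_PATH = "/etc/krb5.keytab";                 // assumption

    /**
     * Writes a JAAS configuration holding only the entry JGSS consults for
     * acceptors, com.sun.security.jgss.accept, and points the JVM at it.
     */
    static File installJaasConfig() throws IOException {
        String conf =
            "com.sun.security.jgss.accept {\n"
          + "    com.sun.security.auth.module.Krb5LoginModule required\n"
          + "        useKeyTab=true\n"
          + "        keyTab=\"" + KEYTAB_PATH + "\"\n"
          + "        principal=\"" + SERVICE_PRINCIPAL + "\"\n"
          + "        storeKey=true\n"       // keep the long-term key in the Subject
          + "        doNotPrompt=true\n"    // never fall back to a password prompt
          + "        isInitiator=false;\n"  // acceptor only: no TGT, no KDC traffic
          + "};\n";
        File f = File.createTempFile("jgss-accept", ".conf");
        f.deleteOnExit();
        Writer w = new FileWriter(f);
        try { w.write(conf); } finally { w.close(); }
        System.setProperty("java.security.auth.login.config", f.getAbsolutePath());
        // With the default (true) JGSS only looks in the current Subject and
        // never performs the com.sun.security.jgss.accept login itself.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        return f;
    }

    /** ACCEPT_ONLY credential for the service; JGSS runs the keytab login for us. */
    static GSSCredential acquireAcceptorCredential() throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName serviceName = manager.createName(SERVICE_PRINCIPAL, GSSName.NT_USER_NAME);
        return manager.createCredential(serviceName, GSSCredential.INDEFINITE_LIFETIME,
                new Oid(KRB5_MECH_OID), GSSCredential.ACCEPT_ONLY);
    }

    /**
     * Verifies the client's AP-REQ against the keytab key. Returns the reply
     * token (null unless the client asked for mutual authentication) and leaves
     * ctx established; Kerberos V5 needs only this single round on the acceptor.
     */
    static byte[] acceptToken(GSSContext ctx, byte[] inToken) throws GSSException {
        byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        // Do not trust getSrcName() until the negotiated mechanism is the expected one.
        if (!new Oid(KRB5_MECH_OID).equals(ctx.getMech())) {
            throw new GSSException(GSSException.BAD_MECH);
        }
        return outToken;
    }

    /** Reads the raw token bytes from a stream (here: whatever the client wrote to stdin). */
    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) > 0; ) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        installJaasConfig();
        GSSCredential serverCred = acquireAcceptorCredential();  // reads the keytab, nothing else
        GSSContext ctx = GSSManager.getInstance().createContext(serverCred); // acceptor-side context
        try {
            byte[] reply = acceptToken(ctx, readAll(System.in));
            System.out.println("client authenticated as " + ctx.getSrcName()
                    + " to " + ctx.getTargName()
                    + (reply == null ? "" : " (send " + reply.length + " reply bytes back)"));
        } finally {
            ctx.dispose();
            serverCred.dispose();
        }
    }
}
```

To confirm that no KDC round trip happens, run with -Dsun.security.krb5.debug=true and check that the log shows the keytab being read but no AS-REQ; if the KDC is unreachable and the AP-REQ still verifies, the login really was keytab-only. The keytab holds the service's long-term key, so it should be readable only by the account running this process.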
