no PTR is needed for TGS-Req in openjdk7?
Roy Golan rgolan at redhat.com
Wed Jul 11 06:31:14 UTC 2012
- Previous message (by thread): no PTR is needed for TGS-Req in openjdk7?
- Next message (by thread): 7182500 OCSP revocation checking fails if OCSP response does not contain certificates
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 07/10/2012 04:30 PM, Weijun Wang wrote:
Hi Roy
In JDK 6 we canonicalize the service host name before requesting a service ticket. In JDK 7 we don't, for security reasons, see http://tools.ietf.org/html/rfc4120#section-1.3. But I don't see how it affects locating the KDC.
Another change is that we always use DNS to locate a KDC if there is none in krb5.conf, i.e. dns_lookup_kdc's default value is now regarded as true.
Can you be more specific? tcp dumps are always welcome.
Attached 2 dumps, one for each jdk.
My krb5.conf has dns_lookup_kdc = true and my KDC is also specified in the domain section.
We have an active directory server which is also the DNS server. The SRV records are all fine and point to the right KDC and LDAP.
Resolving the KDC address is not a problem, but we must have back resolving too (as for jdk6...). To do that I have put a record in my /etc/hosts: 10.35.64.1 xxqa1.qa.lab###. I'm intentionally putting a wrong record of course, just to prove the behavior.
Look at the dumps and you will see that jdk6 used the record in /etc/hosts in the KDC_REQ_BODY, so the request is for server ldap/xxqa1.qa.lab###, and jdk7 just uses the correct ldap/qa1.qa.lab####.
-Max
On 07/10/2012 06:08 PM, Roy Golan wrote:
Hi all,
In our project (www.ovirt.org) we do some Kerberos authentication and we've seen different behavior between jdk6 and 7 in the process of doing the TGS-Req to the KDC. With jdk6 we must have a PTR record for our KDC to run, while using jdk7 we see it's ignoring it. To check it we have put a wrong record in /etc/hosts for our KDC server, say "1.1.1.1 wrongkdc.example.com" while it should be kdc.example.com, and we saw that jdk6 is failing with PRINCIPAL_UNKNOWN. The PRINCIPAL in jdk6 is 1.1.1.1/wrongkdc.example.com and with jdk7 is 1.1.1.1/kdc.example.com, which is why it works.
Is this change by design or maybe a bug? Can someone explain if there is no intent of using reverse records (PTR) for the PRINCIPAL in TGS requests? I can supply tcp dumps if that will help to shed light here.
Thanks,
Roy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdk7.kerberos.cap
Type: application/vnd.tcpdump.pcap
Size: 7041 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20120711/50fd5c93/jdk7.kerberos.cap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdk6.kerberos.cap
Type: application/vnd.tcpdump.pcap
Size: 5807 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20120711/50fd5c93/jdk6.kerberos.cap>
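The two behaviours discussed in this thread (JDK 6 reverse-resolving the host before building the service principal, JDK 7 using the name as given), as an added Python simulation that is not code from the thread or from the JDK: the DNS and /etc/hosts tables, the realm EXAMPLE.COM and the set of principals the KDC knows are all constructed, and the principal string format is an assumption.

```python
# Constructed lookup tables standing in for DNS and /etc/hosts (not real hosts).
FORWARD = {"kdc.example.com": "1.1.1.1",       # from DNS
           "wrongkdc.example.com": "1.1.1.1"}  # from the deliberately wrong /etc/hosts line
REVERSE = {"1.1.1.1": "wrongkdc.example.com"}  # the PTR/hosts answer for that address
REALM = "EXAMPLE.COM"                          # assumed realm
# Service principals the simulated KDC actually holds keys for (constructed).
KDC_SPNS = {"ldap/kdc.example.com@EXAMPLE.COM"}


def canonical_host(host):
    """JDK 6 style: forward-resolve the name, then reverse-resolve the address.
    Whoever controls the reverse record (or the client's hosts file) controls
    the name that ends up in the principal, which is the RFC 4120 1.3 concern."""
    ip = FORWARD[host]
    return REVERSE.get(ip, host)


def service_principal(service, host, canonicalize):
    """Build service/host@REALM, optionally canonicalizing the host first."""
    name = canonical_host(host) if canonicalize else host
    return f"{service}/{name.lower()}@{REALM}"


def tgs_req(service, host, canonicalize):
    """Simulate the TGS-REQ: return (requested principal, KDC verdict)."""
    spn = service_principal(service, host, canonicalize)
    verdict = "OK" if spn in KDC_SPNS else "KDC_ERR_S_PRINCIPAL_UNKNOWN"
    return spn, verdict


def reverse_lookup_changes_name(host):
    """Audit check: flag hosts whose reverse record disagrees with the name
    the application configured, i.e. exactly the case where JDK 6 silently
    asked for a different principal than the one the admin intended."""
    return canonical_host(host).lower() != host.lower()
```

With the wrong reverse record in place the JDK 6 path asks for ldap/wrongkdc.example.com and gets PRINCIPAL_UNKNOWN, while the JDK 7 path asks for ldap/kdc.example.com and succeeds, which is the difference visible in the two captures.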