Java 8 更新 161 破坏了 HTTPClient Kerberos 身份验证
Java 8 update 161 breaks HTTPClient Kerberos authentication
我的 HTTPClient Kerberos 身份验证设置类似于 this one。我的 login.conf 看起来像这样:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<principal>
principal=<keytab>;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
此设置一直适用于我的 jdk8u151,但 Oracle 最近发布了 jdk8u161,但它不再有效。调试看起来像这样:
对比调试日志,jdk8u161停在这一行:
CCacheInputStream: readFlags()
而 jdk8u151 遵循该行
unsupported key type found the default TGT: 18
我加了
default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
到krb5.conf,但没有帮助。
找到我自己的答案:
- 从 login.conf
中删除所有 useTicketCache=true
- 将
rc4-hmac 添加到 default_tkt_enctypes、default_tgs_enctypes 和 permitted_enctypes
login.conf 现在看起来像这样:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
和krb5.conf:
[libdefaults]
...
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
...
我的 HTTPClient Kerberos 身份验证设置类似于 this one。我的 login.conf 看起来像这样:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<principal>
principal=<keytab>;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
此设置一直适用于我的 jdk8u151,但 Oracle 最近发布了 jdk8u161,但它不再有效。调试看起来像这样:
对比调试日志,jdk8u161停在这一行:
CCacheInputStream: readFlags()
而 jdk8u151 遵循该行
unsupported key type found the default TGT: 18
我加了
default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
到krb5.conf,但没有帮助。
找到我自己的答案:
- 从 login.conf 中删除所有
- 将
rc4-hmac添加到default_tkt_enctypes、default_tgs_enctypes和permitted_enctypes
useTicketCache=true
login.conf 现在看起来像这样:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
和krb5.conf:
[libdefaults]
...
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
...