How to obtain a kerberos service ticket via GSS-API?

Views: 481

Question

Does anyone know how to get a service ticket from the Key Distribution Center (KDC) using the Java GSS-API?

I have a thick-client-application that first authenticates via JAAS using the Krb5LoginModule to fetch the TGT from the ticket cache (background: Windows e.g. uses a kerberos implementation and stores the ticket granting ticket in a secure memory area). From the LoginManager I get the Subject object which contains the TGT. Now I hoped when I create a specific GSSCredential object for my service, the service ticket will be put into the Subject's private credentials as well (I've read so somewhere in the web). So I have tried the following:

// Exception handling omitted
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;
import com.sun.security.auth.callback.DialogCallbackHandler; // JDK-supplied Swing callback handler

// JAAS login through the "HelloEjbClient" entry; Krb5LoginModule picks up the TGT from the ticket cache
LoginContext lc = new LoginContext("HelloEjbClient", new DialogCallbackHandler());
lc.login();
// Run as the authenticated subject so the GSS provider can see the TGT among its private credentials
Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {

    public Void run() {
        GSSManager manager = GSSManager.getInstance();
        GSSName clientName = manager.createName("clientUser", GSSName.NT_USER_NAME);
        GSSCredential clientCreds = manager.createCredential(clientName, 8 * 3600, createKerberosOid(), GSSCredential.INITIATE_ONLY);

        // Requesting a credential *for the service* from the client side: this is the call that fails
        // with "No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)"
        GSSName serverName = manager.createName("myService@localhost", GSSName.NT_HOSTBASED_SERVICE);
        manager.createCredential(serverName, GSSCredential.INDEFINITE_LIFETIME, createKerberosOid(), GSSCredential.INITIATE_ONLY);
        return null;
    }

    // Kerberos V5 mechanism OID
    private Oid createKerberosOid() {
        return new Oid("1.2.840.113554.1.2.2");
    }

});

Unfortunately I get a GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt).

Answer

My understanding of getting the service ticket was wrong. I do not need to get the credentials from the service - this is not possible on the client, because the client really doesn't have a TGT for the server and therefore doesn't have the rights to get the service credentials. What's just missing here is to create a new GSSContext and to initialize it. The return value from this method contains the service ticket, if I have understood that correctly. Here is a working code example. It must be run in a PrivilegedAction on behalf of a logged-in subject:

    // Run inside Subject.doAs(subject, ...) so JGSS can resolve the TGT of the logged-in subject.
    // Imports needed: org.ietf.jgss.*, java.util.Base64
    GSSManager manager = GSSManager.getInstance();
    GSSName clientName = manager.createName("clientUser", GSSName.NT_USER_NAME);
    GSSCredential clientCred = manager.createCredential(clientName,
                                                        8 * 3600,
                                                        createKerberosOid(),
                                                        GSSCredential.INITIATE_ONLY);

    // The target service, named host-based (service@host)
    GSSName serverName = manager.createName("http@server", GSSName.NT_HOSTBASED_SERVICE);

    GSSContext context = manager.createContext(serverName,
                                               createKerberosOid(),
                                               clientCred,
                                               GSSContext.DEFAULT_LIFETIME);
    context.requestMutualAuth(true);
    context.requestConf(false);
    context.requestInteg(true);

    // The first initiator token is the AP-REQ, which carries the service ticket obtained from the KDC
    byte[] outToken = context.initSecContext(new byte[0], 0, 0);
    // sun.misc.BASE64Encoder is not a public API; java.util.Base64 (Java 8+) replaces it
    System.out.println(Base64.getEncoder().encodeToString(outToken));
    context.dispose();

    // Helper referenced above: the Kerberos V5 mechanism OID
    private Oid createKerberosOid() throws GSSException {
        return new Oid("1.2.840.113554.1.2.2");
    }

The outToken then contains the service ticket. However, this is not the way the GSS-API was meant to be used. Its goal was to hide those details from the code, so it is better to establish a GSSContext using the GSS-API on both sides. Otherwise you really should know what you are doing because of potential security holes. For more information, read the Sun SSO tutorial with Kerberos more carefully than I did.

Just forgot that I am using Windows XP with SP2. There is a new "feature" in this version of Windows that disallows using the TGT in the Windows RAM. You have to edit the registry to allow this. For more information, have a look at the JGSS Troubleshooting page, in case you experience a "KrbException: KDC has no support for encryption type (14)" like I did.
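As an added example (not the answer's own code), here is the "GSSContext on both sides" approach the answer recommends: an initiator and an acceptor drive the token hand-off to completion with mutual authentication, then protect an application message through the established context instead of handling the ticket bytes by hand. The JAAS entry names Client and Server, and the service principal http/server.example.com, are assumptions for this example.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

/* Added example. Assumes a JAAS config with two entries: "Client" (Krb5LoginModule reading the
 * ticket cache) and "Server" (Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false
 * for http/server.example.com). Both sides run in one JVM so the token hand-off is visible in one place. */
public class GssBothSidesExample {
    static final Oid KRB5 = krb5Oid();

    static Oid krb5Oid() {
        try { return new Oid("1.2.840.113554.1.2.2"); }   // Kerberos V5 mechanism OID
        catch (GSSException e) { throw new IllegalStateException(e); }
    }

    // Runs one context step as the given subject so JGSS resolves that subject's Kerberos credentials
    static byte[] step(Subject who, PrivilegedExceptionAction<byte[]> action) throws Exception {
        return Subject.doAs(who, action);
    }

    public static void main(String[] args) throws Exception {
        LoginContext clientLogin = new LoginContext("Client"); clientLogin.login();
        LoginContext serverLogin = new LoginContext("Server"); serverLogin.login();
        Subject client = clientLogin.getSubject(), server = serverLogin.getSubject();
        GSSManager mgr = GSSManager.getInstance();

        GSSName service = mgr.createName("http@server.example.com", GSSName.NT_HOSTBASED_SERVICE);
        GSSContext init = mgr.createContext(service, KRB5, null, GSSContext.DEFAULT_LIFETIME);
        init.requestMutualAuth(true);   // ask for the AP-REP so the client also authenticates the server
        init.requestInteg(true);
        GSSContext accept = mgr.createContext((GSSCredential) null); // acceptor uses the Server subject's key

        byte[] token = new byte[0];
        while (!init.isEstablished()) {
            final byte[] toServer = token;
            token = step(client, () -> init.initSecContext(toServer, 0, toServer.length)); // AP-REQ with the service ticket
            if (token != null && token.length > 0 && !accept.isEstablished()) {
                final byte[] toClient = token;
                token = step(server, () -> accept.acceptSecContext(toClient, 0, toClient.length)); // AP-REP back
            }
        }
        System.out.println("server authenticated client: " + accept.getSrcName());
        System.out.println("client authenticated server: " + init.getTargName() + ", mutual=" + init.getMutualAuthState());

        // Once established, protect application data through the context instead of touching ticket bytes
        byte[] signed = init.wrap("hello".getBytes("UTF-8"), 0, 5, new MessageProp(0, false));
        byte[] plain = accept.unwrap(signed, 0, signed.length, new MessageProp(0, false));
        System.out.println("server unwrapped: " + new String(plain, "UTF-8"));
        init.dispose(); accept.dispose();
    }
}
```

Run with -Djava.security.auth.login.config pointing at the JAAS file; in a real deployment the initiator and acceptor live in different processes and only the tokens travel between them.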
