How to save Kerberos private credentials for use in other machines


Question

I am using JAAS to get Kerberos credentials. My config file looks like this:

SignedOnUserLoginContext
{
  com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=true;
};

The code to get Kerberos credentials:

import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Logs in through the "SignedOnUserLoginContext" JAAS entry above and returns
// the ASN.1-encoded form of the first KerberosTicket found in the Subject's
// private credentials, or null if the Subject holds no ticket.
static byte[] getTicketBytes() throws LoginException {
    LoginContext lc = new LoginContext("SignedOnUserLoginContext");
    lc.login();
    Subject signedOnUserSubject = lc.getSubject();
    Set<Object> privateCred = signedOnUserSubject.getPrivateCredentials();

    for (Object privates : privateCred) {
        if (privates instanceof KerberosTicket) {
            KerberosTicket ticket = (KerberosTicket) privates;
            return ticket.getEncoded();
        }
    }
    return null;
}

When I transfer the ticket to other machines and use JAAS to log in using Kerberos, it doesn't get authenticated. My config file at the receiving end:

KrbLogin {
    com.sun.security.auth.module.Krb5LoginModule required
        principal=principal@realm
        useTicketCache=true
        ticketCache="FILE:///where i store the ticket";
};

I am suspecting I cannot just get the ticket like that, but need to get the whole private credentials returned by getPrivateCredentials(). Also, using doNotPrompt=true and useTicketCache=true, I am trying to get it from the Windows cache.

I read in some Java security book that private credentials can include other data such as private keys, encryption keys, passwords, etc.

Hence, I would need to get the return value of getPrivateCredentials(). How can I get what is returned by getPrivateCredentials() into an actual Kerberos credential file? I read that in order to access this data, I would need to use the PrivateCredentialPermission module. Is there an example showing how to do this?

Answer

Kerberos credentials are not portable. Technically, you cannot do kinit on machine A and then use that TGT (ticket granting ticket) or ST (service ticket) on machine B (except for delegation), because both the TGT and the ST contain the encrypted IP address of the client.

The ST is encrypted with the service server's key, which means only the SS can verify/read the content of the ticket.

The TGT is encrypted with the key of the TGS (ticket granting server).

By the way, maybe what you want is what is called a Kerberos keytab, which contains the principal's user name & password.

But transferring a keytab over the network is dangerous and deprecated.
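As an added example (not code from the question or the answer), the following Java program inspects a KerberosTicket for the properties the answer refers to: whether the ticket is bound to client addresses, whether it is forwardable (the flag delegation relies on), and whether it is still valid. It builds a sample ticket with the public KerberosTicket constructor so it runs without a KDC; the principal names, addresses, encoding and session key are made-up placeholders.

```java
import java.net.InetAddress;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TicketPortabilityCheck {

    // Builds a short report, from the ticket's own attributes, of why the
    // ticket would or would not be accepted when presented from thisHost.
    static String report(KerberosTicket t, InetAddress thisHost) {
        StringBuilder sb = new StringBuilder();
        sb.append("client=").append(t.getClient())
          .append(" service=").append(t.getServer()).append('\n');
        InetAddress[] addrs = t.getClientAddresses(); // null when addressless
        if (addrs == null || addrs.length == 0) {
            sb.append("address binding: none (addressless ticket)\n");
        } else {
            boolean match = false;
            for (InetAddress a : addrs) {
                match |= a.equals(thisHost);
            }
            sb.append("address binding: ")
              .append(match ? "matches this host" : "does NOT match this host")
              .append('\n');
        }
        sb.append("forwardable (delegation possible): ").append(t.isForwardable()).append('\n');
        sb.append("currently valid: ").append(t.isCurrent()).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample ticket: placeholder encoding and key bytes,
        // all flags false (so not forwardable), valid for 8 hours, bound to
        // the documentation address 192.0.2.10.
        boolean[] flags = new boolean[32];
        long now = System.currentTimeMillis();
        KerberosTicket t = new KerberosTicket(
            new byte[] {0x61, 0x00},                       // placeholder ASN.1 body
            new KerberosPrincipal("alice@EXAMPLE.COM"),
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            new byte[16], 17,                              // placeholder key, aes128-cts
            flags,
            new Date(now), new Date(now), new Date(now + 8 * 3600_000L),
            null,                                          // no renewTill
            new InetAddress[] { InetAddress.getByName("192.0.2.10") });
        // Presenting the ticket from a different host: reported as a mismatch.
        System.out.print(report(t, InetAddress.getByName("192.0.2.11")));
    }
}
```

A ticket obtained through JAAS on a live system can be passed to report() directly by iterating the Subject's private credentials as the question's code does.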
