JDK-6941083 : take salt out of PrincipalName
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 7
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2010-04-06
  • Updated: 2010-11-04
  • Resolved: 2010-06-17
Related Reports
Duplicate :  
Relates :  
Description
In Kerberos, an account's long-term key is derived from its password together with a salt. Normally this salt is simply the flat (unparsed) form of the PrincipalName string, but it can be any other value; a KDC-chosen salt is obtained from the server's error response to the initial AS-REQ.

Currently, after we receive this new salt, it is stored inside a PrincipalName object as the new default value. This has several problems:

1. A KDC error response can carry a separate salt for each encryption type. Although every KDC product out there uses the same value for all of them, in theory they can differ, so there is no single value that can be saved back into the PrincipalName.

2. The only use of the new salt is in the second AS-REQ message. Once the TGT has been received, the password is forgotten and the salt becomes useless, so there is no need to save it permanently in the PrincipalName.

3. If preauth is required, two AS-REQ messages are always needed; caching the salt does not make the process any simpler.
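The following is an added Python model of the behaviour described above; it is not JDK code and does not reproduce KrbAsReqBuilder. It keeps the PrincipalName immutable, derives the default salt per RFC 4120 section 4 (realm followed by the name components with no separators), overrides it per encryption type from a constructed ETYPE-INFO2 sample as a KDC would send in KDC_ERR_PREAUTH_REQUIRED, and runs only the PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key so the effect of the salt on the key material is visible. The principal name, password, salts and the helper names (`salt_for_etype`, `second_as_req_keys`) are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)  # frozen: nothing learned during the AS exchange can be written back
class PrincipalName:
    realm: str
    components: Tuple[str, ...]

    def default_salt(self) -> str:
        """Default salt per RFC 4120 section 4: the realm followed by the name
        components, concatenated with no separators."""
        return self.realm + "".join(self.components)


# AES etype numbers from RFC 3962 and the PBKDF2 output length each one uses.
AES_KEY_LEN = {17: 16, 18: 32}  # 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96

# Constructed sample of the ETYPE-INFO2 entries a KDC might return inside
# KDC_ERR_PREAUTH_REQUIRED: one entry per etype, each with an optional salt.
SAMPLE_ETYPE_INFO2: List[Dict] = [
    {"etype": 18, "salt": "EXAMPLE.ORGalice-v2"},  # KDC-chosen, non-default salt
    {"etype": 17, "salt": None},                   # no salt given: client falls back to the default
]


def salt_for_etype(principal: PrincipalName, etype_info2: List[Dict], etype: int) -> str:
    """Salt to use for one etype in the second AS-REQ: the KDC-supplied value
    if present, otherwise the default derived from the principal name."""
    for entry in etype_info2:
        if entry["etype"] == etype and entry["salt"] is not None:
            return entry["salt"]
    return principal.default_salt()


def salts_by_etype(principal: PrincipalName, etype_info2: List[Dict]) -> Dict[int, str]:
    """One salt per offered etype; a single 'new default' on the principal
    cannot represent this when the values differ."""
    return {e["etype"]: salt_for_etype(principal, etype_info2, e["etype"]) for e in etype_info2}


def pbkdf2_stage(password: str, salt: str, key_len: int, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key. The final DK step
    (AES-based derivation from this output) is deliberately omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def second_as_req_keys(principal: PrincipalName, password: str,
                       etype_info2: List[Dict]) -> Dict[int, str]:
    """Hypothetical helper: derive per-etype pre-auth key material for the
    second AS-REQ without storing anything in the PrincipalName."""
    keys: Dict[int, str] = {}
    for etype, salt in salts_by_etype(principal, etype_info2).items():
        if etype not in AES_KEY_LEN:
            continue  # only the salted AES path is modelled here
        keys[etype] = pbkdf2_stage(password, salt, AES_KEY_LEN[etype]).hex()
    return keys


if __name__ == "__main__":
    alice = PrincipalName("EXAMPLE.ORG", ("alice",))
    print("salts:", salts_by_etype(alice, SAMPLE_ETYPE_INFO2))
    print("keys:", second_as_req_keys(alice, "correct horse", SAMPLE_ETYPE_INFO2))
    print("principal default salt unchanged:", alice.default_salt())
```

The per-etype salt table lives only for the duration of the second AS-REQ and is discarded with the password, which is the shape of the fix the evaluation points to: the request builder, not the principal, owns the salt.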

Comments
EVALUATION KrbAsReqBuilder will take care of salt.
17-06-2010