JDK-8216173 : krb5.conf parsing incomplete / incorrect
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 8,11,12
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • OS: linux
  • CPU: x86_64
  • Submitted: 2018-12-29
  • Updated: 2022-12-15
  • Resolved: 2019-01-19
Description
A DESCRIPTION OF THE PROBLEM :
The parsing mechanism in sun/security/krb5/Config.java incorrectly assumes only 3 types of lines are possible

1. a = b
2. a = {
3. }

auth_to_local rules in MIT Kerberos (which Java follows) are of the format

a = {
  value
}

hence auth_to_local rules are impossible to read as a KrbException("Illegal config content") is thrown when encountering "value"

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a krb5.conf with auth_to_local rules like this (straight from MIT Kerberos man page)

         [realms]
              ATHENA.MIT.EDU = {
                  auth_to_local = {
                      RULE:[2:$1](johndoe)s/^.*$/guest/
                      RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                      RULE:[2:$2](^.*;root)s/^.*$/root/
                      DEFAULT
                      }
                  }

Try to use get("realms", "ATHENA.MIT.EDU", "auth_to_local")

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
String of "auth_to_local" value.

ACTUAL -
KrbException("Illegal config content")


Comments
Bug reporter confirmed false report.
19-01-2019

[~psonal] What is the version of MIT krb5 the customer is using? I tried pasting the relation into a local krb5.conf, krb5kdc fails with "krb5kdc: Improper format of Kerberos configuration file while initializing krb5". I'm using the latest version.
07-01-2019

https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html shows

         [realms]
              ATHENA.MIT.EDU = {
                  auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
                  auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                  auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
                  auth_to_local = DEFAULT
              }

Does this "a = b" format work for the customer?
07-01-2019
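
The difference between the two layouts discussed in this report, as an added example (not the JDK's Config.java and not code from the report): a small parser that accepts only section headers and the three line types listed in the description, and collects repeated "a = b" relations into a list. The names `parse`, `rules`, `IllegalConfig`, `BRACED` and `REPEATED` are hypothetical, and the inputs are constructed from the rules quoted above.

```python
# Added illustration: a minimal krb5.conf-style parser (not the JDK's Config.java).
import re

class IllegalConfig(ValueError):
    """Raised for a line that is not a section header, 'a = b', 'a = {' or '}'."""

def parse(text):
    root, stack = {}, []          # stack[-1] is the (sub)section being filled
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            if len(stack) > 1:
                raise IllegalConfig(f"line {n}: section header inside braces")
            stack = [root.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise IllegalConfig(f"line {n}: content before any section")
        if line == "}":
            if len(stack) == 1:
                raise IllegalConfig(f"line {n}: unmatched closing brace")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:                   # e.g. a bare RULE:... or DEFAULT
            raise IllegalConfig(f"line {n}: bare value {line!r}")
        opens = value == "{"
        slot = stack[-1].setdefault(key, {} if opens else [])
        if isinstance(slot, dict) != opens:
            raise IllegalConfig(f"line {n}: {key!r} is both a value and a subsection")
        if opens:
            stack.append(slot)                   # descend into 'a = {'
        else:
            slot.append(value)                   # repeated keys keep every value
    if len(stack) > 1:
        raise IllegalConfig("unclosed brace at end of file")
    return root

# Constructed inputs: the rules quoted on this page, in both layouts.
RULES = ["RULE:[2:$1](johndoe)s/^.*$/guest/", "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
         "RULE:[2:$2](^.*;root)s/^.*$/root/", "DEFAULT"]
REALM = "[realms]\nATHENA.MIT.EDU = {\n%s\n}\n"
BRACED = REALM % ("auth_to_local = {\n" + "\n".join(RULES) + "\n}")
REPEATED = REALM % "\n".join("auth_to_local = " + r for r in RULES)

def rules(text):
    return parse(text)["realms"]["ATHENA.MIT.EDU"]["auth_to_local"]
```

`rules(REPEATED)` returns the four values in file order, while `rules(BRACED)` raises `IllegalConfig` at the first `RULE:` line.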