JDK-8044500 : Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.security
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2014-06-02
  • Updated: 2020-02-26
  • Resolved: 2014-12-09
Fixed versions:
  • JDK 9: 9 b43 (Fixed)
  • Other: openjdk7u (Fixed)
Sub Tasks
JDK-8055763 :  
Kerberos kinit implementations support a "-r" option which allows users to 
obtain a renewable ticket. 

      /usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name] 
           [-C] [-E] [-k [-t keytab_file]] [-l lifetime] 
           [-r renewable_life] [-s start_time] [-n] [-S service_name] 
           [-X attribute[=value]] [-T armor_ccache] [principal] 

But Java's kinit implementation does not allow for a renewable option:

 C:\Program Files\Java\jdk1.7.0_55\bin>kinit.exe -help 
 Usage: kinit [-A] [-f] [-p] [-c cachename] [[-k [-t keytab_file_name]] 
 [principal] [password] 
        available options to Kerberos 5 ticket request: 
             -A   do not include addresses 
             -f   forwardable 
             -p   proxiable 
             -c   cache name (i.e., FILE:\d:\myProfiles\mykrb5cache) 
             -k   use keytab 
             -t   keytab file name 
             principal   the principal name (i.e., qweadf@ATHENA.MIT.EDU qweadf) 
            password   the principal's Kerberos password 
 C:\Program Files\Java\jdk1.7.0_55\bin> 

Also, can we add an extra function along with "renewable" that allows users to 
set the expiry time please? That is the "-l" option, which can be used to set 
the lifetime of the Kerberos ticket. Here is the extract from the krb5 spec: 

-l lifetime 
(Time duration string.) Requests a ticket with the lifetime "lifetime". 
For example, kinit -l 5:30 or kinit -l 5h30m 
If the -l option is not specified, the default ticket lifetime (configured by each site) is used. 
Specifying a ticket lifetime longer than the maximum ticket lifetime 
(configured by each site) will not override the configured maximum ticket lifetime. 

Also, I noticed that Java Kinit doesn't honour the krb5.conf setting 
"ticket_lifetime" or "renew_lifetime". Not sure if it's something you want to 
support in Java, thought I would mention this as well. 
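
The "-l lifetime" extract above, as an added Java example that is not the JDK's kinit code and not part of the original report: it parses both duration forms the extract shows and models the site maximum capping the request. The class and method names are hypothetical, the 10h site maximum is a constructed value, and the d/s units and optional seconds field go beyond the two forms on this page, following MIT krb5's duration syntax.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; not the JDK's kinit code. Class and method names are hypothetical.
public class TicketLifetime {
    // "5h30m" style: optional d/h/m/s components, in that order.
    private static final Pattern UNITS =
        Pattern.compile("(?:(\\d+)d)?(?:(\\d+)h)?(?:(\\d+)m)?(?:(\\d+)s)?");
    // "5:30" style: hours:minutes, with an optional :seconds field.
    private static final Pattern CLOCK =
        Pattern.compile("(\\d+):(\\d{1,2})(?::(\\d{1,2}))?");

    /** Parses a duration string into seconds; rejects empty or malformed input. */
    static long parseSeconds(String s) {
        s = s.trim();
        Matcher c = CLOCK.matcher(s);
        if (c.matches()) {
            return num(c.group(1)) * 3600 + num(c.group(2)) * 60 + num(c.group(3));
        }
        Matcher u = UNITS.matcher(s);
        if (!s.isEmpty() && u.matches()) {
            return num(u.group(1)) * 86400 + num(u.group(2)) * 3600
                 + num(u.group(3)) * 60 + num(u.group(4));
        }
        throw new IllegalArgumentException("bad duration: " + s);
    }

    // A component that is absent from the string counts as zero.
    private static long num(String g) {
        return g == null ? 0 : Long.parseLong(g);
    }

    /** Models the outcome in the extract: a request above the site maximum is capped.
     *  In a real deployment the KDC enforces the maximum, not the client. */
    static long effective(String requested, String siteMax) {
        return Math.min(parseSeconds(requested), parseSeconds(siteMax));
    }

    public static void main(String[] args) {
        String siteMax = "10h"; // constructed sample value (assumption)
        for (String req : new String[] {"5:30", "5h30m", "24h"}) {
            System.out.printf("-l %-6s -> %d s granted (max %s)%n",
                              req, effective(req, siteMax), siteMax);
        }
    }
}
```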

Integrated as part of the batch 2020-01 CPU. Removing jdk8u-fix-request.

Can you please stick to a 1:1 mapping between bugs and webrevs please? https://cr.openjdk.java.net/~alvdavi/webrevs/8044500/webrev.8u.00/ appears to contain both 8044500 & 8186576.

8u review approval: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-January/010921.html

Fix request (8u) on behalf of verghese@amazon.com
Backport dependency of: https://bugs.openjdk.java.net/browse/JDK-8186576
RFR: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-November/010582.html