JDK-8029995 : accept yes/no for boolean krb5.conf settings
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • Submitted: 2013-12-11
  • Updated: 2019-08-16
  • Resolved: 2014-04-04
Version: JDK 9 (9 b08, Fixed)
Sub Tasks: JDK-8173011
Description
FULL PRODUCT VERSION :
java version "1.8.0-ea"
Java(TM) SE Runtime Environment (build 1.8.0-ea-b119)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b61, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux XXX.deshaw.com 2.6.32-358.18.1.el6.4.deshaw.x86_64 #1 SMP Fri Oct 11 16:57:25 BST 2013 x86_64 x86_64 x86_64 GNU/Linux


EXTRA RELEVANT SYSTEM CONFIGURATION :
You need to be on a system where weak crypto is being used in the Kerberos TGT, or else the setting of the allow_weak_crypto flag has no effect.

A DESCRIPTION OF THE PROBLEM :
The changes in http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/7d89b0dd973c do not correctly parse the "allow_weak_crypto" option in the /etc/krb5.conf file, as they require the use of the string "true".  In practice, users may also use other strings, like "yes", to signify that they want to allow weak crypto.  Because of this bug, the code will assume that allow_weak_crypto is false when it should believe it to be true.

REGRESSION.  Last worked in version 7u40

ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Take an auth config file that looks like this, which we'll call jaas.config:

-----------------
KrbLogin {
    com.sun.security.auth.module.Krb5LoginModule sufficient
        useTicketCache="true";
};

com.sun.security.jgss.krb5.initiate
{
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        useTicketCache=true
        debug=false;
};
-----------------

Then use an /etc/krb5.conf file that contains the string "allow_weak_crypto = yes" instead of "allow_weak_crypto = true" in the [libdefaults] section.  Run the KerberosBug class provided elsewhere in this request with those two files, using a command like the following:

java -Djava.security.auth.login.config=jaas.config -Djava.security.krb5.conf=krb5.conf KerberosBug


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I expect the program to run without printing anything.  If you run with jdk7, this is what you'll see.
ACTUAL -
In jdk8, you see the following:

     [java] Exception in thread "main" javax.security.auth.login.LoginException: Cannot locate KDC
     [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
     [java] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
     [java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     [java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     [java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     [java] at java.lang.reflect.Method.invoke(Method.java:483)
     [java] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:777)
     [java] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
     [java] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
     [java] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
     [java] at java.security.AccessController.doPrivileged(Native Method)
     [java] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:688)
     [java] at javax.security.auth.login.LoginContext.login(LoginContext.java:586)
     [java] at KerberosBug.main(KerberosBug.java:26)
     [java] Caused by: KrbException: Cannot locate KDC
     [java] at sun.security.krb5.Config.getKDCList(Config.java:1062)
     [java] at sun.security.krb5.KdcComm.send(KdcComm.java:217)
     [java] at sun.security.krb5.KdcComm.send(KdcComm.java:199)
     [java] at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
     [java] at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
     [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
     [java] ... 13 more
     [java] Java Result: 1

As a result of this bug, the Kerberos operation has failed.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;

public class KerberosBug
{
    private static class CBHandler implements CallbackHandler
    {
        @Override
        public void handle(Callback[] callbacks)
        {
            // No need to do anything
        }
    }

    /**
     * Test method which will throw an exception
     * if there's a problem.
     */
    public static void main(String[] args) throws Exception
    {
        LoginContext loginContext = new LoginContext(
            "KrbLogin",
            new CBHandler()
        );
        loginContext.login();
    }
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
The workaround is to modify the /etc/krb5.conf file so that it says "allow_weak_crypto = true" instead of "allow_weak_crypto = yes".  However, this is only possible if you have no other software that insists on use of the "yes" string.
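An added audit script, not part of the bug report or of the JDK itself, that parses a krb5.conf and flags boolean [libdefaults] entries written as yes/no, the values the report says JDK 8 silently ignored and the release note says JDK 9 accepts. The sample config, the function names, and the boolean keys other than allow_weak_crypto are assumptions of this example.

```python
import re

# Boolean [libdefaults] keys per the MIT krb5.conf reference; the report only
# concerns allow_weak_crypto, the others are included for the same audit.
BOOLEAN_KEYS = {"allow_weak_crypto", "forwardable", "proxiable", "dns_lookup_kdc", "rdns"}

# Constructed sample mirroring the reporter's "allow_weak_crypto = yes".
SAMPLE_KRB5_CONF = """\
[libdefaults]
    allow_weak_crypto = yes
    dns_lookup_kdc = no
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def parse_krb5_conf(text):
    """{section: {key: value}} for top-level keys; brace blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
        elif line.endswith("{"):  # start of a nested (e.g. per-realm) block
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def jdk8_bool(value):
    """Pre-fix parse from the report: only "true" counts, else JDK 8's default False."""
    return value.strip().lower() == "true"

def lenient_bool(value):
    """Post-fix parse from the release note: yes/no accepted; None if unknown."""
    v = value.strip().lower()
    return {"true": True, "yes": True, "false": False, "no": False}.get(v)

def find_silently_ignored(text):
    """Boolean [libdefaults] entries that JDK 8 ignores but JDK 9 honours."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    return [(k, v) for k, v in libdefaults.items()
            if k in BOOLEAN_KEYS and v.strip().lower() in ("yes", "no")]
```

Running find_silently_ignored over a real /etc/krb5.conf lists exactly the settings that must be rewritten as true/false for the workaround above to hold on JDK 8.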
Comments
This is not really a regression. Label removed. "allow_weak_crypto=yes" is not recognized in jdk7 and jdk8, so it's ignored in both. However, in jdk7, the default value for that option is "true", so the user feels the value is working. In jdk8, the default value is false, and the user feels it's not working. We've enhanced in jdk9 to recognize more values. As an RFE, this is not backported to 8.
12-03-2015

release note text: Boolean settings in krb5.conf can now take the value of "yes" and "no".
25-01-2014

8-defer-request justification: The krb5.conf doc [1] only specifies true/false for the key and in Java we only support them. It seems MIT's krb5 implementation also accepts yes/no. I consider this an RFE instead of a bug. We can support it in a future release (8u20 and 9). Meanwhile, users can set the value to true/false in their krb5.conf as a workaround. I have asked the bug reporter on which software "insists on use of the yes string" (no reply yet) but I am not aware of any. [1] http://web.mit.edu/~kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
12-12-2013