I'm attempting to do a GSSAPI SASL authentication (as a server) with a hostname that is exactly the domain name: slushpupie.com. It isn't working, even though the same application works when the hostname has more than one dot (like host.slushpupie.com). I've managed to reduce the application down to a trivial case just using the GSS* classes, which I've included below.
With debugging turned on, I can see that the keytab is read, and the principal is retrieved from it, but no keys seem to come out of it.
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class GetKeytab {
    public static void main(String args[]) {
        try {
            // JAAS config file holding the com.sun.security.jgss.accept entry
            System.setProperty("java.security.auth.login.config", "gss.conf");
            System.setProperty("sun.security.jgss.debug", "true");
            // false: let JGSS run its own JAAS login from the accept entry
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

            // Kerberos V5 mechanism OID
            Oid KRB5_OID = new Oid("1.2.840.113554.1.2.2");
            GSSManager mgr = GSSManager.getInstance();

            // args[0] is the host-based service name, e.g. xmpp@oak.slushpupie.com
            GSSName serviceName = mgr.createName(
                    args[0],
                    GSSName.NT_HOSTBASED_SERVICE,
                    KRB5_OID);
            System.out.println("serviceName: " + serviceName.toString());

            // Acceptor-only credential: must be backed by a key from the keytab
            GSSCredential cred = mgr.createCredential(
                    serviceName,
                    GSSCredential.INDEFINITE_LIFETIME,
                    KRB5_OID,
                    GSSCredential.ACCEPT_ONLY);

            // Server-side context; lifetime comes from the credential
            GSSContext secCtx = mgr.createContext(cred);
            System.out.println("Context lifetime: " + secCtx.getLifetime());
        } catch (Exception e) {
            e.printStackTrace();
            return;
        }
    }
}
My keytab contains keys for three principals:
Keytab name: FILE:/etc/jabber.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 xmpp/slushpupie.com@SLUSHPUPIE.COM (Triple DES cbc mode with HMAC/sha1)
3 xmpp/slushpupie.com@SLUSHPUPIE.COM (DES cbc mode with CRC-32)
4 xmpp/oak.slushpupie.com@SLUSHPUPIE.COM (Triple DES cbc mode with HMAC/sha1)
4 xmpp/oak.slushpupie.com@SLUSHPUPIE.COM (DES cbc mode with CRC-32)
4 xmpp/maple.slushpupie.com@SLUSHPUPIE.COM (Triple DES cbc mode with HMAC/sha1)
4 xmpp/maple.slushpupie.com@SLUSHPUPIE.COM (DES cbc mode with CRC-32)
My gss.conf looks like this:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="/etc/jabber.keytab" doNotPrompt=true useKeyTab=true realm="SLUSHPUPIE.COM" principal="xmpp/slushpupie.com" debug=true;
};
Except that I change the principal to reflect the current test.
When I run it with the hostname oak.slushpupie.com, it works:
$ java GetKeytab xmpp@oak.slushpupie.com
serviceName: xmpp@oak.slushpupie.com
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/jabber.keytab refreshKrb5Config is false principal is xmpp/oak.slushpupie.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/oak.slushpupie.com@SLUSHPUPIE.COM
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: AA BB CC DD EE FF 00 00
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: AA BB CC DD EE FF 00 00 2F F2 A8 34 F8 A1 C2 D6 ..%z.>../..4....
0010: FE F4 FB 92 5E 89 C8 1F
Added server's keyKerberos Principal xmpp/oak.slushpupie.com@SLUSHPUPIE.COMKey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: AA BB CC DD EE FF 00 00
[Krb5LoginModule] added Krb5Principal xmpp/oak.slushpupie.com@SLUSHPUPIE.COM to Subject
Added server's keyKerberos Principal xmpp/oak.slushpupie.com@SLUSHPUPIE.COMKey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: AA BB CC DD EE FF 00 00 2F F2 A8 34 F8 A1 C2 D6 ..%z.>../..4....
0010: FE F4 FB 92 5E 89 C8 1F
[Krb5LoginModule] added Krb5Principal xmpp/oak.slushpupie.com@SLUSHPUPIE.COM to Subject
Commit Succeeded
Context lifetime: 2147483647
It also works for maple.slushpupie.com, but I won't include the output unless someone wants to see it.
Now, when I switch to just slushpupie.com, I get this:
$ java GetKeytab xmpp@slushpupie.com
serviceName: xmpp@slushpupie.com
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/jabber.keytab refreshKrb5Config is false principal is xmpp/slushpupie.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/slushpupie.com@SLUSHPUPIE.COM
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B6 44 3E B5 C4 02 9E 23
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 83 44 76 08 C8 70 61 46 9B 29 C4 E6 C1 D5 0E 32 .#v..paF.).....2
0010: 4C 44 2F 85 0E 0B 46 5E
Added server's keyKerberos Principal xmpp/slushpupie.com@SLUSHPUPIE.COMKey Version 3key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: B6 44 3E B5 C4 02 9E 23
[Krb5LoginModule] added Krb5Principal xmpp/slushpupie.com@SLUSHPUPIE.COM to Subject
Added server's keyKerberos Principal xmpp/slushpupie.com@SLUSHPUPIE.COMKey Version 3key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 83 44 76 08 C8 70 61 46 9B 29 C4 E6 C1 D5 0E 32 .#v..paF.).....2
0010: 4C 44 2F 85 0E 0B 46 5E
[Krb5LoginModule] added Krb5Principal xmpp/slushpupie.com@SLUSHPUPIE.COM to Subject
Commit Succeeded
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:75)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:77)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:45)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at GetKeytab.main(GetKeytab.java:27)
As you can see, the keytab was accessed and it was even able to get a TGT from the KDC. But why couldn't it be used? Something about short hostnames?
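A diagnostic that narrows down where "Failed to find any Kerberos Key" comes from, as an added example that is not part of the question above: it logs in through the same JAAS entry name the JGSS acceptor uses, prints exactly which principals and keys (principal, kvno, etype) ended up in the Subject, prints the Kerberos principal the mechanism derives from the service@host name, and then acquires the ACCEPT_ONLY credential inside Subject.doAs with useSubjectCredsOnly=true, so the mechanism can only use what is visible in that Subject. It assumes the gss.conf and /etc/jabber.keytab shown in the question; the class name DumpAcceptorKeys and the describe helper are this example's own.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added diagnostic (not the poster's code). Shows what the JAAS login put
 * into the Subject and what principal name JGSS derives for service@host,
 * then tries the acceptor credential using only the Subject's contents.
 */
public class DumpAcceptorKeys {
    // Entry name the JGSS acceptor looks up by default (same as in gss.conf)
    static final String JAAS_ENTRY = "com.sun.security.jgss.accept";
    static final Oid KRB5_OID;
    static {
        try {
            KRB5_OID = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // principal, key version and encryption type of one keytab-derived key
    static String describe(KerberosKey k) {
        return k.getPrincipal().getName()
                + " kvno=" + k.getVersionNumber()
                + " etype=" + k.getKeyType();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java DumpAcceptorKeys service@host");
            System.exit(2);
        }
        final String hostBasedName = args[0];
        System.setProperty("java.security.auth.login.config", "gss.conf");
        // true: JGSS may only use credentials found in the current Subject
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");

        // 1. Explicit JAAS login through the acceptor entry
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject subject = lc.getSubject();

        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("principal in Subject: " + p.getName());
        }

        // 2. Keys: older JDKs store KerberosKey objects directly, newer ones
        //    store a KeyTab object and resolve keys per principal on demand
        for (KerberosKey k : subject.getPrivateCredentials(KerberosKey.class)) {
            System.out.println("key in Subject:  " + describe(k));
        }
        for (KeyTab kt : subject.getPrivateCredentials(KeyTab.class)) {
            for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
                for (KerberosKey k : kt.getKeys(p)) {
                    System.out.println("key from KeyTab: " + describe(k));
                }
            }
        }

        // 3. Principal the Kerberos mechanism derives from service@host;
        //    this is what must match a principal that has a key above
        final GSSManager mgr = GSSManager.getInstance();
        final GSSName serviceName = mgr.createName(hostBasedName,
                GSSName.NT_HOSTBASED_SERVICE, KRB5_OID);
        System.out.println("service name:   " + serviceName);
        System.out.println("canonical name: " + serviceName.canonicalize(KRB5_OID));

        // 4. Acquire the acceptor credential using only the Subject's keys
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            GSSCredential cred = mgr.createCredential(serviceName,
                    GSSCredential.INDEFINITE_LIFETIME, KRB5_OID,
                    GSSCredential.ACCEPT_ONLY);
            System.out.println("acceptor credential for: " + cred.getName());
            return null;
        });
    }
}
```

Run it as `java DumpAcceptorKeys xmpp@slushpupie.com` and again with `xmpp@oak.slushpupie.com`; comparing the "canonical name" line with the "key in Subject" / "key from KeyTab" lines for the two runs shows whether the name JGSS looks up and the principal the keytab key is stored under actually agree in the failing case.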