Kerberos Authentication ignores expired credentials?
843811, Aug 27 2003, edited Jan 21 2004
JDK: J2SE 1.4.2
OS: Win 2000
I have an app that uses JAAS Kerberos for authentication, and it seems that the reference implementation from Sun for Krb5LoginModule is not respecting when the credentials cache has expired.
Without the useTicketCache="true" option in my login context config file, my app always pops up Swing dialogs to capture the user id and password to authenticate to the Kerberos KDC. This works fine. When using the "useTicketCache" option I can then use the kinit program to create the TGT cache which stores my credentials for future use. This works fine also. And when I run my app, the Sun Kerberos reference implementation correctly finds the credentials cache and uses that and doesn't prompt me for a user id and password--single sign on heaven!
However, once the credentials have expired, the Sun ref impl is still allowing authentication to continue and my app to run when it SHOULD be telling me that my TGT has expired and I need to do another "kinit".
Can anyone help me here? This issue defeats one of the key strengths of Kerberos--that of timed sessions. I'm hoping it is all just a configuration error on my part...
Below are config file, credentials cache file name, krb5.ini, and a listing of principals from my Kerberos KDC:
My config file looks like this:
com.apisconsulting.ucped.UCPEDApplication {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache="true";
};
in my client code, I have a corresponding call like this:
lc = new LoginContext("com.apisconsulting.ucped.UCPEDApplication", new DialogCallbackHandler());
My credentials cache is stored in the default location in:
${user.home}/krb5cc_${user.name}
which on my Win2k client is:
C:\Documents and Settings\Administrator\krb5cc_Administrator
and my krb5.ini file is also stored in the default location for windows (c:\winnt) and is the following:
------------------------ start of file krb5.ini ---------------
[libdefaults]
default_realm = NEUHAUS.WILTON-ASSOCIATES.COM
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
forwardable = true
proxiable = true
[realms]
NEUHAUS.WILTON-ASSOCIATES.COM= {
kdc = kerberos.wilton-associates.com:88
admin_server = kerberos.wilton-associates.com
default_domain = wilton-associates.com
}
[domain_realm]
.wilton-associates.com = NEUHAUS.WILTON-ASSOCIATES.COM
wilton-associates.com = NEUHAUS.WILTON-ASSOCIATES.COM
[login]
krb4_convert = true
krb4_get_tickets = true
================== end of file krb5.ini =============================
and when I do a "listprincs" on the Kerberos KDC, it lists the following test principals:
kadmin.local: listprincs
K/M@NEUHAUS.WILTON-ASSOCIATES.COM
admin/admin@NEUHAUS.WILTON-ASSOCIATES.COM
bwjenkins@NEUHAUS.WILTON-ASSOCIATES.COM
kadmin/admin@NEUHAUS.WILTON-ASSOCIATES.COM
kadmin/changepw@NEUHAUS.WILTON-ASSOCIATES.COM
kadmin/history@NEUHAUS.WILTON-ASSOCIATES.COM
krbtgt/NEUHAUS.WILTON-ASSOCIATES.COM@NEUHAUS.WILTON-ASSOCIATES.COM
root/admin@NEUHAUS.WILTON-ASSOCIATES.COM
and when I do "kinit" on my client it authenticates me as:
bwjenkins@NEUHAUS.WILTON-ASSOCIATES.COM
and when I do a "klist" I see something like the following:
Credentials cache: C:\[snip]...\krb5cc_Administrator
Default principal: bwjenkins@NEUHAUS.WILTON-ASSOCIATES.COM, 1 entry found.
[1] Service Principal: krbtgt/NEUHAUS.WILTON-ASSOCIATES.COM@NEUHAUS.WILTON-ASSOCIATES.COM
Valid starting: Aug 27, 2003 16:19
Expires: Aug 28, 2003 02:19
But after the "Expires" date, the Sun ref impl still uses these stored credentials. Any ideas...?
bauhaus9
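Whatever Krb5LoginModule itself does with a stale cache entry, the application can enforce the ticket lifetime on its own side: after lc.login() the Subject carries the TGT as a javax.security.auth.kerberos.KerberosTicket, whose end time and isCurrent() can be checked before the app proceeds. The following is an added example, not code from the original post; the class and method names (TgtExpiryCheck, hasCurrentTgt, requireCurrentTgt, syntheticTgt) are mine, and the tickets built in main() are constructed test data (placeholder ASN.1 bytes and dummy key material) so the program runs without a KDC or krb5.ini.

```java
import java.util.Date;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Application-side enforcement of the Kerberos TGT lifetime after a JAAS login.
 * Added example; not part of the original post or of the JDK.
 */
public class TgtExpiryCheck {

    /**
     * True only if the Subject holds at least one krbtgt ticket and every
     * krbtgt ticket it holds is still current (end time in the future).
     */
    public static boolean hasCurrentTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        boolean sawTgt = false;
        Date now = new Date();
        for (KerberosTicket t : tickets) {
            // Only the ticket-granting ticket matters here; service tickets are ignored.
            if (!t.getServer().getName().startsWith("krbtgt/")) {
                continue;
            }
            sawTgt = true;
            if (!t.isCurrent() || !t.getEndTime().after(now)) {
                return false;
            }
        }
        return sawTgt;
    }

    /**
     * Call right after lc.login(): if the cached TGT is missing or expired,
     * tear the login down and refuse to continue instead of running the app.
     */
    public static void requireCurrentTgt(LoginContext lc) throws LoginException {
        if (!hasCurrentTgt(lc.getSubject())) {
            lc.logout();
            throw new LoginException("Kerberos TGT missing or expired; run kinit again");
        }
    }

    /**
     * Builds a TGT-shaped KerberosTicket with the given validity window.
     * Constructed test data only: the encoded ticket and session key are dummies.
     */
    static KerberosTicket syntheticTgt(Date start, Date end) {
        KerberosPrincipal client =
                new KerberosPrincipal("bwjenkins@NEUHAUS.WILTON-ASSOCIATES.COM");
        KerberosPrincipal tgs = new KerberosPrincipal(
                "krbtgt/NEUHAUS.WILTON-ASSOCIATES.COM@NEUHAUS.WILTON-ASSOCIATES.COM");
        byte[] fakeEncodedTicket = new byte[] { 0x61 }; // placeholder ASN.1 bytes, never sent anywhere
        byte[] fakeSessionKey = new byte[8];             // dummy key material, 8 bytes as for des-cbc-crc
        int desCbcCrc = 1;                               // etype 1 = des-cbc-crc, as in the post's krb5.ini
        return new KerberosTicket(fakeEncodedTicket, client, tgs, fakeSessionKey, desCbcCrc,
                new boolean[32], start, start, end, null, null);
    }

    public static void main(String[] args) {
        long hour = 3600_000L;
        long now = System.currentTimeMillis();

        // A cache entry whose 10-hour lifetime ended two hours ago, like the klist output after 02:19.
        Subject expired = new Subject();
        expired.getPrivateCredentials().add(
                syntheticTgt(new Date(now - 12 * hour), new Date(now - 2 * hour)));

        // A freshly obtained TGT with nine hours left.
        Subject fresh = new Subject();
        fresh.getPrivateCredentials().add(
                syntheticTgt(new Date(now - hour), new Date(now + 9 * hour)));

        System.out.println("expired TGT accepted? " + hasCurrentTgt(expired));
        System.out.println("fresh TGT accepted?   " + hasCurrentTgt(fresh));
    }
}
```

In the post's client code the check slots in directly after lc.login(): requireCurrentTgt(lc) throws a LoginException on an expired cache entry, so the app can tell the user to run kinit again rather than continuing on stale credentials. Note that this only verifies the end time recorded in the ticket the module handed back; it does not itself prove the ticket would be accepted by a KDC or service.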