Darran Lofthouse resolved WFCORE-2892.
--------------------------------------
Resolution: Cannot Reproduce Bug
Resolving as I cannot reproduce this.
My configuration is: -

{code:xml}
<system-properties>
    <property name="sun.security.krb5.debug" value="true"/>
    <property name="java.security.krb5.realm" value="ELYTRON.ORG"/>
    <property name="java.security.krb5.kdc" value="kdc.elytron.org"/>
</system-properties>

<security-realm name="ManagementRealm">
    <server-identities>
        <kerberos>
            <keytab principal="remote/test-server.elytron.org@ELYTRON.ORG"
                    path="/home/darranl/src/kerberos/remote-test-server.keytab"
                    debug="true"/>
        </kerberos>
    </server-identities>
    <authentication>
        <local default-user="$local"/>
        <kerberos remove-realm="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
{code}
I use the following command to execute the CLI: -

{code}
./jboss-cli.sh --controller=test-server.elytron.org \
    -Djava.security.krb5.realm=ELYTRON.ORG \
    -Djava.security.krb5.kdc=kdc.elytron.org \
    -Dsun.security.krb5.debug=true \
    -Djavax.security.auth.useSubjectCredsOnly=false \
    --no-local-auth --user=darranl --password=password1!
{code}
Where the principal is invalid on the Kerberos identity then Kerberos authentication is
successful when the CLI connects, when the principal is invalid then Digest authentication
is successful.
Regression in legacy security in DR17, Kerberos for CLI
--------------------------------------------------------
Key: WFCORE-2892
URL: https://issues.jboss.org/browse/WFCORE-2892
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 3.0.0.Beta23
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Priority: Blocker
Fix For: 3.0.0.Beta27
User impact: users relying on a fallback authentication mechanism in case of Kerberos can't.
This worked well in DR16.
When the GSSAPI mechanism fails, another mechanism, e.g. PLAIN, doesn't occur.
{code:title=server.log}
14:47:03,078 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Obtaining GSSCredential for the service from callback handler...
14:47:03,078 TRACE [org.jboss.as.domain.management.security] (management I/O-2) Selected KeytabService with principal 'remote/localhost.localdomain@WRONG_REALM.ORG' for host 'localhost.localdomain'
14:47:03,079 INFO [stdout] (management I/O-2) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab refreshKrb5Config is false principal is remote/localhost.localdomain@WRONG_REALM.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
14:47:03,079 INFO [stdout] (management I/O-2) principal is remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,079 INFO [stdout] (management I/O-2) Will use keytab
14:47:03,079 INFO [stdout] (management I/O-2) Commit Succeeded
14:47:03,079 INFO [stdout] (management I/O-2)
14:47:03,079 INFO [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 TRACE [org.wildfly.security] (management I/O-2) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
14:47:03,080 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <15985cc1> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
14:47:03,081 INFO [stdout] (management task-6) Entered Krb5Context.acceptSecContext with state=STATE_NEW
14:47:03,082 INFO [stdout] (management task-6) Looking for keys for: remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,083 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GSSAPI] Unable to accept SASL client message [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)]
    at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:152)
    at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
    at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
    at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
    at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
    at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
    at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:467)
    at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:891)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:131)
    ... 12 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 15 more
14:47:03,083 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) dispose
14:47:03,083 TRACE [org.wildfly.security] (management task-6) Handling AuthenticationCompleteCallback: fail
14:47:03,084 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <15985cc1> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Shut down writes on channel
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
14:47:03,087 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
14:47:03,108 INFO [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
14:47:03,109 INFO [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-1708048015373854835.conf
Loaded from Java config
>>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
>>>DEBUG <CCacheInputStream> client principal is hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG
>>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG@JBOSS.ORG
>>>DEBUG <CCacheInputStream> key type: 17
>>>DEBUG <CCacheInputStream> auth time: Tue May 02 14:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> start time: Tue May 02 14:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> end time: Tue May 02 22:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Found ticket for hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG to go to krbtgt/JBOSS.ORG@JBOSS.ORG expiring on Tue May 02 22:46:23 CEST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
>>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
>>> KrbKdcReq send: #bytes read=634
>>> KdcAccessibility: remove localhost.localdomain:6088
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 23519002
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
0000: 01 00 6E 82 02 2C 30 82 02 28 A0 03 02 01 05 A1 ..n..,0..(......
0010: 03 02 01 0E A2 07 03 05 00 00 00 00 00 A3 82 01 ................
0020: 2C 61 82 01 28 30 82 01 24 A0 03 02 01 05 A1 0B ,a..(0..$.......
0030: 1B 09 4A 42 4F 53 53 2E 4F 52 47 A2 2A 30 28 A0 ..JBOSS.ORG.*0(.
0040: 03 02 01 00 A1 21 30 1F 1B 06 72 65 6D 6F 74 65 .....!0...remote
0050: 1B 15 6C 6F 63 61 6C 68 6F 73 74 2E 6C 6F 63 61 ..localhost.loca
0060: 6C 64 6F 6D 61 69 6E A3 81 E3 30 81 E0 A0 03 02 ldomain...0.....
0070: 01 11 A2 81 D8 04 81 D5 6B C5 1A F4 8B 3A B3 7B ........k....:..
0080: AE 21 B6 7C 76 DA 7F 42 F7 74 77 08 B1 47 5E 91 .!..v..B.tw..G^.
0090: 2D 93 54 AA FF 8B A2 A3 F4 ED E4 20 58 8F 1D 3A -.T........ X..:
00A0: 11 1D E7 26 86 BF 70 A9 64 F2 D4 B6 E5 5A 7B 6D ...&..p.d....Z.m
00B0: D4 4A 47 C3 7E A8 40 8F 6A CE B1 B0 E4 8C 00 CC .JG...@.j.......
00C0: AD D0 30 23 D7 A2 6D 55 58 32 9C 0E 4D 48 78 62 ..0#..mUX2..MHxb
00D0: 7C BD C5 64 05 A4 2A F1 A7 D9 29 C2 78 F5 A0 E8 ...d..*...).x...
00E0: C3 24 77 34 C0 6A 70 27 42 20 47 EA E8 BE 7A 1C .$w4.jp'B G...z.
00F0: 72 3A AB 01 E9 5B 71 7A 86 AE E8 D8 00 94 17 2F r:...[qz......./
0100: 3F 8F 62 FC 58 4B 27 86 24 78 B9 97 71 1B E4 ED ?.b.XK'.$x..q...
0110: 93 A5 8F 1C 1B 7A 31 17 E4 E5 90 2A 02 88 22 39 .....z1....*.."9
0120: 9D B9 48 05 89 A2 8D F6 4F E7 29 C6 75 CE 2A EB ..H.....O.).u.*.
0130: A4 EB 60 C7 DA 26 AB 75 17 8C 9E 0B 55 A6 69 5B ..`..&.u....U.i[
0140: 53 DF 41 F7 E0 48 01 53 44 F3 8A 8F 5A A4 81 E2 S.A..H.SD...Z...
0150: 30 81 DF A0 03 02 01 11 A2 81 D7 04 81 D4 F2 C9 0...............
0160: 95 00 E1 89 EB 9F AF 03 DB 8E 9C 9B F5 FF E4 AF ................
0170: BD AB 4C FA 87 FD 87 B4 0B C8 21 53 7C A2 D9 07 ..L.......!S....
0180: 0D 63 D5 EA 76 D4 30 C4 17 ED 1D 90 6B 46 20 BE .c..v.0.....kF .
0190: 28 C0 02 87 7D D8 EC 21 0F 50 FC 39 D7 0B AD C3 (......!.P.9....
01A0: 07 10 7A F4 79 71 0E 59 5C 8D 55 D6 71 54 4B 35 ..z.yq.Y\.U.qTK5
01B0: EE E7 33 87 BD 21 78 79 76 49 DF FA 17 CA 5A B2 ..3..!xyvI....Z.
01C0: A6 72 4C 6B E2 CB A6 8F 2E 8B 1B F4 DD 41 4D 85 .rLk.........AM.
01D0: 5D 9A 92 5A 90 EB 2F 80 7A 02 F4 05 9A 54 1D D5 ]..Z../.z....T..
01E0: 0F 04 12 53 29 1D A1 D3 5B 08 E4 FA 75 F0 AE 2E ...S)...[...u...
01F0: F6 07 0E 44 BD F2 6C 0F 3F 95 14 D6 75 2F 12 08 ...D..l.?...u/..
0200: 0E F5 6E B9 CB 28 6A 5C 51 7E 4F 9D E0 2F 18 1C ..n..(j\Q.O../..
0210: 0D 0D 18 AA 31 FE 8E D2 42 AD CA 62 B1 EF 69 9D ....1...B..b..i.
0220: 88 82 57 36 58 B2 72 CF 35 54 B1 BE 9B 57 10 F5 ..W6X.r.5T...W..
0230: 2C FF ,.
Failed to connect to the controller: The controller is not available at localhost.localdomain:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 79a3d728 to localhost.localdomain/127.0.0.1:9990 of endpoint "cli-client" <24aed80c>
{code}
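The two messages on this page describe the same behaviour from opposite sides: the description's log shows a GSSAPI rejection followed directly by the connection closing, while the resolution comment expects Digest authentication to succeed when the Kerberos attempt fails. The following script is an added example (not code from the issue or from WildFly) that replays management-interface TRACE lines like those above and reports, per client connection, which SASL mechanisms the server handled and whether a rejected GSSAPI attempt was followed by a fallback. The embedded sample log is constructed: the first connection condenses the server.log in this report, the second is an assumed healthy negotiation, and its `AuthenticationCompleteCallback: succeed` line is an assumption about the trace wording rather than a line from the issue.

```python
"""Replay WildFly/Elytron management TRACE lines and check SASL fallback.

Added example; not code from the WFCORE-2892 report or from WildFly. It walks
server.log lines in order, records which SASL mechanism the server handled on
each client connection and how that attempt ended, and flags a connection on
which a rejected GSSAPI attempt was not followed by any other mechanism.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# WildFly log line layout: "HH:MM:SS,mmm LEVEL [logger] (thread) message".
LOG_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d,\d{3}) +(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) ?(?P<msg>.*)$"
)
# Markers taken from the trace lines in this issue's server.log.
MECH_SELECTED = re.compile(r"MechanismInformationCallback type='SASL' name='(?P<mech>[^']+)'")
AUTH_REJECTED = re.compile(r"Server sending authentication rejected: (?P<reason>.*)")
AUTH_COMPLETE = re.compile(r"Handling AuthenticationCompleteCallback: (?P<result>\w+)")
CONNECTION_END = "Received connection end-of-stream"

NO_FALLBACK = "GSSAPI rejected and no other mechanism was attempted"
FALLBACK_OK = "GSSAPI rejected, a later mechanism succeeded"
AUTHENTICATED = "authenticated on the first mechanism"
ALL_FAILED = "every mechanism attempted was rejected"
NO_ATTEMPT = "no SASL attempt recorded"


@dataclass
class Attempt:
    mechanism: str
    outcome: str                  # "fail" or "succeed" from the callback line
    reason: Optional[str] = None  # SaslException summary from the rejection line


@dataclass
class Negotiation:
    attempts: List[Attempt] = field(default_factory=list)


def parse_negotiations(lines) -> List[Negotiation]:
    """Group SASL attempts into one Negotiation per client connection."""
    negotiations: List[Negotiation] = []
    current = Negotiation()
    pending_mech: Optional[str] = None
    pending_reason: Optional[str] = None
    for raw in lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue  # stack-trace frames, JDK krb5 stdout debug, CLI output
        msg = m["msg"]
        sel = MECH_SELECTED.search(msg)
        if sel:
            pending_mech = sel["mech"]
            continue
        rej = AUTH_REJECTED.search(msg)
        if rej:
            # Keep the SaslException summary (ELY code + mechanism), drop the cause chain.
            pending_reason = rej["reason"].split(" [Caused by")[0]
            continue
        done = AUTH_COMPLETE.search(msg)
        if done and pending_mech:
            current.attempts.append(Attempt(pending_mech, done["result"], pending_reason))
            pending_mech, pending_reason = None, None
            continue
        if CONNECTION_END in msg:
            negotiations.append(current)
            current = Negotiation()
    if current.attempts:  # log ended before the connection was closed
        negotiations.append(current)
    return negotiations


def diagnose(neg: Negotiation) -> str:
    """Classify one connection's negotiation; NO_FALLBACK is the symptom in this issue."""
    if not neg.attempts:
        return NO_ATTEMPT
    outcomes = [a.outcome for a in neg.attempts]
    if outcomes[-1] == "succeed":
        return AUTHENTICATED if len(outcomes) == 1 else FALLBACK_OK
    if [a.mechanism for a in neg.attempts] == ["GSSAPI"]:
        return NO_FALLBACK
    return ALL_FAILED


# Constructed sample. Connection 1 condenses the server.log in this issue; connection 2
# is an assumed healthy negotiation whose "succeed" line is an assumed trace wording.
SAMPLE_LOG = """\
14:47:03,078 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
14:47:03,083 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GSSAPI] Unable to accept SASL client message [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)]
\tat org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:152)
14:47:03,083 TRACE [org.wildfly.security] (management task-6) Handling AuthenticationCompleteCallback: fail
14:47:03,087 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
14:48:10,001 TRACE [org.wildfly.security] (management I/O-3) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
14:48:10,010 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GSSAPI] Unable to accept SASL client message
14:48:10,010 TRACE [org.wildfly.security] (management task-7) Handling AuthenticationCompleteCallback: fail
14:48:10,020 TRACE [org.wildfly.security] (management I/O-3) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='localhost.localdomain' protocol='remote'
14:48:10,040 TRACE [org.wildfly.security] (management task-8) Handling AuthenticationCompleteCallback: succeed
14:48:15,000 TRACE [org.jboss.remoting.remote] (management I/O-3) Received connection end-of-stream
"""

if __name__ == "__main__":
    for i, neg in enumerate(parse_negotiations(SAMPLE_LOG.splitlines()), 1):
        chain = " -> ".join(f"{a.mechanism}:{a.outcome}" for a in neg.attempts)
        print(f"connection {i}: {chain}  => {diagnose(neg)}")
```

Run it against a real server.log captured with `org.wildfly.security` and `org.jboss.remoting` at TRACE; a connection classified as NO_FALLBACK after a GSSAPI rejection is the regression reported here, whereas the expected behaviour is FALLBACK_OK with the properties-backed Digest mechanism as the second attempt.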