[jboss-jira] [JBoss JIRA] (WFLY-7991) Legacy Kerberos in management, regression in choosing keytab strategy
Martin Choma (JIRA)
issues at jboss.org
Mon Jan 30 05:35:00 EST 2017
Martin Choma created WFLY-7991:
----------------------------------
Summary: Legacy Kerberos in management, regression in choosing keytab strategy
Key: WFLY-7991
URL: https://issues.jboss.org/browse/WFLY-7991
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
There is a regression in the strategy for choosing a keytab, which is described by the XSD:
{code:xml|title=wildfly-config_5_0.xsd}
<xs:element name="keytab">
    <xs:complexType>
        <xs:annotation>
            <xs:documentation>
                Reference to an individual keytab.
                On handling the authentication for an incoming request two pieces of information are known, the protocol and the name of the host
                this server is acting as. For HTTP requests the protocol will always be HTTP, for requests over Remoting by default the protocol will
                be 'remote' although this can be overridden.
                At the time authentication is going to be handled the keytab will be selected as follows: -
                1 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching protocol/hostname.
                2 - Iterate the list of keytabs and identify one where the name of the principal matches protocol/hostname.
                3 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching hostname.
                4 - Iterate the list of keytabs and identify one where the hostname portion of the principal matches the hostname of the request.
                5 - Use the keytab where for-hosts is set to '*'.
                If no match is found no keytab will be selected and Kerberos will not be available for communication as that host.
            </xs:documentation>
        </xs:annotation>
    </xs:complexType>
</xs:element>
{code}
In this example:
{code:xml|title=standalone.xml}
<security-realm name="PriorityForHostsProtocolBeforePrincipal">
    <server-identities>
        <kerberos>
            <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
            <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
        </kerberos>
    </server-identities>
</security-realm>
{code}
Rule 1 should be applied, but {{<keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>}} is chosen instead, as the trace shows:
{code:title=server.log}
10:28:40,743 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:28:40,744 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
10:28:40,744 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,847 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:28:40,848 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
{code}
In this example:
{code:xml|title=standalone.xml}
<security-realm name="PriorityProtocolPrincipalBeforeForHosts">
    <server-identities>
        <kerberos>
            <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wronghost"/>
            <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>
        </kerberos>
    </server-identities>
</security-realm>
{code}
Rule 2 should be applied, but {{<keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>}} is chosen instead:
{code:title=server.log}
10:29:21,889 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:29:21,890 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,959 INFO [stdout] (management task-9) Entered Krb5Context.acceptSecContext with state=STATE_NEW
10:29:21,960 INFO [stdout] (management task-9) Looking for keys for: HTTP/wronghost@JBOSS.ORG
{code}
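The following is an added reference model of the five-step selection order quoted from the XSD, run against both realms from this report; it is not WildFly code. It assumes for-hosts is a whitespace-separated list and that names compare case-insensitively (the trace prints the looked-up name as 'http/localhost.localdomain' while the principal uses 'HTTP'). Starting at rule 3 reproduces the "host only match" the trace shows and therefore the wrong keytab in both examples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Keytab:
    principal: str   # e.g. "HTTP/localhost.localdomain@JBOSS.ORG"
    path: str
    for_hosts: str   # raw value of the for-hosts attribute (assumed whitespace-separated)

    @property
    def service_name(self) -> str:
        """Principal without the realm, lower-cased: 'http/localhost.localdomain'."""
        return self.principal.split("@", 1)[0].lower()

    @property
    def principal_host(self) -> str:
        """Hostname portion of the principal: 'localhost.localdomain'."""
        return self.service_name.split("/", 1)[-1]

    @property
    def hosts(self) -> List[str]:
        return [h.lower() for h in self.for_hosts.split()]


def select_keytab(keytabs: List[Keytab], protocol: str, hostname: str,
                  first_rule: int = 1) -> Tuple[Optional[int], Optional[Keytab]]:
    """Apply XSD rules first_rule..5 in order; return (rule number, keytab) or (None, None).

    first_rule=3 skips the two protocol/hostname rules, i.e. the 'host only match'
    path seen in the trace above.
    """
    full = f"{protocol}/{hostname}".lower()
    host = hostname.lower()
    rules = {
        1: lambda kt: full in kt.hosts,            # for-hosts has protocol/hostname
        2: lambda kt: kt.service_name == full,     # principal is protocol/hostname
        3: lambda kt: host in kt.hosts,            # for-hosts has hostname
        4: lambda kt: kt.principal_host == host,   # principal's host part matches
        5: lambda kt: "*" in kt.hosts,             # wildcard keytab
    }
    for number in range(first_rule, 6):
        for kt in keytabs:
            if rules[number](kt):
                return number, kt
    return None, None


# The two realms from this report, with the '@' restored in the principals.
PRIORITY_FOR_HOSTS_PROTOCOL_BEFORE_PRINCIPAL = [
    Keytab("HTTP/localhost.localdomain@JBOSS.ORG", "krb.keytab", "wrongprotocol/localhost.localdomain"),
    Keytab("HTTP/wronghost@JBOSS.ORG", "krb.keytab", "HTTP/localhost.localdomain"),
]
PRIORITY_PROTOCOL_PRINCIPAL_BEFORE_FOR_HOSTS = [
    Keytab("HTTP/localhost.localdomain@JBOSS.ORG", "krb.keytab", "wronghost"),
    Keytab("HTTP/wronghost@JBOSS.ORG", "krb.keytab", "localhost.localdomain"),
]
```

Calling `select_keytab(realm, "HTTP", "localhost.localdomain")` yields rule 1 and rule 2 respectively, matching the XSD; with `first_rule=3` it yields exactly the principals the trace reports as selected.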
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)