[jboss-jira] [JBoss JIRA] (WFCORE-2477) Legacy Kerberos in management, regression in choosing keytab strategy

Darran Lofthouse (JIRA) issues at jboss.org
Tue Mar 7 13:16:46 EST 2017


     [ https://issues.jboss.org/browse/WFCORE-2477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse moved WFLY-7991 to WFCORE-2477:
------------------------------------------------

        Project: WildFly Core  (was: WildFly)
            Key: WFCORE-2477  (was: WFLY-7991)
    Component/s: Security
                     (was: Security)


> Legacy Kerberos in management, regression in choosing keytab strategy
> ---------------------------------------------------------------------
>
>                 Key: WFCORE-2477
>                 URL: https://issues.jboss.org/browse/WFCORE-2477
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>
> There is a regression in the strategy for choosing a keytab described by the xsd:
> {code:xml|title=wildfly-config_5_0.xsd}
>             <xs:element name="keytab">
>                 <xs:complexType>
>                     <xs:annotation>
>                         <xs:documentation>
>                             Reference to an individual keytab.
>                             On handling the authentication for an incoming request two pieces of information are known, the protocol and the name of the host
>                             this server is acting as.  For HTTP requests the protocol will always be HTTP, for requests over Remoting by default the protocol will
>                             be 'remote' although this can be overridden.
>                             At the time authentication is going to be handled the keytab will be selected as follows: -
>                              1 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching protocol/hostname.
>                              2 - Iterate the list of keytabs and identify one where the name of the principal matches protocol/hostname.
>                              3 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching hostname.
>                              4 - Iterate the list of keytabs and identify one where the hostname portion of the principal matches the hostname of the request.
>                              5 - Use the keytab where for-hosts is set to '*'.
>                             If no match is found no keytab will be selected and Kerberos will not be available for communication as that host.
>                         </xs:documentation>
>                     </xs:annotation>
> {code}
> In this example:
> {code:xml|title=standalone.xml}
>             <security-realm name="PriorityForHostsProtocolBeforePrincipal">
>                 <server-identities>
>                     <kerberos>
>                         <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
>                         <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
>                     </kerberos>
> {code}
> Rule 1 should be applied, but {{<keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>}} is chosen:
> {code:title=server.log}
> 10:28:40,743 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:28:40,744 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
> 10:28:40,744 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,847 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:28:40,848 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
> 10:28:40,848 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,848 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,849 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,849 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> {code}
> In this example:
> {code:xml|title=standalone.xml}
>             <security-realm name="PriorityProtocolPrincipalBeforeForHosts">
>                 <server-identities>
>                     <kerberos>
>                         <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wronghost"/>
>                         <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>
>                     </kerberos>
> {code}
> Rule 2 should be applied, but {{<keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>}} is chosen:
> {code:title=server.log}
> 10:29:21,889 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:29:21,890 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
> 10:29:21,890 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,890 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,891 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,891 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
> 10:29:21,957 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,957 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,958 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,958 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,959 INFO  [stdout] (management task-9) Entered Krb5Context.acceptSecContext with state=STATE_NEW
> 10:29:21,960 INFO  [stdout] (management task-9) Looking for keys for: HTTP/wronghost@JBOSS.ORG
> {code}
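Added example (Python, not WildFly's own code and not part of the JIRA issue): a reference model of the five keytab selection rules quoted from the XSD above, run against the two security-realm configurations in the report. `select_keytab` applies rules 1 to 5 in order and returns the rule that fired together with the chosen keytab; the `host_only` switch skips rules 1 and 2 and is an assumption that models the "attempting to use host only match" path visible in the report's TRACE lines, not a reading of WildFly's source. Case-insensitive comparison is also an assumption, chosen because the trace shows the lookup name as `http/localhost.localdomain` while the configuration uses `HTTP/...`. The two realms are reconstructed from the report's standalone.xml snippets with the `@` in the principals restored.

```python
"""Reference model of the legacy-Kerberos keytab selection rules quoted from
wildfly-config_5_0.xsd in WFCORE-2477.  Added example, not WildFly code."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Keytab:
    """One <keytab> element: principal, keytab path and the for-hosts entries."""
    principal: str                  # e.g. "HTTP/localhost.localdomain@JBOSS.ORG"
    path: str
    for_hosts: Tuple[str, ...] = ()

    @property
    def service_name(self) -> str:
        """Principal without the realm, e.g. 'HTTP/localhost.localdomain'."""
        return self.principal.split("@", 1)[0]

    @property
    def principal_host(self) -> str:
        """Host portion of the principal, e.g. 'localhost.localdomain'."""
        name = self.service_name
        return name.split("/", 1)[1] if "/" in name else name


def _eq(a: str, b: str) -> bool:
    # Assumption: comparison is case-insensitive (the report's trace shows the
    # lookup name lowercased as 'http/...' while the config says 'HTTP/...').
    return a.lower() == b.lower()


def select_keytab(keytabs: Iterable[Keytab], protocol: str, hostname: str,
                  host_only: bool = False) -> Tuple[Optional[int], Optional[Keytab]]:
    """Apply the XSD's ordered rules 1-5; return (rule_number, keytab) or (None, None).

    host_only=True skips rules 1 and 2.  This is an assumption modelling the
    'attempting to use host only match' path seen in the report's server.log,
    not a reading of WildFly's implementation."""
    target = f"{protocol}/{hostname}"
    rules: List[Tuple[int, Callable[[Keytab], bool]]] = [
        (1, lambda k: any(_eq(h, target) for h in k.for_hosts)),   # for-hosts has protocol/host
        (2, lambda k: _eq(k.service_name, target)),                 # principal is protocol/host
        (3, lambda k: any(_eq(h, hostname) for h in k.for_hosts)),  # for-hosts has host
        (4, lambda k: _eq(k.principal_host, hostname)),             # principal's host part
        (5, lambda k: "*" in k.for_hosts),                          # wildcard fallback
    ]
    keytabs = tuple(keytabs)
    for number, matches in rules:
        if host_only and number in (1, 2):
            continue
        for keytab in keytabs:
            if matches(keytab):
                return number, keytab
    # No rule matched: per the XSD, Kerberos is not available for this host.
    return None, None


# The two realms from the report, reconstructed with '@' restored in the principals.
REALM_1 = (  # PriorityForHostsProtocolBeforePrincipal
    Keytab("HTTP/localhost.localdomain@JBOSS.ORG", "krb.keytab",
           ("wrongprotocol/localhost.localdomain",)),
    Keytab("HTTP/wronghost@JBOSS.ORG", "krb.keytab", ("HTTP/localhost.localdomain",)),
)
REALM_2 = (  # PriorityProtocolPrincipalBeforeForHosts
    Keytab("HTTP/localhost.localdomain@JBOSS.ORG", "krb.keytab", ("wronghost",)),
    Keytab("HTTP/wronghost@JBOSS.ORG", "krb.keytab", ("localhost.localdomain",)),
)


def compare(keytabs: Iterable[Keytab]):
    """Selection per the XSD next to the host-only selection, for an HTTP request
    to localhost.localdomain as in the report."""
    keytabs = tuple(keytabs)
    expected = select_keytab(keytabs, "HTTP", "localhost.localdomain")
    observed = select_keytab(keytabs, "HTTP", "localhost.localdomain", host_only=True)
    return expected, observed


if __name__ == "__main__":
    for name, realm in (("PriorityForHostsProtocolBeforePrincipal", REALM_1),
                        ("PriorityProtocolPrincipalBeforeForHosts", REALM_2)):
        (er, ek), (orule, ok) = compare(realm)
        print(f"{name}: XSD rule {er} -> {ek.principal}; host-only rule {orule} -> {ok.principal}")
```

With the rules applied as documented, the first realm resolves under rule 1 to the `HTTP/wronghost@JBOSS.ORG` keytab and the second under rule 2 to `HTTP/localhost.localdomain@JBOSS.ORG`, which is what the report says should happen; the host-only path picks the other keytab in both realms, matching the `Selected KeytabService` trace lines. A model like this is a cheap way to turn the XSD text into a table of expected selections that a regression test can assert against, so that a change in rule ordering shows up as a failing test rather than as a server accepting tickets for the wrong principal.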



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

