JAAS - Request for renewable Kerberos tickets

I have a Java API that talks to a Kerberos server and performs various operations. At the moment, my API is requesting non-renewable tickets from the Kerberos server. As I understand it, the JAAS configuration file has the ability to set renewTGT to true so that a renewable ticket can be issued. However, JAAS seems to have a lot of restrictions on setting the "renewUntil" time. Can someone tell me how we can request an affordable ticket, as well as control its renewability? Basically, is there a way we can execute the Java equivalent of the operation kinit -R? Thanks in advance.

1 answer

As of JDK 7 (1.7.0_55), the JAAS Krb5LoginModule provides no way to request a renewable TGT during authentication, so this is currently not possible in JAAS. You could achieve this, but you would need to use the Kerberos inner classes directly, bypassing JAAS.

Internally, Krb5LoginModule creates an instance of sun.security.krb5.KrbAsReqBuilder to retrieve credentials using either the provided password or keyTab. KrbAsReqBuilder has a setOptions(KDCOptions options) method, but this is not called in the input module. If it could be accessed, you could call KDCOptions#set(KDCOptions.RENEWABLE, true), and I expected the return ticket to be renewed if the KDC is configured to allow renewable tickets.
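
To check whether the TGT a JAAS login produced is actually renewable, and to renew one that is, the public javax.security.auth.kerberos.KerberosTicket API is enough. The following is an added example, not code from the answer above: the class and method names (TgtRenewCheck, findTgt, renewIfPossible) and the EXAMPLE.COM principals are made up for illustration. refresh() only renews a ticket that was already issued as renewable.

```java
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import java.util.Date;

public class TgtRenewCheck {
    /** Returns the TGT (server principal krbtgt/...) held by the subject, or null. */
    static KerberosTicket findTgt(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) return t;
        }
        return null;
    }

    /** Renews the TGT through the public API; returns false when renewal is not possible. */
    static boolean renewIfPossible(KerberosTicket tgt) {
        Date renewTill = tgt.getRenewTill();
        if (!tgt.isRenewable() || renewTill == null || renewTill.before(new Date())) {
            return false;   // non-renewable ticket, or its renew-till time has passed
        }
        try {
            tgt.refresh();  // contacts the KDC; the ticket object is updated in place
            return true;
        } catch (RefreshFailedException e) {
            return false;   // KDC refused the renewal or could not be reached
        }
    }

    public static void main(String[] args) {
        // Constructed sample ticket (dummy bytes, not a real credential) to run findTgt offline.
        boolean[] flags = new boolean[32];
        flags[8] = true;    // bit 8 of the Kerberos ticket flags is RENEWABLE
        long now = System.currentTimeMillis();
        KerberosTicket sample = new KerberosTicket(new byte[] {0x61},
            new KerberosPrincipal("alice@EXAMPLE.COM"),
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            new byte[16], 17, flags,
            new Date(now), new Date(now), new Date(now + 3600000L),
            new Date(now + 86400000L), null);
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(sample);
        KerberosTicket tgt = findTgt(subject);
        System.out.println("renewable=" + tgt.isRenewable() + " renewTill=" + tgt.getRenewTill());
        // renewIfPossible(tgt) is meant for a ticket from a real LoginContext.login(); it needs a KDC.
    }
}
```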
