Logging a Java program into multiple Kerberos realms with different keytabs

For some reason, my client needs to log into two Kerberos realms, say REALM1 and REALM2. My supervisor was registered in both realms, with two different keytabs created (principal/host@REALM1 with keytab1 and principal/host@REALM2 with keytab2). In other words, I can authenticate and list my principal against two different realms.

Now I need to run an application in which I first need to perform several tasks in REALM1, and then other tasks that need to be done in REALM2, so I need to log into REALM1 first, finish some work and then log into REALM2. I tried to do this by resetting the System property "java.security.krb5.conf" in the middle of my program, but could not switch from REALM1 to REALM2 (it was not possible to log in; it seemed that the default realm stayed the same).

I looked around and saw the relevant answer to the post (Kerberos Auth with JAAS and multiple realms), and I understand that a keytab is associated with a realm, but I don't understand: I created two keytabs for two realms, so why can't they log into two realms? Is cross-realm authentication the only way to do this?

+4
4 answers

Do not do this. Build cross-realm trust, and you can use your client's original keytab to perform all tasks in the foreign realm. Here we have at least 30 realms, and my Unix machine, of course, is joined to one realm. This works pretty neatly.

+3

In your case, you can get away with simply forcing a configuration reset before each use, using the refreshKrb5Config=true parameter of Krb5LoginModule in the JAAS login.conf (see Refresh Kerberos Configuration in JAVA without restarting the JVM).

This will not work in a multi-threaded application, though; you would have to serialize access to this shared resource. The fact that the Java Kerberos implementation uses System properties (and a single configuration file) is an unnecessary limitation, possibly even a bug.

The accepted answer of using cross-realm trusts may be good sometimes, but not always. For example, if the network administrators do not want ALL services to trust another domain, just this one particular service, then you are out of luck. Say you have a multi-threaded application written in Java providing a service that wants to accept tickets from multiple realms; you would need to run one instance of this application per domain (the krb5.conf hostname is static, just change the keytab and KDC). This becomes a big headache if this particular application is a web service running on port 443 using SPNEGO. Now you need two instances of the application server on different ports? Ugh.

+2

I would recommend you check out the open source oVirt project.

Look at the oVirt engine's Java code, and look in the bll module (ovirt-engine/backend/modules/bll) for the authentication code (see DirectorySearcher.java); we support logging into multiple Kerberos realms.

We have a tool called engine-manage-domains that lets you add a "domain user" (which we use mainly to search for users and groups in the added domain) for a domain, for example:

You can add the user "aaa" from the domain "example.com", which is Active Directory. This modifies the dedicated krb5.conf, which is kept at /etc/ovirt-engine/krb5.conf and which the oVirt engine uses.

Look at the place in the code where we create the JAAS login object and log in (we do an explicit login if we don't have a valid ticket for the realm).

I think cross-realm authentication is the best solution, but you may run into scenarios in which you cannot create such a trust. For example, in the case of oVirt, it is an open source virtualization management system and should not "interfere" with or force changes to the settings of other systems installed in the user's organization.

0

I'm late to the party, but this may help other people who find this question in a search.

Cross-realm authentication is the best option, but it is not always possible. For example, you may act as a trusted third party copying data from one organization to another, and neither of them may be open to it.

The javax.security.auth.login.LoginContext class typically uses an external configuration file that can hold multiple entries. This is a good approach if your devops support it, but there are many environments where this is not possible, for example if you are deployed as a .war file on an application server. (Classic example: your application autoscales on AWS Elastic Beanstalk.)

In our case, we used the LoginContext constructor that takes a Configuration object. We have to store the necessary information ourselves, but we can cope with almost everything. (We can load our keytab and write it to a file in a temporary directory, then point to it in the Configuration object. Remember to destroy this file when your application exits!)

In this case, it is useful to remember that the Configuration object is a bag, and each AppConfigurationEntry is the information for one service.

Edited to add: you can specify different locations for the credential cache file (ccache) in your options. I can't remember whether ccache files support more than one record, but it doesn't hurt to specify different files.

0
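Putting the second and fourth answers together, as an added example that is not code from the question or from any answerer: a JAAS Configuration built in code with one Krb5LoginModule entry per realm, each with refreshKrb5Config=true, and a serialized login that switches java.security.krb5.conf before each login. The principal names, keytab paths and krb5.conf paths are assumed placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Programmatic JAAS configuration with one Krb5LoginModule entry per realm. */
public final class MultiRealmLogin {
    // Hypothetical principals, keytab paths and krb5.conf paths: placeholders only.
    private static final Map<String, AppConfigurationEntry[]> ENTRIES = new HashMap<>();
    static {
        ENTRIES.put("Realm1", new AppConfigurationEntry[] {
            krb5Entry("host/app.example.com@REALM1", "/etc/security/keytab1") });
        ENTRIES.put("Realm2", new AppConfigurationEntry[] {
            krb5Entry("host/app.example.com@REALM2", "/etc/security/keytab2") });
    }
    // Configuration is abstract; this lookup is the only method that must be implemented.
    private static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return ENTRIES.get(name);
        }
    };
    private static AppConfigurationEntry krb5Entry(String principal, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");          // keep the key in the Subject for later GSS use
        opts.put("doNotPrompt", "true");       // never fall back to a password prompt
        opts.put("refreshKrb5Config", "true"); // re-read krb5.conf on every login
        return new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
    }

    /** Points the JVM at a realm-specific krb5.conf, then logs in with the named entry. */
    static synchronized Subject login(String entry, String krb5Conf) throws LoginException {
        // java.security.krb5.conf is JVM-global, so logins are serialized here.
        System.setProperty("java.security.krb5.conf", krb5Conf);
        LoginContext lc = new LoginContext(entry, null, null, CONFIG);
        lc.login();
        return lc.getSubject();
    }
    public static void main(String[] args) throws LoginException {
        Subject realm1 = login("Realm1", "/etc/krb5-realm1.conf"); // REALM1 work via Subject.doAs
        Subject realm2 = login("Realm2", "/etc/krb5-realm2.conf"); // then REALM2 work
    }
}
```

The synchronized login is the second answer's caveat made concrete: java.security.krb5.conf is one JVM-wide property, so logins against different realms must not interleave.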