Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-27378

(7.4.z) Incorrect allow_weak_crypto value in krb5.conf file in core/testsuite/elytron

XMLWordPrintable

      I see test failures from KerberosNativeMgmtSaslTestCase in wildfly-core-eap:15.0.x branch using JDK 8:

      cd wildfly-core/testsuite/elytron
      mvn clean install -Dtest=KerberosHttpMgmtSaslTestCase,KerberosNativeMgmtSaslTestCase
      
      [🎩 lgao@lins-p1 elytron]$ java -version
      openjdk version "1.8.0_392"
      OpenJDK Runtime Environment (build 1.8.0_392-b08)
      OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
      
      Running org.wildfly.test.integration.elytron.sasl.mgmt.KerberosHttpMgmtSaslTestCase
      Tests run: 7, Failures: 0, Errors: 6, Skipped: 0, Time elapsed: 2.1 sec <<< FAILURE! - in org.wildfly.test.integration.elytron.sasl.mgmt.KerberosHttpMgmtSaslTestCase
      testGs2Krb5PlusWithoutSsl(org.wildfly.test.integration.elytron.sasl.mgmt.KerberosHttpMgmtSaslTestCase)  Time elapsed: 0.285 sec  <<< ERROR!
      javax.security.auth.login.LoginException: no supported default etypes for default_tkt_enctypes
      	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
      	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at org.wildfly.test.security.common.kerberos.KerberosTestUtils.loginWithKerberos(KerberosTestUtils.java:102)
      	at org.wildfly.test.integration.elytron.sasl.mgmt.AbstractKerberosMgmtSaslTestBase.assertKerberosSaslMechFails(AbstractKerberosMgmtSaslTestBase.java:265)
      	at org.wildfly.test.integration.elytron.sasl.mgmt.AbstractKerberosMgmtSaslTestBase.testGs2Krb5PlusWithoutSsl(AbstractKerberosMgmtSaslTestBase.java:215)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
      	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
      	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
      	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
      	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
      	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
      	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
      
      

      The cause is Deprecate 3DES and RC4 in Kerberos (JDK-8139348). The RN mentions that "Users can set allow_weak_crypto = true in the krb5.conf configuration file  to re-enable" This is actually what we have already configured in https://github.com/wildfly/wildfly/blob/27.0.1.Final/testsuite/shared/src/main/resources/org/jboss/as/test/integration/security/common/krb5.conf#LL8 for our testsuite. But the value is incorrect, it should be allow_weak_crypto = true instead.

      The allow_weak_crypto attribuet is described here https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults

      NOTE: this does not affect when using JDK11, it only occurs on JDK 8, so it does not affect EAP8.

              rhn-engineering-lgao Lin Gao
              rhn-engineering-lgao Lin Gao
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: