WildFly Core
WFCORE-1091

Kerberos authentication for remoting on hostname which contains uppercase letter

      • On a system whose host name contains an upper case letter, e.g. locally edit /etc/hostname and /etc/hosts to localhost.Localdomain
        • CLI
          • Set up the CLI secured with Kerberos to use the lowercase host
                        <security-realm name="KerberosSecurityRealm">
                            <server-identities>
                                <kerberos>
                                    <keytab principal="remote/localhost.localdomain@JBOSS.ORG" path="/path/to/krb.keytab"/>
                                </kerberos>
                            </server-identities>
                            <authentication>
                                <kerberos/>
                            </authentication>
                        </security-realm>
            
          • start EAP
          • try to access the CLI
        • EJB
          • set up the remoting subsystem secured with a Kerberos realm to use the lowercase host
                    <subsystem xmlns="urn:jboss:domain:remoting:3.0">
                        <endpoint/>
                        <http-connector name="http-remoting-connector" connector-ref="default" security-realm="TestKerberosRealm"/>
                    </subsystem>
                    <security-realm name="TestKerberosRealm">
                        <server-identities>
                            <kerberos>
                                <keytab principal="remote/localhost.localdomain@JBOSS.ORG" path="/path/to/krb.keytab" debug="true"/>
                            </kerberos>
                        </server-identities>
                        <authentication>
                            <kerberos/>
                        </authentication>
                    </security-realm>
            
          • deploy an app with an EJB, start EAP
          • try to access the deployment
      • Both scenarios lead to log messages such as
        17:28:56,922 TRACE [org.jboss.as.domain.management.security] (default I/O-3) No mapping for name 'remote/localhost.Localdomain' to KeytabService, attempting to use host only match.
        17:28:56,922 TRACE [org.jboss.as.domain.management.security] (default I/O-3) No mapping for host 'localhost.Localdomain' to KeytabService, attempting to use default.
        17:28:56,922 TRACE [org.jboss.as.domain.management.security] (default I/O-3) No KeytabService available for host 'localhost.Localdomain' unable to return SubjectIdentity.
        

      When EAP runs on a server whose hostname contains upper case letters (e.g. localhost.Localdomain), it is impossible to make Kerberos authentication in remoting work properly.
      The JDK constructs the TGT-REQ with a lowercase hostname, but the remoting client creates the connection to EAP with upper case letters, which causes problems.

      RFC 4120 "The Kerberos Network Authentication Service" [1], in chapter "6.2.1. Name of Server Principals", requires: "Where the name of the host is not case sensitive (for example, with Internet domain names) the name of the host MUST be lowercase."

      Based on the information from the RFC, IMHO, EAP should handle such a scenario. Either the remoting client should send the lowercase hostname, or the security realm should map the principal case-insensitively and look for the lower-case keytab record, e.g. remote/localhost.localdomain.

      [1] https://www.ietf.org/rfc/rfc4120.txt
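The following is an added example, not WildFly Core or EAP code. It models the three-step keytab resolution visible in the TRACE output above (exact principal name, then host-only match, then default) and shows the effect of the RFC 4120 section 6.2.1 rule: lowercasing the host component of the service principal before the lookup makes 'remote/localhost.Localdomain' resolve to the keytab configured for remote/localhost.localdomain@JBOSS.ORG. The keytab table, the function names and the principal strings are constructed for this example; the service and realm components are deliberately left untouched because, unlike the host, they are case-sensitive in Kerberos.

```python
"""Case-normalising Kerberos service-principal lookup (added example, not WildFly code)."""
import re
from typing import Dict, Optional, Tuple

# Constructed registry: the principal each server identity was configured
# with, mapped to an opaque keytab reference (here simply the keytab path).
KEYTABS: Dict[str, str] = {
    "remote/localhost.localdomain@JBOSS.ORG": "/path/to/krb.keytab",
}

# service[/host][@REALM]; the host part is everything between '/' and '@'.
_PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@]+)(?:/(?P<host>[^@]+))?(?:@(?P<realm>.+))?$"
)


def split_principal(name: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'service/host@REALM' into (service, host, realm); host and realm may be None."""
    m = _PRINCIPAL_RE.match(name)
    if not m:
        raise ValueError(f"not a Kerberos principal: {name!r}")
    return m.group("service"), m.group("host"), m.group("realm")


def normalize_host(host: Optional[str]) -> Optional[str]:
    """RFC 4120 6.2.1: a case-insensitive host name (DNS name) MUST be lowercase.

    A trailing dot (absolute DNS name) is dropped as well, because a resolver
    may return 'localhost.localdomain.' while the keytab holds the bare name.
    """
    if host is None:
        return None
    return host.rstrip(".").lower()


def normalize_principal(name: str) -> str:
    """Lowercase only the host component; service and realm stay as given."""
    service, host, realm = split_principal(name)
    host = normalize_host(host)
    out = service if host is None else f"{service}/{host}"
    return out if realm is None else f"{out}@{realm}"


def resolve_keytab(
    name: str,
    keytabs: Dict[str, str] = KEYTABS,
    default: Optional[str] = None,
    *,
    normalize: bool = False,
) -> Tuple[Optional[str], str]:
    """Emulate the lookup order from the TRACE log: exact name, host-only, default.

    Returns (keytab, step) where step is 'exact', 'host', 'default' or 'none'.
    With normalize=False the comparison is byte-exact, which is what fails
    in the issue; with normalize=True the host is lowercased first.
    """
    if normalize:
        name = normalize_principal(name)

    # Step 1: "No mapping for name ... attempting to use host only match."
    if name in keytabs:
        return keytabs[name], "exact"

    # Step 2: "No mapping for host ... attempting to use default."
    _, host, _ = split_principal(name)
    if host is not None:
        for configured, keytab in keytabs.items():
            _, configured_host, _ = split_principal(configured)
            if configured_host == host:
                return keytab, "host"

    # Step 3: "No KeytabService available for host ..." unless a default exists.
    if default is not None:
        return default, "default"
    return None, "none"


if __name__ == "__main__":
    requested = "remote/localhost.Localdomain"  # what the client sent per the log
    print("exact-case lookup :", resolve_keytab(requested))
    print("normalised lookup :", resolve_keytab(requested, normalize=True))
```

Running the block prints `(None, 'none')` for the byte-exact lookup, which is the failure path in the log, and `('/path/to/krb.keytab', 'host')` once the host has been lowercased; the realm-less name the client sends still cannot match the full principal exactly, so the host-only step is the one that succeeds.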

Lin Gao (rhn-engineering-lgao)
Martin Choma (mchoma@redhat.com)