WildFly Core
WFCORE-2477

Legacy Kerberos in management, regression in choosing keytab strategy


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Affects Version/s: 3.0.0.Beta12
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None

      1. Set up Kerberos for the management interface: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/how-to-set-up-sso-with-kerberos/#configure-krb-management-interfaces
      2. Configure the for-hosts attribute

      standalone.xml
                  <security-realm name="PriorityForHostsProtocolBeforePrincipal">
                      <server-identities>
                          <kerberos>
                              <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
                              <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
                          </kerberos>
                      </server-identities>
                  </security-realm>

      3. <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/> should be chosen, but <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/> is.


      There is a regression in the strategy for choosing the keytab, as described by the xsd:

      wildfly-config_5_0.xsd
                  <xs:element name="keytab">
                      <xs:complexType>
                          <xs:annotation>
                              <xs:documentation>
                                  Reference to an individual keytab.

                                  On handling the authentication for an incoming request two pieces of information are known, the protocol and the name of the host
                                  this server is acting as.  For HTTP requests the protocol will always be HTTP, for requests over Remoting by default the protocol will
                                  be 'remote' although this can be overridden.

                                  At the time authentication is going to be handled the keytab will be selected as follows: -
                                   1 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching protocol/hostname.
                                   2 - Iterate the list of keytabs and identify one where the name of the principal matches protocol/hostname.
                                   3 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching hostname.
                                   4 - Iterate the list of keytabs and identify one where the hostname portion of the principal matches the hostname of the request.
                                   5 - Use the keytab where for-hosts is set to '*'.

                                  If no match is found no keytab will be selected and Kerberos will not be available for communication as that host.
                              </xs:documentation>
                          </xs:annotation>
                      </xs:complexType>
                  </xs:element>

      In this example:

      standalone.xml
                  <security-realm name="PriorityForHostsProtocolBeforePrincipal">
                      <server-identities>
                          <kerberos>
                              <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
                              <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
                          </kerberos>
                      </server-identities>
                  </security-realm>

      Rule 1 should be applied, but <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/> is chosen:

      server.log
      10:28:40,743 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
      10:28:40,744 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
      10:28:40,744 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      10:28:40,745 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      10:28:40,745 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      10:28:40,745 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      10:28:40,847 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
      10:28:40,848 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
      10:28:40,848 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      10:28:40,848 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      10:28:40,849 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      10:28:40,849 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      

      In this example:

      standalone.xml
                  <security-realm name="PriorityProtocolPrincipalBeforeForHosts">
                      <server-identities>
                          <kerberos>
                              <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wronghost"/>
                              <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>
                          </kerberos>
                      </server-identities>
                  </security-realm>

      Rule 2 should be applied, but <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/> is chosen:

      server.log
      10:29:21,889 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
      10:29:21,890 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
      10:29:21,890 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
      10:29:21,890 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
      10:29:21,891 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
      10:29:21,891 INFO  [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
      10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
      10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
      10:29:21,957 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
      10:29:21,957 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
      10:29:21,958 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
      10:29:21,958 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
      10:29:21,959 INFO  [stdout] (management task-9) Entered Krb5Context.acceptSecContext with state=STATE_NEW
      10:29:21,960 INFO  [stdout] (management task-9) Looking for keys for: HTTP/wronghost@JBOSS.ORG
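      The following is an added example, not code from the report or from WildFly: it models the five-rule selection strategy documented in wildfly-config_5_0.xsd and runs it over the two security-realm snippets above (embedded as constructed, well-formed XML). It also runs the same rules with the lookup key the TRACE lines show, 'http/localhost.localdomain' with a lower-case protocol; with case-sensitive matching that key skips rules 1 and 2 and lands on rules 4 and 3 respectively, which is exactly the selection the two logs record. That is consistent with the regression sitting in how the protocol/hostname key is built rather than in the rule order, but the page does not confirm the root cause. The handling of for-hosts as a whitespace- or comma-separated list is an assumption.

```python
"""Keytab selection strategy from wildfly-config_5_0.xsd, modelled in Python (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed input: the two <security-realm> examples from the report, closed so they
# parse, and wrapped in one root element for convenience.
SAMPLE_XML = """
<realms>
  <security-realm name="PriorityForHostsProtocolBeforePrincipal">
    <server-identities>
      <kerberos>
        <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
        <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
      </kerberos>
    </server-identities>
  </security-realm>
  <security-realm name="PriorityProtocolPrincipalBeforeForHosts">
    <server-identities>
      <kerberos>
        <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wronghost"/>
        <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>
      </kerberos>
    </server-identities>
  </security-realm>
</realms>
"""


@dataclass(frozen=True)
class Keytab:
    principal: str
    path: str
    for_hosts: tuple  # entries of the for-hosts attribute


def load_realms(xml_text: str) -> dict:
    """Map realm name -> list of Keytab in document order (order matters for selection)."""
    realms = {}
    for realm in ET.fromstring(xml_text).iter("security-realm"):
        keytabs = []
        for kt in realm.iter("keytab"):
            # Assumption: for-hosts entries are separated by whitespace and/or commas.
            hosts = tuple(h for h in kt.get("for-hosts", "").replace(",", " ").split() if h)
            keytabs.append(Keytab(kt.get("principal"), kt.get("path"), hosts))
        realms[realm.get("name")] = keytabs
    return realms


def principal_name(principal: str) -> str:
    """'HTTP/host@REALM' -> 'HTTP/host' (realm stripped)."""
    return principal.split("@", 1)[0]


def principal_host(principal: str) -> str:
    """'HTTP/host@REALM' -> 'host'; a principal without a '/' has no host part."""
    name = principal_name(principal)
    return name.split("/", 1)[1] if "/" in name else ""


def select_keytab(keytabs, protocol: str, hostname: str):
    """Apply the five documented rules in order; return (rule number, Keytab) or (None, None)."""
    wanted = f"{protocol}/{hostname}"
    rules = [
        lambda k: wanted in k.for_hosts,                    # 1: for-hosts contains protocol/hostname
        lambda k: principal_name(k.principal) == wanted,    # 2: principal name is protocol/hostname
        lambda k: hostname in k.for_hosts,                  # 3: for-hosts contains hostname
        lambda k: principal_host(k.principal) == hostname,  # 4: host part of principal matches
        lambda k: "*" in k.for_hosts,                       # 5: wildcard for-hosts
    ]
    for number, matches in enumerate(rules, start=1):
        for kt in keytabs:
            if matches(kt):
                return number, kt
    return None, None  # no keytab: Kerberos unavailable for that host


def expected_and_observed(realm_name: str):
    """Documented lookup ('HTTP/host') next to the lower-cased key the TRACE lines show."""
    keytabs = load_realms(SAMPLE_XML)[realm_name]
    documented = select_keytab(keytabs, "HTTP", "localhost.localdomain")
    as_logged = select_keytab(keytabs, "http", "localhost.localdomain")
    return documented, as_logged


if __name__ == "__main__":
    for name in ("PriorityForHostsProtocolBeforePrincipal", "PriorityProtocolPrincipalBeforeForHosts"):
        (rule, kt), (rule_logged, kt_logged) = expected_and_observed(name)
        print(f"{name}: documented rule {rule} -> {kt.principal}; "
              f"lower-cased key hits rule {rule_logged} -> {kt_logged.principal}")
```

      For the first realm the documented rules pick the HTTP/wronghost keytab via rule 1, while the lower-cased key falls through to rule 4 and the HTTP/localhost.localdomain keytab; for the second realm the documented rules pick HTTP/localhost.localdomain via rule 2, while the lower-cased key falls through to rule 3 and HTTP/wronghost. A quick way to verify a fix is to run the same two realms and check that the TRACE line reports a protocol/hostname mapping instead of the "attempting to use host only match" fallback.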
      

              Assignee: Darran Lofthouse (darran.lofthouse@redhat.com)
              Reporter: Martin Choma (mchoma@redhat.com)
              Votes: 0
              Watchers: 2