Java Keytab中的Kerberos用户主体和带有JAAS的KDC
我正在构建一个简单的Jaas登录模块。这将使用以下代码:Java Keytab中的Kerberos用户主体和带有JAAS的KDC,java,kerberos,jaas,Java,Kerberos,Jaas,我正在构建一个简单的Jaas登录模块。这将使用以下代码: public class Jaas { private static String name; private static final boolean verbose = false; public static void main(String[] args) throws Exception { if (args.length > 0) { name = arg
public class Jaas {
private static String name;
private static final boolean verbose = false;
public static void main(String[] args) throws Exception {
if (args.length > 0) {
name = args[0];
} else {
name = "client";
}
// Create action to perform
PrivilegedExceptionAction action = new MyAction();
loginAndAction(name, action);
}
static void loginAndAction(String name, PrivilegedExceptionAction action)
throws LoginException, PrivilegedActionException {
// Create a callback handler
CallbackHandler callbackHandler = new TextCallbackHandler();
LoginContext context = null;
try {
// Create a LoginContext with a callback handler
context = new LoginContext(name, callbackHandler);
// Perform authentication
context.login();
} catch (LoginException e) {
System.err.println("Login failed");
e.printStackTrace();
System.exit(-1);
}
// Perform action as authenticated user
Subject subject = context.getSubject();
if (verbose) {
System.out.println(subject.toString());
} else {
System.out.println("Authenticated principal: " +
subject.getPrincipals());
}
Subject.doAs(subject, action);
context.logout();
}
// Action to perform
static class MyAction implements PrivilegedExceptionAction {
MyAction() {
}
public Object run() throws Exception {
// Replace the following with an action to be performed
// by authenticated user
System.out.println("Performing secure action ...");
return null;
}
}
}
这是通过以下方式运行的:
java -Djava.security.auth.login.config=jaas-krb5.conf Jaas client
jaas-krb5:
client{
com.sun.security.auth.module.Krb5LoginModule required
principal="name@Host.COM";
};
server{
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
KeyTab=myKeyTab.keytab
principal="host.name.com";
};
在myKeyTab中,我们有以下原则:
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 4 name@Host.COM
因此,我已经编译并运行了,但在登录时,我总是会收到一个错误:
Kerberos password for name@Host.COM: //I enter the password
Login failed
使用stacktrace:
javax.security.auth.login.LoginException: Cannot get kdc for realm Host.COM
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at Jaas.loginAndAction(Jaas.java:77)
at Jaas.main(Jaas.java:61)
Caused by: KrbException: Cannot get kdc for realm Host.COM
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:174)
at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:431)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:400)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
我的问题是:
我想我对KDC/Keytab和用户条目之间发生的事情有一个基本的误解。我的理解是,主体是验证的对象,如果是,我如何输入新主体并分配密码
我的目标是简单地将一个测试主体添加到keytab中,并将其用于运行此登录脚本。看起来您做出了一个错误的假设 主体是用户名+Kerberos域(或active directory域)。这可能与DNS域的值相同,也可能不同。但从根本上说,它们是完全不同的东西。在您的特定情况下,您的kerberos领域似乎是
intranet.barcapint.com
。但是,您的keytab包含name@host.com
。由于这个原因,Jaas Kerberos客户端会忽略键表中的内容,并返回到默认的领域解析。而且您的领域到域的映射似乎被破坏了,所以它找不到KDC,并且由于上面的错误而失败。因此,您得到了内部异常
要修复上述所有问题,首先需要修复域到领域的映射。如何做到这一点取决于操作系统。在Unix系统上,您应该检查Windows上的/etc/krb5.conf
,它是c:\Windows\krb5.ini
。但它可能在别的地方。查看更多信息
另一件事是,对于无人值守的服务器,您只需要键盘。这只是存储kerberos密钥的方便方法。我建议首先让服务器和客户机像上面那样使用textcallback工作。一旦您得到了这个,您就可以继续为服务器使用keytab了