
I want to disable the replay cache during context establishment in Kerberos (JGSS) to avoid the "Request is a replay (34)" exception. JGSS provides the method requestReplayDet() to be called on the initiator side, but this works only to detect replay of tokens passed after context establishment (not during context establishment).

In CGSS we have environment variable KRB5RCACHENAME which can be set to none but in Java GSS it doesn't work.

(Edit) Support added in Java 8: https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html -> "-Dsun.security.krb5.rcache=none"

Cerberuz
  • I have answered something similar already here. Please search for my Kerberos-related answers. – Michael-O Feb 28 '13 at 18:44
  • Yes, I've seen it: http://stackoverflow.com/questions/14433628/how-to-disable-kerberos-replay-cache-in-java But as already specified by me, requestReplayDet() only works after context establishment. – Cerberuz Mar 01 '13 at 04:59
  • Does this make a difference? Why aren't you generating new auth token? – Michael-O Mar 01 '13 at 09:35
  • Yes, it's different. context.requestReplayDet(false) doesn't prevent the replay exception during context establishment. With several threads using the same client principal, it may happen that the replay attack detected is a false positive. Generating a new auth token doesn't guarantee a unique timestamp with multiple threads. I want to disable the replay cache and use some other custom mechanism to detect replay. – Cerberuz Mar 01 '13 at 10:35
  • Why aren't you creating one context per thread? A GSSContext is not thread-safe! – Michael-O Mar 01 '13 at 10:45
  • I am using a separate context for each thread. For replay detection JGSS just checks if multiple context establishment requests from a client have the same timestamp in the authenticator. So different contexts established using different threads with the same client principal should only differ in terms of the timestamp from the server's point of view. – Cerberuz Mar 01 '13 at 11:20
  • Is that implemented differently in MIT or Heimdal Kerberos? – Michael-O Mar 01 '13 at 14:12
  • No, but MIT Kerberos provides a way to disable the replay cache by setting KRB5RCACHENAME=none in environment variables. So, multiple auth requests with the same timestamp are allowed. – Cerberuz Mar 01 '13 at 17:47
  • Ok, then you should raise a ticket with Oracle in the public bug database and contact the security-dev mailing list from OpenJDK. This is where Oracle devs hang around. – Michael-O Mar 01 '13 at 21:43
  • Sent a mail to OpenJDK security-dev, also posted the problem in the Oracle forum. Looks like the public bug database is only for those having a support contract. – Cerberuz Mar 04 '13 at 05:25
  • Please provide a link to the mailing list entry. – Michael-O Mar 04 '13 at 08:33
  • It's being held until the moderator's approval. It will appear here I guess: http://mail.openjdk.java.net/pipermail/security-dev/2013-March/date.html#start – Cerberuz Mar 04 '13 at 10:50
  • Just read Weijun's answer. Looks promising, right? – Michael-O Mar 05 '13 at 20:04
  • Yeah, it looks like in a future release of OpenJDK it will be available. But what about Sun JDK, do they follow the updates in OpenJDK? – Cerberuz Mar 06 '13 at 02:35
  • You mean Oracle JDK. As far as I know, they but. What you can do is put that patched code in a jar and load it from an endorsed classpath. That should work too. Did you actually say `storeKey=false` in your login module? – Michael-O Mar 06 '13 at 07:27
  • I am using storeKey=true. – Cerberuz Mar 06 '13 at 17:25
  • I haven't tried, but I don't think it will work as it's related to storing credentials of the subject. – Cerberuz Mar 07 '13 at 05:44
  • @Cerberuz - my requirement is similar - I need to use the same Kerberos ticket received from the client (in my case, a browser), to be passed to multiple modules, each module verifies the ticket on its own. Currently the "Request is a replay (34)" error is thrown on calling "context.acceptSecContext" twice on the same ticket. Any hints are highly appreciated. I saw your mail there, did you figure out the solution to your problem? – Bhushan Karmarkar Dec 06 '19 at 08:59
  • Set JVM option => "-Dsun.security.krb5.rcache=none" (Java 8 - https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html) – Cerberuz Dec 10 '19 at 06:46
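Added example (not code from the question, from JGSS or from MIT Kerberos): a small Python model of the failure mode discussed in the comments. A replay cache keyed only on client, server and authenticator timestamp rejects a second, distinct request from another thread that happens to carry the same timestamp, while a cache keyed on a hash of the whole authenticator still catches an exact replay without that false positive. The Authenticator fields, principal names and timestamps are constructed; the real JGSS cache logic is not reproduced.

```python
import hashlib
import threading
from dataclasses import dataclass

# Constructed model of an AP-REQ authenticator: only the fields a replay
# cache looks at. Real authenticators carry more (subkey, seq number, cksum).
@dataclass(frozen=True)
class Authenticator:
    client: str     # client principal
    server: str     # service principal the ticket is for
    ctime: int      # client timestamp, seconds
    cusec: int      # microseconds
    nonce: bytes    # stands in for the rest of the encrypted authenticator

class ReplayCache:
    """Thread-safe replay cache; key_fn decides what 'the same request' means."""
    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._seen = set()
        self._lock = threading.Lock()

    def accept(self, auth):
        """Return True if the authenticator is new, False if it is a replay."""
        key = self._key_fn(auth)
        with self._lock:
            if key in self._seen:
                return False
            self._seen.add(key)
            return True

# Timestamp-only key: two distinct requests from concurrent threads that
# share ctime/cusec collide here, which is the false positive from the comments.
def timestamp_key(a):
    return (a.client, a.server, a.ctime, a.cusec)

# Hash over the whole authenticator: an exact replay (identical bytes) still
# collides, but distinct concurrent requests with equal timestamps do not.
def hash_key(a):
    h = hashlib.sha256()
    for part in (a.client, a.server, str(a.ctime), str(a.cusec)):
        h.update(part.encode())
    h.update(a.nonce)
    return h.hexdigest()

def simulate(key_fn):
    """Two concurrent requests with equal timestamps, then a real replay of the first."""
    cache = ReplayCache(key_fn)
    first = Authenticator("svc@EXAMPLE.COM", "HTTP/app@EXAMPLE.COM", 1362049200, 0, b"\x01")
    second = Authenticator("svc@EXAMPLE.COM", "HTTP/app@EXAMPLE.COM", 1362049200, 0, b"\x02")
    return (cache.accept(first), cache.accept(second), cache.accept(first))
```

simulate(timestamp_key) returns (True, False, False): the second thread's legitimate request is rejected. simulate(hash_key) returns (True, True, False): both threads succeed and only the genuine replay is refused.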
