I have a Java API that talks to the Kerberos server and performs various operations. As of now, my API requests non-renewable tickets from the Kerberos server. From what I understand, the JAAS config file has an option to set the `renewTGT` option to true so that a renewable ticket can be issued. However, JAAS seems to have a lot of restrictions on setting the "renewUntil" time. Can anyone please tell me how we can request a renewable ticket and also control its renewability? Basically, is there a way we can perform a Java equivalent of the operation `kinit -R`? Thanks in advance.
Viewed 2,175 times
2
- Actually, the `renewTGT` should do. Why don't you enable logging and use Wireshark to see what Java really does? – Michael-O Aug 18 '13 at 07:51
- Thanks Michael. I did enable logging and I tried capturing the request/response using Wireshark. The ticket being requested is a non-renewable one even after setting `renewTGT` to true. Is there any other configuration that needs to be performed? – user2690793 Aug 20 '13 at 17:36
- This may be a setting in your KDC. Ask your admin for that. – Michael-O Aug 20 '13 at 18:25
- As of JDK7 (1.7.0_55) `renewTGT` is only available when `useTicketCache=true`, and then only applies to tickets fetched from the (native) ticket cache. This implies that you have used something like `kinit` or a Windows login to obtain the ticket, and does the equivalent of `kinit -R`. Per my answer below, there is currently no way of obtaining renewable tickets and having those renewed with JAAS-obtained tickets. – javabrett Sep 08 '14 at 00:42
1 Answer
4
As of JDK7 (1.7.0_55), JAAS `Krb5LoginModule` does not provide any option to request a renewable TGT when authenticating, so this is not currently possible using JAAS. You might be able to achieve this, but you would need to use the internal Kerberos classes directly, bypassing JAAS.

Internally, `Krb5LoginModule` instantiates a `sun.security.krb5.KrbAsReqBuilder` to obtain credentials using either a provided password, or a keyTab. `KrbAsReqBuilder` has a `setOptions(KDCOptions options)` method, but this is not called in the login module. If it could be accessed, you could call `KDCOptions#set(KDCOptions.RENEWABLE, true)`, and I would then expect the returned ticket to be renewable, if the KDC is configured to allow renewable tickets.

javabrett
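The approach the answer sketches, written out as an added example (not code from the answer or from the JDK): it drives the internal `KrbAsReqBuilder` directly, sets the `RENEWABLE` KDC option that `Krb5LoginModule` never sets, and then performs the `kinit -R` equivalent with `Credentials.renew()`. It assumes the `sun.security.krb5` internals as they appear in the JDK 7/8 sources (`KrbAsReqBuilder(PrincipalName, char[])`, `action()`, `getCreds()`, `Credentials.isRenewable()`, `Credentials.renew()`); those classes are unsupported and may change between releases, and on JDK 9+ they also need `--add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED` (and the same for `sun.security.krb5.internal`).

```java
import java.io.Console;
import sun.security.krb5.Credentials;
import sun.security.krb5.KrbAsReqBuilder;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.KDCOptions;

// Added example: request a renewable TGT by bypassing Krb5LoginModule.
// Relies on unsupported sun.* internals (assumed from JDK 7/8 sources).
public class RenewableTgt {

    // AS exchange for 'principal' with its password, asking the KDC for the
    // RENEWABLE flag. The KDC may still hand back a non-renewable ticket if
    // its policy (e.g. max_renewable_life) forbids renewal; check isRenewable().
    static Credentials requestRenewableTgt(String principal, char[] password) throws Exception {
        PrincipalName cname = new PrincipalName(principal);
        KrbAsReqBuilder builder = new KrbAsReqBuilder(cname, password);
        try {
            KDCOptions options = new KDCOptions();
            options.set(KDCOptions.RENEWABLE, true);   // what kinit -r sets; never set by the login module
            builder.setOptions(options);               // the call Krb5LoginModule does not make
            builder.action();                          // sends AS-REQ, handles pre-auth, receives AS-REP
            return builder.getCreds();
        } finally {
            builder.destroy();                         // wipe key material held by the builder
        }
    }

    // Java equivalent of kinit -R: a TGS exchange with the RENEW option,
    // returning a fresh TGT whose lifetime is bounded by the original renew-till.
    static Credentials renewTgt(Credentials tgt) throws Exception {
        if (!tgt.isRenewable()) {
            throw new IllegalStateException("TGT is not renewable; KDC policy refused RENEWABLE");
        }
        return tgt.renew();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        String principal = args.length > 0 ? args[0] : console.readLine("Principal: ");
        char[] password = console.readPassword("Password for %s: ", principal);
        try {
            Credentials tgt = requestRenewableTgt(principal, password);
            System.out.println("renewable=" + tgt.isRenewable() + " renewTill=" + tgt.getRenewTill());
            Credentials renewed = renewTgt(tgt);       // would fail fast on a non-renewable TGT
            System.out.println("renewed, new endTime=" + renewed.getEndTime());
        } finally {
            java.util.Arrays.fill(password, '\0');     // do not leave the password in the heap
        }
    }
}
```

Confirm the result on the wire as Michael-O suggests: the AS-REQ's kdc-options should now carry the renewable bit, and the returned ticket's flags (or `klist -f` on an exported cache) should show it as renewable.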