Kerberos TGT From Memory

I am rather new to Kerberos. Our workstations, when logging in, already have a TGT stored in memory. I have been trying to find a way to pull this information from the memory cache. Is this even possible? If so, where should I begin? Thanks!
By jjhusa01a at 2007-11-27 0:09:32
# 1
The Java Krb5LoginModule allows you to use the native in-memory Kerberos ticket. For details refer to the Java GSS programming guide: http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/index.html

Seema
Seema-1a at 2007-7-11 16:09:48 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
# 2
Thanks for the quick reply.
jjhusa01a at 2007-7-11 16:09:48
# 3

I'm still doing something wrong. I have a simple login setup to authenticate. However, it is still prompting for my password.

I got this error:

Kerberos password for <principal>: <password>
Authentication failed:
Pre-authentication information was invalid (24) - PREAUTH_FAILED

In my client config:

com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    principal="<principal>";

If I add doNotPrompt=true, then I get:

Authentication failed:
Unable to obtain password from user

jjhusa01a at 2007-7-11 16:09:48
# 4

Here is my debug output:

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is isInitiator true KeyTab is null refreshKrb5Config is false principal is <principal> tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is <principal>
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain password from user
Authentication failed:
Unable to obtain password from user

jjhusa01a at 2007-7-11 16:09:48
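The posts above show the Krb5LoginModule settings (useTicketCache=true, doNotPrompt=true) and the debug trace that appears when the module cannot find a TGT in the cache ("Acquire TGT from Cache ... null credentials from Ticket Cache"). The following is an added example, not code from the thread or from the JDK documentation, that puts those settings into a self-contained program: it builds the JAAS configuration in code instead of a login.conf file, resolves the cache from KRB5CCNAME the way the later posts describe it (FILE:/tmp/krb5cc_uid works, other cache types do not), logs in without ever prompting, prints the TGT it found, and then uses it as a GSS-API initiator credential. The entry name "TgtFromCache" is an arbitrary choice; the realm and KDC are assumed to come from /etc/krb5.conf.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/*
 * Added example (not from the thread): log in with Krb5LoginModule using only the
 * TGT already in the native credential cache, never prompting for a password, then
 * expose that TGT as a GSS-API initiator credential.
 *
 * Assumptions: KRB5CCNAME is unset (the JDK then looks for /tmp/krb5cc_<uid>) or
 * names a FILE: cache; realm and KDC come from /etc/krb5.conf (or the
 * java.security.krb5.realm / java.security.krb5.kdc system properties).
 * "TgtFromCache" is an arbitrary JAAS entry name chosen for this example.
 */
public class TgtFromCache {

    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /* Programmatic equivalent of the login.conf entry
     *   TgtFromCache {
     *     com.sun.security.auth.module.Krb5LoginModule required
     *       useTicketCache=true doNotPrompt=true [ticketCache="/path"];
     *   };
     * so the example runs without an external configuration file. */
    static Configuration cacheOnlyConfig(final String ticketCache) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true");
                opts.put("doNotPrompt", "true"); // fail loudly rather than ask for a password
                opts.put("debug", "true");       // prints "Acquire TGT from Cache" and the result
                if (ticketCache != null) {
                    opts.put("ticketCache", ticketCache);
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /* Returns the file path to hand to ticketCache, or null to let the JDK pick the
     * default. Only FILE: caches are readable by Krb5LoginModule on Linux; any other
     * type (PIPE:, KCM:, DIR:) is reported and the default file cache is tried. */
    static String cachePathFromEnv(String krb5ccname) {
        if (krb5ccname == null || krb5ccname.isEmpty()) {
            return null;
        }
        if (krb5ccname.startsWith("FILE:")) {
            return krb5ccname.substring("FILE:".length());
        }
        if (krb5ccname.indexOf(':') < 0) {
            return krb5ccname; // bare path, treated as a file
        }
        System.err.println("Krb5LoginModule cannot read cache type " + krb5ccname
                + "; trying the default file cache");
        return null;
    }

    public static void main(String[] args) throws LoginException, PrivilegedActionException {
        String cachePath = cachePathFromEnv(System.getenv("KRB5CCNAME"));
        LoginContext lc = new LoginContext("TgtFromCache", null, null, cacheOnlyConfig(cachePath));
        lc.login(); // "Unable to obtain password from user" here means no usable TGT was found

        Subject subject = lc.getSubject();
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket t : tickets) {
            System.out.println("client  = " + t.getClient());
            System.out.println("server  = " + t.getServer());         // krbtgt/REALM@REALM for the TGT
            System.out.println("expires = " + t.getEndTime());
            System.out.println("etype   = " + t.getSessionKeyType()); // 17/18 = AES, 16 = 3DES
        }

        // Use the cached TGT through GSS-API inside the logged-in Subject.
        GSSCredential cred = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
            public GSSCredential run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        new Oid(KRB5_MECH_OID), GSSCredential.INITIATE_ONLY);
            }
        });
        System.out.println("GSS initiator credential for " + cred.getName()
                + ", " + cred.getRemainingLifetime() + " s remaining");
        lc.logout();
    }
}
```

Run it with the cache set explicitly (KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u) java TgtFromCache) and the debug line will read "Acquire TGT from Cache" followed by the principal; with a PIPE: value it falls back to the default file location and, if that file does not exist, fails with exactly the "Unable to obtain password from user" message from the debug post, because doNotPrompt=true forbids the password fallback. If the KDC only issues AES-256 tickets and the JVM lacks that enctype, the same login fails even with a valid cache, so check the printed etype against what the JVM supports.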
# 5
I got it working. Apparently, it had to do with encryption. We are using Java 1.5 and it doesn't support AES256. I adjusted it to use Triple DES and it worked fine. However, I cannot read it from the PIPE cache.
jjhusa01a at 2007-7-11 16:09:48
# 6

Sorry to bump this. But between looking for information and feeling I may not have accurately described my problem, I decided to post again, hopefully giving a clearer picture of what I am looking at.

First, let me try to explain what I am working with.

OS: RedHat Enterprise & CentOS
Location of TGT: PIPE:#### stored in memory
Java Version: Java(TM) SE Runtime Environment (build 1.6.0_01-b06)

At log on, the PIPE is created in memory and given a four digit number. This is where the credential cache is stored. From what I understand, this is most likely considered an "unnamed" pipe. Therefore, only the parent/child processes can access this. I believe this is where my problem is coming from. I need a separate Java application to access this and authenticate to use other Java applications.

I have used the examples Seema has posted. I can get it to work with only a file Ccache. I generally set the file to /tmp/krb5cc_uid. I have been able to test and authenticate this way. Again, once I move it to the PIPE, I cannot read the Ccache.

Moving this to a file is out of the question. For security reasons (most likely the reason I am having my problems), it must stay in this form.

jjhusa01a at 2007-7-11 16:09:48
# 7
The Java Krb5LoginModule can read Kerberos tickets from the following native ticket caches:
- File-based ticket cache
- Windows in-memory ticket cache using the LSA API

Can you send me the details of your in-memory ticket cache on Linux?

Seema
Seema-1a at 2007-7-11 16:09:48
# 8

Seema,

You'll have to excuse me. My Linux/Unix programming is limited to classroom experience in which we never covered anything like this.

What information are you looking for about the ticket cache?

From what I know, it's a credential cache stored in a pipe in memory.

At login a PIPE is initialized. Kinit, which is the child of kshell, creates the pipe. The name of this pipe is stored in the KRB5CCNAME variable. When it was a file cache, it was "FILE:/tmp/krb5cc_uid". Now it is set to "PIPE:XXXX" where XXXX is an integer. Just for an example, we'll use 1234. In the Linux environment, KRB5CCNAME=PIPE:1234.

The PIPE will store the exact same information as the krb5cc_uid file would.

I think the problem stems from the Java applications not being children of the shell that created the pipe.

I can run kshell to create a new shell and kinit under that. That will set up another pipe to store my ticket.

jjhusa01a at 2007-7-11 16:09:48
# 9
I solved my problem. I was unaware the pipe was written by an internal programmer. I have gotten in contact with him and am solving my problem.
jjhusa01a at 2007-7-11 16:09:48