Krb5LoginModule accepts any password for a valid user


Our jaas.config is straightforward:

Our_Kerberos {
        com.sun.security.auth.module.Krb5LoginModule REQUIRED
                useTicketCache=false
                refreshKrb5Config=true;
};

Earlier testing confirmed that a wrong password does not work and the correct password does, just as one would expect.

However, we have just noticed that once a user has logged in with the correct password, he (or anyone else who knows his login name) can also log in with a wrong password... until the application is restarted...

What are we doing wrong here? This is JDK-11.0.22 on RedHat-7. The Kerberos server is Active Directory...

On the first (unsuccessful) attempt with a wrong password, we see the following log entries on the server:

2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO - >>> KdcAccessibility: remove wt00.prod.example.net.:88
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO - >>> KDCRep: init() encoding tag is 126 req type is 11
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO - >>>KRBError:
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO -          sTime is Wed Apr 17 14:49:32 EDT 2024 1713379772000
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO -          suSec is 954940
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO -          error code is 25
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO -          error Message is Additional pre-authentication required
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO -          sname is krbtgt/[email protected]
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO -          eData provided.
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO -          msgType is 30
2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO - >>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = PROD.EXAMPLE.NETa....b, s2kparams = null

2024-04-17 14:49:32,175 [Thread-24 - Worker-1] console : INFO - >>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
2024-04-17 14:49:32,176 [Thread-24 - Worker-1] console : INFO - >>>Pre-Authentication Data:
         PA-DATA type = 16

2024-04-17 14:49:32,176 [Thread-24 - Worker-1] console : INFO - >>>Pre-Authentication Data:
         PA-DATA type = 15

2024-04-17 14:49:32,176 [Thread-24 - Worker-1] console : INFO - KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ

But later, after one successful login, every subsequent log entry becomes much shorter:

2024-04-17 14:49:53,683 [Thread-24 - Worker-1] console : INFO - Java config name: null
2024-04-17 14:49:53,683 [Thread-24 - Worker-1] console : INFO - Native config name: /etc/krb5.conf
2024-04-17 14:49:53,684 [Thread-24 - Worker-1] console : INFO - Loading krb5 profile at /etc/krb5.conf
2024-04-17 14:49:53,684 [Thread-24 - Worker-1] console : INFO - Loaded from native config
2024-04-17 14:49:53,684 [Thread-24 - Worker-1] console : INFO - >>> KdcAccessibility: reset

How do we make it validate the supplied credentials every time?
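For comparison, here is a per-attempt password check built on the `Our_Kerberos` JAAS entry above. This is an added Java example, not code from the question; it assumes the jaas.config is passed via `-Djava.security.auth.login.config` and that Krb5LoginModule obtains the user name and password from a callback handler. Each call creates a fresh, empty Subject and a new LoginContext and logs the Subject out afterwards, so every check has to go through the AS-REQ / PA-ENC-TIMESTAMP exchange seen in the first log rather than reusing a TGT from an earlier attempt.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Arrays;

public final class KerberosPasswordCheck {

    /** Hands the user name and password to Krb5LoginModule (useTicketCache=false, so no cache is read). */
    private static CallbackHandler handlerFor(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /**
     * Returns true only if the KDC issued a TGT for this user with this password.
     * A new Subject and LoginContext are used on every call, and the Subject is
     * logged out afterwards, so a TGT from an earlier attempt cannot be reused.
     */
    public static boolean verify(String user, char[] password) {
        Subject subject = new Subject();           // fresh, empty Subject per attempt
        LoginContext lc = null;
        try {
            lc = new LoginContext("Our_Kerberos", subject, handlerFor(user, password));
            lc.login();                            // AS-REQ with PA-ENC-TIMESTAMP to the KDC
            // A successful login must have left a TGT in the Subject's private credentials.
            return !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        } catch (LoginException e) {
            return false;                          // KDC rejected the pre-authentication
        } finally {
            if (lc != null) {
                try { lc.logout(); } catch (LoginException ignored) { }
            }
            Arrays.fill(password, '\0');           // do not keep the password in memory
        }
    }
}
```

With `-Dsun.security.krb5.debug=true`, a call to `verify` should produce the full KDC exchange (KRBError 25 followed by the re-sent AS-REQ) on every attempt, which is the quickest way to confirm that a given login path actually contacts the KDC.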
