0

我尝试运行显示 Login-Dialog 并在 Kerberos 上登录的 OpenWebStart 应用程序。我得到“校验和失败”异常(见下文)。我在 VM (Centos7) 和 Kerberos 日志中运行 KDC,我看到 TGT 已成功创建:

Kerberos.kalna.ch krb5kdc[1132](Information): AS_REQ (6 etypes {18 17 16 23 1 3} 192.168.56.1: ISSUE authtime 1583736176 , etypes {rep=18 tkt=18 ses=18}, kada@KALNA.CH for krbtgt/KALNA.CH@KALNA.CH

Kerberos 配置如下(kdc.conf):

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 KALNA.CH = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

并且在客户端上是以下配置(krb5.conf):

[libdefaults]
forwardable = true
default_realm = KALNA.CH
udp_preference_limit = 1
kdc_timeout = 2000
allow_weak_crypto = true

[realms]
KALNA.CH = {
    kdc = Kerberos.kalna.ch
    default_domain = kalna.ch
}

[domain_realm]
 .kalna.ch = KALNA.CH
 kalna.ch = KALNA.CH

通过调试,我可以看到 TGT 很受欢迎,但随后执行校验和并失败。我曾尝试使用无限强度策略,但这并没有帮助。知道为什么校验和失败了吗?

任何帮助深表感谢。以下是 OpenWebStart 日志:

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false Refreshing Kerberos configuration 
    ... 30 more 
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100) 
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76) 
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272) 
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451) 
Caused by: java.security.GeneralSecurityException: Checksum failed 
    ... 23 more 
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770) 
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447) 
    at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310) 
    at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139) 
    at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:150) 
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) 
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94) 
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102) 
Caused by: KrbException: Checksum failed 
    at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:650) 
    at net.sourceforge.jnlp.Launcher.access$200(Launcher.java:69) 
    at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:400) 
    at java.lang.reflect.Method.invoke(Method.java:498) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587) 
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) 
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) 
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) 
    at java.lang.reflect.Method.invoke(Method.java:498) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618) 
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808) 
javax.security.auth.login.LoginException: Checksum failed 
        [Krb5LoginModule] authentication failed Checksum failed 
Mon Mar 09 07:42:56 CET 2020 [DEBUG  ] com.openwebstart.proxy.direct.DirectProxyProvider: Using NO_PROXY 

        [Krb5LoginModule] user entered username: kada@KALNA.CH
4

1 回答 1

0

我已经调试了 KrbAsRep.java,你是对的,KDC 发送以下 pAData。然后根据这些计算 Salt。但我不明白为什么会失败。

0 = {PAData@4691} ">>>Pre-Authentication Data:\n\t PA-DATA type = 19\n\t PA-ETYPE-INFO2 etype = 23, salt = KALNA.CHkada, s2kparams = null\n"
1 = {PAData@4692} ">>>Pre-Authentication Data:\n\t PA-DATA type = 3\n"
2 = {PAData@4693} ">>>Pre-Authentication Data:\n\t PA-DATA type = 11\n\t PA-ETYPE-INFO etype = 23, salt = KALNA.CHkada\n"
于 2020-03-10T09:28:00.810 回答