
Java and Kerberos

Developer https://www.devze.com 2023-01-17 17:37 Source: Internet

I would like to compare a String to the password of the currently authenticated user (encrypted keys comparison). It seems like retrieving password from the ticket cache but how can I do that?

Thank you


It is not possible to retrieve the password from information that is available on the client or anywhere in a Kerberos system. According to the Kerberos article on Wikipedia (which holds similar information to what I read at other sources) the user-entered password is hashed with a one-way function into something that serves as the secret from this point on. The secret is available at the key distribution center (KDC) and the ticket granting ticket (TGT) is symmetrically encrypted with this secret. To receive and use the TGT, a client has to provide the secret to decrypt the package - which is done by asking for the password from the user. After doing so, the TGT is decrypted and is saved in the ticket cache.

The TGT itself has parts encrypted with a secret only the KDC knows, it does not hold the password of the user. As, for example, this article from 2000 explains, the password is not stored in the ticket cache either - just parts from the TGT. From my understanding it is not possible to check the user password using the ticket cache.

You might want to write your own CallbackHandler to somehow reuse or provide the credentials programmatically, but from my understanding this might lead to security problems.

You might want to think about solving your problem with a totally different approach, but there is too little information to suggest any other solution.


I don't know if that's intended to be possible. That hash may be salted with a key known only to the server. What I'd try instead is to just authenticate using the user's id and the given String. If the server accepts the authentication request, the password was valid.
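The approach suggested in the answer above (attempt a fresh Kerberos login with the user's principal and the candidate String), sketched with JAAS as an added example that is not code from either answer. It assumes the realm and KDC are already configured through `krb5.conf` or the `java.security.krb5.realm` / `java.security.krb5.kdc` system properties; the class name, method name and the entry name `pwcheck` are hypothetical.

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class KerberosPasswordCheck {
    // Returns true only if the KDC accepts `candidate` as the password of `principal`.
    static boolean passwordMatches(String principal, char[] candidate) {
        // Ignore the ticket cache so an existing TGT cannot satisfy the login.
        Map<String, String> opts = Map.of(
            "useTicketCache", "false", "storeKey", "false", "doNotPrompt", "false");
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        // Supplies the principal and candidate password instead of prompting.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(candidate);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            LoginContext lc = new LoginContext("pwcheck", null, handler, conf);
            lc.login();   // AS exchange with the KDC using the candidate password
            lc.logout();  // discard the credentials obtained for the check
            return true;
        } catch (LoginException e) {
            // Also raised for an unknown principal or an unreachable KDC:
            // "false" means "not verified", not necessarily "wrong password".
            return false;
        } finally {
            Arrays.fill(candidate, '\0'); // wipe the caller's copy of the candidate
        }
    }

    public static void main(String[] args) {
        // Constructed usage: java KerberosPasswordCheck alice@EXAMPLE.COM
        char[] pw = System.console().readPassword("Candidate password: ");
        System.out.println(passwordMatches(args[0], pw) ? "match" : "no match");
    }
}
```

Each failed attempt is a real authentication failure at the KDC, so it may count toward the account's lockout policy.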
