Bug 1968485

Summary: OpenJDK kerberos implementation lacks behind in terms of modern features/standards
Product: Red Hat Enterprise Linux 9
Reporter: zzambers
Component: java-11-openjdk
Assignee: Martin Balao <mbalao>
Status: CLOSED WONTFIX
QA Contact: OpenJDK QA <java-qa>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: fdvorak, mbalao, ssorce
Target Milestone: beta
Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2022-12-07 07:27:53 UTC
Type: Bug

Description zzambers 2021-06-07 13:08:05 UTC
OpenJDK's Kerberos implementation lags behind in terms of modern features/standards. This problem was voiced by the Kerberos folks in another bug [1].

Lack of support for these was mentioned:
- support modern ccache types (KCM, the default in RHEL 8+, or KEYRING, the default in RHEL 7)
- modern preauth methods (SPAKE)
- futureproof encryption types (AES-SHA2)
- Microsoft compatibility (like NegoEx)

This bug was created to evaluate/discuss this problem.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1966204#c26

Comment 2 zzambers 2021-06-07 14:03:03 UTC
@rharwood could you please comment on severity/priority here? I mean, are we talking mostly about "nice to have" features, or are (some of) these urgent in the sense that they could (or are known to) cause Kerberos to no longer work with OpenJDK in the (near) future?

Comment 3 Robbie Harwood 2021-06-07 18:48:41 UTC
That's really up to you, and how much you want to be compatible.  For maximum compatibility, switch the default to use krb5 (I think this can be done with sun.security.jgss.native today).

The biggest missing thing is probably ccache types.  If memory serves, the pure-java implementation only supports FILE (and possibly DIR).  The RHEL 8+ default is KCM, and people use KEYRING as well since it's the default in RHEL 7 and serves a different use case.
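
A host-side check for the gap described in comment 3, as an added example that is not part of the original bug report or of OpenJDK: it works out which credential cache a process would use and whether the pure-Java JGSS provider can be expected to read it. Assumptions: the `JAVA_READABLE` table encodes only what comment 3 states (FILE yes, DIR uncertain), the fallback name is MIT krb5's upstream built-in default, `includedir` directives are not followed, and `-Djavax.security.auth.useSubjectCredsOnly=false` is the JDK property documented for use alongside `sun.security.jgss.native`.

```python
import re

# Per comment 3 (stated from memory there): FILE is readable, DIR only possibly.
JAVA_READABLE = {"FILE": True, "DIR": None, "KCM": False, "KEYRING": False}
MIT_BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"  # assumption: upstream MIT default

# Constructed sample mirroring the RHEL 8+ default mentioned in the bug.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KCM:
"""

def ccache_type(name):
    """Type prefix of a ccache name; a bare path (no TYPE: prefix) means FILE."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9_]+):", name)
    return m.group(1).upper() if m else "FILE"

def default_ccache_name(krb5_conf_text):
    """Return default_ccache_name from [libdefaults], or None if unset."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None

def assess(env, krb5_conf_text):
    """KRB5CCNAME overrides krb5.conf, which overrides the built-in default."""
    name = (env.get("KRB5CCNAME") or default_ccache_name(krb5_conf_text)
            or MIT_BUILTIN_DEFAULT)
    kind = ccache_type(name)
    readable = JAVA_READABLE.get(kind, False)  # unknown types: assume unreadable
    # Uncertain (None) or unreadable caches get the native-GSS flags suggested.
    flags = [] if readable else ["-Dsun.security.jgss.native=true",
                                 "-Djavax.security.auth.useSubjectCredsOnly=false"]
    return {"ccache": name, "type": kind,
            "pure_java_readable": readable, "jvm_flags": flags}

if __name__ == "__main__":
    import os
    print(assess(os.environ, SAMPLE_KRB5_CONF))
```

On a real host, pass the concatenated contents of `/etc/krb5.conf` and any files it includes instead of the sample text.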

Comment 6 RHEL Program Management 2022-12-07 07:27:53 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.