Bug 1287945 - Kerberos authentication for remoting on hostname which contains uppercase letter
Status: CLOSED DEFERRED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security, Remoting, Domain Management
Version: 6.4.5
Assigned To: jboss-set
Josef Cacek
Reported: 2015-12-03 00:39 EST by mchoma
Modified: 2017-02-20 09:30 EST

Doc Type: Bug Fix
Last Closed: 2017-02-20 09:30:15 EST
Type: Bug

Description mchoma 2015-12-03 00:39:42 EST
Description of problem:
When EAP runs on a server whose hostname contains an uppercase letter (e.g. localhost.Localdomain), it is impossible to make Kerberos authentication in remoting work properly.
The JDK constructs the TGT-REQ with a lowercase hostname, but the remoting client creates the connection to EAP with uppercase letters, which causes problems.

RFC4120 "The Kerberos Network Authentication Service"  [1] in chapter "6.2.1.  Name of Server Principals" requires "Where the name of the host is not case sensitive (for example, with Internet domain names) the name of the host MUST be lowercase."

Based on the information in the RFC, IMHO, EAP should handle such a scenario. Either the remoting client should send a lowercase hostname, or the security realm should map the principal case-insensitively and look for a lowercase keytab record, e.g. remote/localhost.localdomain.

[1] https://www.ietf.org/rfc/rfc4120.txt

Version-Release number of selected component (if applicable):
EAP 6.4.5

How reproducible:
On localhost.Localdomain, run from the AS TS:
./integration-tests.sh -Dts.manualmode -Dtest=KerberosInCLITestCase

Steps to Reproduce:
On a system whose host name contains an uppercase letter. E.g. locally edit /etc/hostname and /etc/hosts to localhost.Localdomain
1) CLI
    11) Set up the CLI secured with Kerberos to use the lowercase host

            <security-realm name="KerberosSecurityRealm">
                <server-identities>
                    <kerberos>
                        <keytab principal="remote/localhost.localdomain@JBOSS.ORG" path="/path/to/krb.keytab"/>
                    </kerberos>
                </server-identities>
                <authentication>
                    <kerberos/>
                </authentication>
            </security-realm>

    12) Start EAP
    13) Try to access the CLI
2) EJB
    21) Set up the remoting subsystem secured with a Kerberos realm to use the lowercase host

        <subsystem xmlns="urn:jboss:domain:remoting:3.0">
            <endpoint/>
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="TestKerberosRealm"/>
        </subsystem>
        <security-realm name="TestKerberosRealm">
            <server-identities>
                <kerberos>
                    <keytab principal="remote/localhost.localdomain@JBOSS.ORG" path="/path/to/krb.keytab" debug="true"/>
                </kerberos>
            </server-identities>
            <authentication>
                <kerberos/>
            </authentication>
        </security-realm>

    22) Deploy an app with an EJB, start EAP
    23) Try to access the deployment


Actual results:

Both scenarios lead to log messages such as:
17:28:56,922 TRACE [org.jboss.as.domain.management.security] (default I/O-3) No mapping for name 'remote/localhost.Localdomain' to KeytabService, attempting to use host only match.
17:28:56,922 TRACE [org.jboss.as.domain.management.security] (default I/O-3) No mapping for host 'localhost.Localdomain' to KeytabService, attempting to use default.
17:28:56,922 TRACE [org.jboss.as.domain.management.security] (default I/O-3) No KeytabService available for host 'localhost.Localdomain' unable to return SubjectIdentity.


Expected results:
Kerberos authentication working

Additional info:

Cloned from EAP7 issue https://issues.jboss.org/browse/JBEAP-1580
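
The name-then-host lookup seen in the TRACE messages above, modelled as an added example (not JBoss code and not part of the original report). The class and method names are hypothetical, and the keytab principal is assumed to be stored lowercase as RFC 4120 section 6.2.1 requires. It shows the exact-match lookup missing for localhost.Localdomain and the same lookup succeeding once the requested host is lowercased.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Illustrative model only: names here are hypothetical, not JBoss APIs.
public class KeytabLookupDemo {
    // Keytab principals indexed by "service/host" and by host alone (realm stripped).
    private final Map<String, String> byName = new HashMap<>();
    private final Map<String, String> byHost = new HashMap<>();

    void register(String principal) {
        int at = principal.indexOf('@');
        String name = at < 0 ? principal : principal.substring(0, at); // drop "@REALM"
        byName.put(name, principal);
        // With no '/', indexOf gives -1 and the whole name is treated as the host.
        byHost.put(name.substring(name.indexOf('/') + 1), principal);
    }

    // Case-sensitive lookup: full name first, then host only; null when nothing maps.
    String lookupExact(String protocol, String host) {
        String hit = byName.get(protocol + "/" + host);
        return hit != null ? hit : byHost.get(host);
    }

    // Lowercase the requested host before matching (RFC 4120, 6.2.1).
    // Locale.ROOT keeps the result independent of the JVM default locale
    // (under a Turkish locale "I" would otherwise lowercase to a dotless i).
    String lookupNormalized(String protocol, String host) {
        return lookupExact(protocol, host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        KeytabLookupDemo realm = new KeytabLookupDemo();
        realm.register("remote/localhost.localdomain@JBOSS.ORG"); // principal from the report

        String requested = "localhost.Localdomain"; // host as sent by the remoting client
        System.out.println("exact:      " + realm.lookupExact("remote", requested));
        System.out.println("normalized: " + realm.lookupNormalized("remote", requested));
    }
}
```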
