On 2024-05-09 00:13, Wei-Jun Wang wrote:
Hi Michael,
I've filed https://bugs.openjdk.org/browse/JDK-8331975. I plan to introduce a
system property to control the string comparison mode.
In my earlier reply I mentioned fixing keytab entry lookup no matter how the
comparison is done. I did some evaluation and the code change will be quite
big. The lookup of a long term service key is now divided in 2 steps: first
find the keys for the service, and then pinpoint the key with the correct kvno
and the etype. Unfortunately the name info is lost after the 1st step. In order
to do a case-sensitive preferred 2nd step search, the name has to be retained.
Also, if a vendor goes case-insensitive, in theory there is a probability that
between the 2 entries in the keytab actually the one that has a different case
is the right one! Who knows.
Therefore I decide not to implement this part and only rely on the system
property. If a program wants to work with a case-sensitive KDC that really has
service names only differ in case, please just turn this system property on.
I'd just like to add one more thing the matter how MIT Kerberos behaves:
# klist -kte | grep \\$
2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (DEPRECATED:des-cbc-crc)
2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (DEPRECATED:des-cbc-md5)
2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (aes128-cts-hmac-sha1-96)
2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
2 01/31/19 11:03:22 DEBLNDW011X$@AD001.SIEMENS.NET (DEPRECATED:arcfour-hmac)
# kinit -k deblndw011x\$
kinit: Keytab contains no suitable keys for deblndw011x$@AD001.SIEMENS.NET
while getting initial credentials
# kinit -k DEBLNDW011X\$
# echo $?
0
So MIT Kerberos seems to behave according to the RFC.
Michael
