My HTTPClient Kerberos authentication setup is similar to this. My login.conf looks like this:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<principal>
principal=<keytab>;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
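This setup has always worked for me on jdk8u151, but Oracle recently released jdk8u161, and it no longer works there. The debug output is shown below:
Comparing the debug logs, jdk8u161 stops at the following line: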
CCacheInputStream: readFlags((
while jdk8u151 follows it with this line:
unsupported key type found the default TGT: 18
I added
default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
to krb5.conf, but that did not help.
Found my own answer:
- Remove all useTicketCache=true from login.conf
- Add rc4-hmac to default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes
login.conf now looks like this:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
and krb5.conf:
[libdefaults]
...
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
...
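An added example, not part of the original question or answer: a small Python check that maps the key type number from the debug line to its krb5.conf name and reports which enctype settings omit it, which list enctypes deprecated by RFC 6649 and RFC 8429, and which JAAS entries combine the ticket cache with a keytab. The function names and the sample strings are assumptions constructed for this example.

```python
import re

# Kerberos encryption type numbers mapped to the krb5.conf names used on this page.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
# Deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_enctypes(krb5_conf):
    """Return {setting: [enctype names]} for the three enctype settings."""
    found = {}
    for line in krb5_conf.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m and m.group(1) in ENCTYPE_KEYS:
            found[m.group(1)] = re.split(r"[\s,]+", m.group(2))
    return found

def audit(krb5_conf, login_conf, ticket_etype):
    """List findings for a cached ticket with the given etype number."""
    findings = []
    name = ETYPES.get(ticket_etype, "etype-%d" % ticket_etype)
    enctypes = parse_enctypes(krb5_conf)
    for key in ENCTYPE_KEYS:
        names = enctypes.get(key)
        if names is None:
            continue  # setting absent: the library defaults apply
        if name not in names:
            findings.append("%s: missing %s (key type %d)" % (key, name, ticket_etype))
        weak = [n for n in names if n in DEPRECATED]
        if weak:
            findings.append("%s: deprecated %s" % (key, " ".join(weak)))
    # Each JAAS entry is "name { ... };". With both options set, the ticket
    # cache is consulted before the keytab.
    for entry, body in re.findall(r"([\w.]+)\s*\{(.*?)\}", login_conf, re.S):
        if (re.search(r"useTicketCache\s*=\s*true", body)
                and re.search(r"useKeyTab\s*=\s*true", body)):
            findings.append("%s: useTicketCache=true with useKeyTab=true" % entry)
    return findings

# Constructed sample input, modelled on the settings quoted in the question.
SAMPLE_KRB5 = """[libdefaults]
default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
"""
SAMPLE_LOGIN = """com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true;
};
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_KRB5, SAMPLE_LOGIN, 18)))
```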