views:

59

answers:

3

Hello,

I would like to compare a String to the password of the currently authenticated user (encrypted keys comparison). It seems like the password could be retrieved from the ticket cache, but how can I do that?

Thank you

A: 

I don't know if that's intended to be possible. That hash may be salted with a key known only to the server. What I'd try instead is to just authenticate using the user's id and the given String. If the server accepts the authentication request, the password was valid.

Barend
Thank you for your answer. I can't apply your solution because the user is already authenticated. In order to let him change his Kerberos password, I have to check his identity by asking him for his old (current) password. Then I must compare the entry to the real password.
BigMac
A: 

It is not possible to retrieve the password from information that is available on the client or anywhere in a Kerberos system. According to the Kerberos article in Wikipedia (which holds similar information to what I read at other sources), the user-entered password is hashed with a one-way function into something that serves as the secret from this point on. The secret is available at the key distribution center (KDC) and the ticket granting ticket (TGT) is symmetrically encrypted with this secret. To receive and use the TGT, a client has to provide the secret to decrypt the package - which is done by asking the user for the password. After doing so, the TGT is decrypted and saved in the ticket cache.

The TGT itself has parts encrypted with a secret only the KDC knows; it does not hold the password of the user. As, for example, this article from 2000 explains, the password is not stored in the ticket cache either - just parts of the TGT. From my understanding it is not possible to check the user password using the ticket cache.

You might want to write your own CallbackHandler to somehow reuse or provide the credentials programmatically, but from my understanding this might lead to security problems.

You might want to think about solving your problem with a totally different approach, but there is too little information to suggest any other solution.

MaoPU
Thank you MaoPU for this great answer. Effectively, it seems to be impossible to retrieve the user password from the Kerberos database. In order to avoid security leaks, I'll rather call a shell script that executes the password check and change.
BigMac
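Barend's suggestion (authenticate with the user's id and the supplied String instead of comparing keys) and MaoPU's remark about a programmatic CallbackHandler can be combined in Java as follows. This is an added example, not code from either answer; the class name `KerberosPasswordCheck` and the JAAS entry name `"check"` are placeholders chosen here, and it assumes a reachable KDC configured in krb5.conf.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public final class KerberosPasswordCheck {

    // Programmatic JAAS config for a throw-away Krb5LoginModule login.
    // useTicketCache=false means the user's existing TGT cannot satisfy
    // the login: the only way it succeeds is a real AS exchange with the
    // KDC using the password we were handed.
    private static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = Map.of(
                "useTicketCache", "false",
                "doNotPrompt", "false",
                "storeKey", "false");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    };

    /** True only if the KDC accepted principal/password (AS-REQ/AS-REP). */
    public static boolean verify(String principal, char[] password) {
        // CallbackHandler that answers the module's prompts from memory
        // instead of asking the user again on the console.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            LoginContext lc = new LoginContext("check", new Subject(), handler, CONFIG);
            lc.login();   // contacts the KDC; throws if the password is wrong
            lc.logout();  // drop the temporary TGT, nothing is written to the cache
            return true;
        } catch (LoginException e) {
            return false; // wrong password, unknown principal, KDC unreachable
        }
    }
}
```

A check that only relies on the AS-REP decrypting correctly trusts whatever answers as the KDC; deployments that care about KDC spoofing additionally verify a service ticket against a local keytab, which Krb5LoginModule does not do for you. Clear the `password` array once `verify` returns, and treat a `false` result as "not verified" rather than "wrong password", since network failures land in the same branch.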