How to save Kerberos private credentials for use in other machines

Submitted by 一世执手 on 2019-12-25 03:54:40

Question


I am using JAAS to get Kerberos credentials. My config file looks like this:

SignedOnUserLoginContext
{
  com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=true;
};

The code to get the Kerberos credentials:

import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Log in through the JAAS entry above and return the ASN.1 encoding of the first
// KerberosTicket found among the Subject's private credentials, or null if none.
static byte[] getEncodedTicket() throws LoginException {
    LoginContext lc = new LoginContext("SignedOnUserLoginContext");
    lc.login();
    Subject signedOnUserSubject = lc.getSubject();
    Set<Object> privateCred = signedOnUserSubject.getPrivateCredentials();

    for (Object privates : privateCred) {
        if (privates instanceof KerberosTicket) {
            KerberosTicket ticket = (KerberosTicket) privates;
            return ticket.getEncoded();
        }
    }
    return null;
}

When I transfer the ticket to other machines and use JAAS to log in with Kerberos, it doesn't get authenticated. My config file on the receiving side:

KrbLogin {
    com.sun.security.auth.module.Krb5LoginModule required
        principal=principal@realm
        // useTicketCache is a boolean; the cache file itself is named by ticketCache
        useTicketCache=true
        ticketCache="/where/i/store/the/ticket";
};

I am suspecting I cannot just get the ticket like that, but need to get the whole set of private credentials returned by getPrivateCredentials(). Also, with doNotPrompt=true and useTicketCache=true I am trying to read from the Windows cache.

I read in some Java security book that private credentials can include other data such as private keys, encryption keys, passwords, etc.

Hence, I would need to get the return value of getPrivateCredentials(). How can I get what is returned by getPrivateCredentials() into an actual Kerberos credential file? I read that in order to access this data, I would need to use the PrivateCredentialPermission module. Is there an example showing how to do this?


Answer 1:


Kerberos credentials are not portable; technically, you cannot do kinit on machine A and then use that TGT (ticket granting ticket) or ST (service ticket) on machine B (except for delegation), because both the TGT and the ST contain the encrypted IP address of the client.

The ST is encrypted with the service server's key, which means only the SS can verify/read the content of the ticket.

The TGT is encrypted with the key of the TGS (ticket granting server).

By the way, maybe what you want is what is called a Kerberos keytab, which contains the principal's user name & password.

But transferring a keytab over the network is dangerous and deprecated.
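An added example (not code from the question or the answer) that inspects a locally constructed, fake KerberosTicket to show why copying only getEncoded() cannot work: the session key the client needs is a separate field of the Subject's KerberosTicket object, the encoded ticket itself is the opaque blob encrypted under the service's key, and the ticket may be bound to the client's addresses. All principal names, addresses, key bytes and ticket bytes below are constructed placeholders.

```java
import java.net.InetAddress;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TicketInspector {
    // Summarise what a KerberosTicket object carries and which parts are
    // lost if only getEncoded() is written out and copied elsewhere.
    static String describe(KerberosTicket t) {
        StringBuilder sb = new StringBuilder();
        sb.append("client=").append(t.getClient().getName()).append('\n');
        sb.append("server=").append(t.getServer().getName()).append('\n');
        // Opaque, service-key-encrypted ticket: this code cannot read inside it.
        sb.append("encoded ticket bytes=").append(t.getEncoded().length).append('\n');
        // The session key lives beside the ticket, not inside getEncoded().
        sb.append("session key held separately=").append(t.getSessionKey() != null).append('\n');
        InetAddress[] addrs = t.getClientAddresses();
        sb.append("bound client addresses=").append(addrs == null ? 0 : addrs.length).append('\n');
        sb.append("forwardable=").append(t.isForwardable()).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; nothing here is a real ticket or key.
        byte[] fakeEncodedTicket = new byte[] {0x61, 0x00}; // placeholder blob
        byte[] fakeSessionKey = new byte[16];               // placeholder key bytes
        boolean[] flags = new boolean[32];
        flags[1] = true; // index 1 is the FORWARDABLE flag
        Date now = new Date();
        KerberosTicket t = new KerberosTicket(
            fakeEncodedTicket,
            new KerberosPrincipal("alice@EXAMPLE.COM"),
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            fakeSessionKey,
            17, // key type 17 = aes128-cts-hmac-sha1-96 (RFC 3962)
            flags,
            now, now,
            new Date(now.getTime() + 8L * 3600 * 1000), // endTime: 8 hours
            null, // renewTill: not renewable
            new InetAddress[] { InetAddress.getByName("192.0.2.10") });
        System.out.print(describe(t));
    }
}
```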



Source: https://stackoverflow.com/questions/24817322/how-to-save-kerberos-private-credentials-for-use-in-other-machines
