I am using JAAS to get Kerberos credentials. My config file looks like this:

```
SignedOnUserLoginContext {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useTicketCache=true
        doNotPrompt=true;
};
```
The code to get Kerberos credentials:

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Log in through the "SignedOnUserLoginContext" entry and return the
// ASN.1 encoding of the first Kerberos ticket found in the Subject.
byte[] getTicket() throws LoginException {
    LoginContext lc = new LoginContext("SignedOnUserLoginContext");
    lc.login();
    Subject signedOnUserSubject = lc.getSubject();
    Set<Object> privateCred = signedOnUserSubject.getPrivateCredentials();
    for (Object privates : privateCred) {
        if (privates instanceof KerberosTicket) {
            KerberosTicket ticket = (KerberosTicket) privates;
            return ticket.getEncoded();
        }
    }
    return null; // no Kerberos ticket among the private credentials
}
```
When I transfer the ticket to other machines and use JAAS to log in with Kerberos, it doesn't get authenticated. My config file on the receiving side:

```
KrbLogin {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="principal@realm"
        // useTicketCache only takes true/false; the cache location goes in ticketCache
        useTicketCache=true
        ticketCache="FILE:///where i store the ticket";
};
```
I suspect I cannot just take the ticket like that, but need to take the whole set of private credentials returned by getPrivateCredentials(). Also, with doNotPrompt=true and useTicketCache=true I am trying to read from the Windows cache.
I read in some Java security book that private credentials can include other data such as private keys, encryption keys, passwords etc.
Hence, I would need to get the return value of getPrivateCredentials(). How can I get what is returned by getPrivateCredentials() into an actual Kerberos credential file? I read that in order to access this data, I would need to use PrivateCredentialPermission. Is there an example that shows how to do this?
Kerberos credentials are not portable. Technically, you cannot do kinit on machine A and then use that TGT (ticket granting ticket) or ST (service ticket) on machine B (except for delegation), because both the TGT and the ST contain the encrypted IP address of the client.
The ST is encrypted with the service server's key, which means only the SS can verify/read the content of the ticket.
The TGT is encrypted with the key of the TGS (ticket granting server).
By the way, maybe what you want is what is called a Kerberos keytab, which contains the principal's user name & password. But transferring a keytab over the network is dangerous and deprecated.
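As an added illustration (not code from the question or the answer), this Java snippet reads the ticket fields the answer refers to (server, client, expiry, forwardable flag, bound client addresses) and shows the delegation path the answer allows: the logged-in Subject is used in place to build a GSS-API initial token for the target service with credential delegation requested, instead of copying raw ticket bytes to another host. The JAAS entry name is the one from the question; the service name HTTP@web.example.com is a placeholder.

```java
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TicketUsage {
    // Summarise, from the ticket's own fields, the properties that tie it to
    // this client and this service (the reason a copied ticket fails elsewhere).
    static String describe(KerberosTicket t) {
        InetAddress[] addrs = t.getClientAddresses(); // null for an addressless ticket
        return "server=" + t.getServer()
             + " client=" + t.getClient()
             + " expires=" + t.getEndTime()
             + " forwardable=" + t.isForwardable()
             + " boundTo=" + (addrs == null ? "any address" : Arrays.toString(addrs));
    }

    // Use the credential where it lives: GSS-API builds the AP-REQ for the target
    // service from the Subject's tickets. requestCredDeleg(true) asks for a forwarded
    // TGT to be included so the service can act on the user's behalf; the KDC honours
    // this only if the TGT is forwardable.
    static byte[] initialToken(Subject subject, String hostBasedService) throws Exception {
        PrivilegedExceptionAction<byte[]> action = () -> {
            GSSManager gm = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            GSSName target = gm.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = gm.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            ctx.requestCredDeleg(true);
            try {
                return ctx.initSecContext(new byte[0], 0, 0); // first token of the exchange
            } finally {
                ctx.dispose();
            }
        };
        return Subject.doAs(subject, action);
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("SignedOnUserLoginContext");
        lc.login();
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println(describe(t));
        }
        byte[] token = initialToken(subject, "HTTP@web.example.com"); // placeholder service
        System.out.println("AP-REQ token bytes: " + token.length);
    }
}
```

The token returned here is only the first message of the context establishment; a real client keeps calling initSecContext with the service's replies until isEstablished() is true.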