堆栈内存溢出
  简体   繁体   English

Java和Kerberos

[英]Java and Kerberos

 原文  2010-09-28 12:02:44       java/ passwords/ kerberos

问题描述

I would like to compare a String to the password of the currently authenticated user (encrypted keys comparison). 我想将字符串与当前经过身份验证的用户的密码进行比较(加密密钥比较)。 It seems like retrieving password from the ticket cache but how can I do that? 好像是从票证缓存中检索密码,但是我该怎么办呢?

Thank you 谢谢

2 个解决方案

解决方案1
 1  2010-10-06 20:14:11

It is not possible to retrieve the password from information that are available on the client or anywhere in a kerberos system. 无法从客户端或kerberos系统中任何地方的可用信息中检索密码。 According to the kerberos article in wikipedia (which holds similar information to what I read at other sources) the user entered password is hashed with a one-way function into something that serves as the secret from this point on. 根据Wikipedia中kerberos文章 (该信息与我在其他来源处所获得的信息类似),用户输入的密码通过单向函数散列为从那时起用作秘密的东西。 The secret is available at the key distribution center (KDC) and the ticket granting ticket (TGT) is symmetrically encrypted with this secret. 该密钥在密钥分发中心(KDC)上可用,并且使用该密钥对票证授予票证(TGT)进行对称加密。 To receive and use the TGT, a client has to provide the secret to decrypt the package - which is done by asking for the password from the user. 为了接收和使用TGT,客户端必须提供用于解密程序包的秘密-这是通过向用户询问密码来完成的。 After doing so, the TGT is decrypted and is saved in the ticket cache. 这样做之后,TGT被解密并保存在票证缓存中。

The TGT itself has parts encrypted with a secret only the kdc knows, it does not hold the password of the user. TGT本身具有用kdc知道的秘密加密的部分,它不保存用户密码。 As, for example, this article from 2000 explains, the password is not stored in the ticket cache either - just parts from the TGT. 例如,如2000年的这篇文章所述,密码也不存储在票证缓存中-只是TGT的一部分。 From my understanding it is not possible, to check the user password using the ticket cache. 据我了解,不可能使用票证缓存检查用户密码。

You might want to write your own CallbackHandler to somehow reuse or provide the credentials programmatically, but from my understanding this might lead to security problems. 您可能想要编写自己的CallbackHandler以便以某种方式重用或以编程方式提供凭据,但是据我所知,这可能会导致安全问题。

You might want to think about solving your problem with a total different approach, but there is to little information to suggest any other solution. 您可能想考虑使用完全不同的方法来解决问题,但是几乎没有什么信息可以建议其他解决方案。

解决方案2
 0  2010-09-28 12:29:00

I don't know if that's intended to be possible. 我不知道这是否有可能。 That hash may be salted with a key known only to the server. 该散列可以用仅服务器已知的密钥来加盐。 What I'd try instead is to just authenticate using the user's id and the given String. 我将尝试使用用户的id和给定的String进行身份验证。 If the server accepts the authentication request, the password was valid. 如果服务器接受身份验证请求,则密码有效。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用Java的Kerberos - Kerberos with Java Java Kerberos中的智能卡 - Smart Cards in Java Kerberos 在 Java 中实现 Kerberos 身份验证 - Implement Kerberos authentication in java Kafka Java Producer和kerberos - Kafka Java Producer with kerberos Kerberos Java凭证缓存 - Kerberos Java Credentials Cache Java中的简单Kerberos客户端? - Simple Kerberos client in Java? Java 7中的Kerberos SSO - Kerberos SSO in java 7 带有 Kerberos 的 Java/Tomcat 应用程序 - Java/Tomcat app with Kerberos Java中的可发布Kerberos票证 - Postdatable Kerberos tickets in Java 由KERBEROS保护的Java应用 - Java app secured by KERBEROS
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM