Reputation: 21
I have a Java API that talks to the Kerberos server and performs various operations. As of now, my API requests non-renewable tickets from the Kerberos server. From what I understand, the JAAS config file has an option to set the renewTGT option to true so that a renewable ticket can be issued. However, JAAS seems to have a lot of restrictions on setting the "renewUntil" time. Can anyone please tell me how we can request a renewable ticket and also control its renewability? Basically, is there a way we can perform a Java equivalent of the operation: kinit -R? Thanks in advance.
Upvotes: 2
Views: 2354
Reputation: 7618
As of JDK7 (1.7.0_55), JAAS Krb5LoginModule does not provide any option to request a renewable TGT when authenticating, so this is not currently possible using JAAS. You might be able to achieve this, but you would need to use the internal Kerberos classes directly, bypassing JAAS.
Internally, Krb5LoginModule instantiates a sun.security.krb5.KrbAsReqBuilder to obtain credentials using either a provided password, or a keyTab. KrbAsReqBuilder has a setOptions(KDCOptions options) method, but this is not called in the login module. If it could be accessed, you could call KDCOptions#set(KDCOptions.RENEWABLE, true), and I would then expect the returned ticket to be renewable, if the KDC is configured to allow renewable tickets.
Upvotes: 4
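The approach the answer outlines, as an added example that is not code from the original posts or from the JDK: it calls the internal sun.security.krb5 classes directly to set the RENEWABLE option on the AS-REQ, then renews the returned TGT. Assumptions: the class name RenewableTgtExample and the principal passed on the command line are placeholders, a krb5.conf for the realm is reachable, and the JVM exposes these unsupported internal classes (on JDK 9 and later that means `--add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED` and the same for `sun.security.krb5.internal`).

```java
import java.io.Console;
import java.util.Arrays;
import sun.security.krb5.Credentials;
import sun.security.krb5.KrbAsReqBuilder;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.KDCOptions;

// Hypothetical class name; uses JDK-internal, unsupported Kerberos classes.
public class RenewableTgtExample {

    // Sends an AS-REQ with the RENEWABLE KDC option set and returns the TGT.
    static Credentials requestRenewableTgt(String principal, char[] password) throws Exception {
        PrincipalName cname = new PrincipalName(principal, PrincipalName.KRB_NT_PRINCIPAL);
        KrbAsReqBuilder builder = new KrbAsReqBuilder(cname, password);
        try {
            KDCOptions options = new KDCOptions();
            options.set(KDCOptions.RENEWABLE, true); // the step Krb5LoginModule never performs
            builder.setOptions(options);
            return builder.action().getCreds();
        } finally {
            builder.destroy(); // wipe the builder's copy of the secret
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: java RenewableTgtExample <principal@REALM> (from a terminal)");
            return;
        }
        char[] password = console.readPassword("Password for %s: ", args[0]);
        try {
            Credentials tgt = requestRenewableTgt(args[0], password);
            // The KDC decides; the flag is only a request, so check the result.
            System.out.println("renewable=" + tgt.isRenewable()
                    + " endTime=" + tgt.getEndTime()
                    + " renewTill=" + tgt.getRenewTill());
            if (tgt.isRenewable()) {
                Credentials renewed = tgt.renew(); // the kinit -R step
                System.out.println("renewed endTime=" + renewed.getEndTime());
            }
        } finally {
            Arrays.fill(password, '\0'); // do not leave the password in memory
        }
    }
}
```

The renew-till time is still bounded by the KDC's policy for the principal and the realm, so a client request cannot extend it past what the KDC allows.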