Stopping the service principal from requesting a TGT
Is there a way to stop the service end of the JGSS negotiation from requesting a TGT for its service principal?
In a Kerberos GSSAPI negotiation the accepting service only needs access to a keytable containing the exported service key to successfully authenticate and identify the client principal. The service does not need any network access to the KDC.
The JGSS implementation during the acceptSecContext requests a TGT for the service principal, even though it makes no use of it and discards it. The service therefore requires network access to the KDC and incurs the overhead of a KDC access for each authentication.
This can simply be demonstrated using the sample code at:
<pre>
http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
</pre>
If the com.sun.security.jgss.accept entry in bcsLogin.conf is modified to:
<pre>
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true doNotPrompt=true useKeyTab=true keyTab="service.keytab" principal="service";
};
</pre>
I would not expect the service to request a TGT, but it does, as the KDC log shows:
<pre>
Jun 27 16:06:35 kdc krb5kdc[1865](info): AS_REQ (3 etypes {16 3 1}) 192.168.111.1: ISSUE: authtime 1151420795, etypes {rep=16 tkt=16 ses=16}, service@REALM for krbtgt/REALM@REALM
Jun 27 16:06:35 kdc krb5kdc[1865](info): AS_REQ (3 etypes {16 3 1}) 192.168.111.1: ISSUE: authtime 1151420795, etypes {rep=16 tkt=16 ses=16}, service@REALM for krbtgt/REALM@REALM
</pre>
Any ideas?
Thanks
Phil
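As an added example that is not part of the post above: a small Python parser over krb5kdc log lines in the format quoted above, flagging AS_REQs in which a keytab-only acceptor principal obtains a krbtgt ticket, which is the symptom described. The line format is assumed from the two quoted lines, and the sample log and the acceptor principal set are constructed.

```python
import re
from collections import Counter

# Matches krb5kdc "ISSUE" lines of the shape quoted in the post (format assumed
# from those two lines; other krb5kdc message types are skipped).
KDC_ISSUE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)$"
)

def parse_kdc_line(line):
    """Return a dict of fields for a krb5kdc ISSUE line, or None for anything else."""
    m = KDC_ISSUE_RE.match(line.strip())
    return m.groupdict() if m else None

def unexpected_tgt_requests(lines, acceptor_principals):
    """AS_REQs where a keytab-only acceptor principal (e.g. "service@REALM")
    obtained a krbtgt ticket; such principals should never need a TGT."""
    hits = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None or rec["req"] != "AS_REQ":
            continue
        if rec["client"] in acceptor_principals and rec["server"].startswith("krbtgt/"):
            hits.append((rec["ts"], rec["ip"], rec["client"], rec["authtime"]))
    return hits

def tgt_requests_per_ip(hits):
    """Count flagged AS_REQs per source address; one per accepted context is the symptom."""
    return Counter(ip for _, ip, _, _ in hits)

# Constructed sample: the two lines from the post plus a user AS_REQ, a TGS_REQ
# and a non-ISSUE line, none of which must be flagged.
SAMPLE_LOG = [
    "Jun 27 16:06:35 kdc krb5kdc[1865](info): AS_REQ (3 etypes {16 3 1}) 192.168.111.1: ISSUE: authtime 1151420795, etypes {rep=16 tkt=16 ses=16}, service@REALM for krbtgt/REALM@REALM",
    "Jun 27 16:06:35 kdc krb5kdc[1865](info): AS_REQ (3 etypes {16 3 1}) 192.168.111.1: ISSUE: authtime 1151420795, etypes {rep=16 tkt=16 ses=16}, service@REALM for krbtgt/REALM@REALM",
    "Jun 27 16:06:40 kdc krb5kdc[1865](info): AS_REQ (3 etypes {16 3 1}) 192.168.111.2: ISSUE: authtime 1151420800, etypes {rep=16 tkt=16 ses=16}, alice@REALM for krbtgt/REALM@REALM",
    "Jun 27 16:06:41 kdc krb5kdc[1865](info): TGS_REQ (3 etypes {16 3 1}) 192.168.111.2: ISSUE: authtime 1151420800, etypes {rep=16 tkt=16 ses=16}, alice@REALM for service@REALM",
    "Jun 27 16:06:42 kdc krb5kdc[1865](info): closing down fd 11",
]

if __name__ == "__main__":
    hits = unexpected_tgt_requests(SAMPLE_LOG, {"service@REALM"})
    for ts, ip, client, authtime in hits:
        print(f"{ts} {ip}: {client} obtained a TGT (authtime {authtime})")
    print(dict(tgt_requests_per_ip(hits)))
```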