Openfire GSSAPI / Kerberos login no longer working with 3.10.0

Johannes1 · May 7, 2015, 3:47pm

Hello,

Debian Wheezy Openfire 3.10.0

our openfire installation can no longer authenticate clients with gssapi. We enabled debugging, but server side debug logs contain nothing even mentioning gssapi / kerberos / sasl authentication.

using wireshark we were able to get some information:

<stream:stream to=‘XXXX’ xmlns=‘jabber:client’ xmlns:stream=‘http://etherx.jabber.org/streams’ version=‘1.0’><?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream=“http://etherx.jabber.org/streams” xmlns=“jabber:client” from=“XXXX” id=“a7be6887” xml:lang=“en” version=“1.0”>stream:featuresGSSAPIPLAINzlib</stream:features>YoAMCARCiRgREz2rSxqA3Q5dD2ZbM73/xMnbjU72 UwqJjej5KQ/iAMvl4jxB3qHrxGCOwO9ZmALIRBc2HuaXjS3BwqP3c1AbMu8AqJBk=</strea m:stream>

all clients can login using their password. We did not change any configuration files for the upgrade and used the normal debian wheezy package.

Thanks.

Outlander · May 12, 2015, 6:58am

Hello,

Windows Server 2008 R2, Openfire 3.10

Same here, after update from 3.9.3 no one can login by GSSAPI / Kerberos. Nothing related to login problems in serwer logs, on client logs there is:

We can login manually with login and password.

Thanks.

Danila · May 20, 2015, 11:42am

Work perfectly with 3.9.3 but in 3.10.0 -

speedy · May 22, 2015, 3:19pm

update spark to 2.7.x and try again. If you’re already at 2.7.x, check the java version that you are using on both the server and client. if openfire is using java 8, this will break sso, and you’ll need to downgrade to java 7. If the client is running java 8, and if your using DES for your kerberos key, then you’ll need to add allow_weak_crypto=true in the clients krb5.ini

hope this helps

Danila · May 22, 2015, 3:49pm

Thank you for answering.

I use Miranda NG http://www.miranda-ng.org/en/and it isn’t based on Java.

I asked about this issue on their forums. People said that Miranda NG GSSAPI work normal if openfire server (3.10.0) installed on windows, but I have linux-based infrastracture.

speedy · May 22, 2015, 10:15pm

what version of java does openfire show on the openfire admin page?

Danila · May 23, 2015, 6:49am

Java Version:
1.7.0_80 Oracle Corporation – Java HotSpot™ 64-Bit Server VM

Server - Debian 7

speedy · May 23, 2015, 2:34pm

ahh…try java 7u79! I bet you a beer that will fix it.

in 7u80, and j8, there was a change made that broke sso for openfire. There is a ticket open in regards to this.

SSO Breaks with Java 7u80 and Above

Danila · May 23, 2015, 2:46pm

Strange. SSO work normally with 3.9.3 on java 7u80…

Will try.

Danila · May 25, 2015, 7:58am

GSSAPI not work with Oracle Java 7u79 if server 3.10

speedy · May 26, 2015, 12:58pm

guess I owe you a beer! strange that it doesn’t work. In my test, I found that something change in 7_80 and above that broke sso, but I’m running everything on windows.

Mark_Cairney · May 28, 2015, 12:11pm

I’m also seeing this behaviour- I’m running 2xOpenfire servers with Hazelcast clustering on RHEL6 x64 and I’m using:

Java Version: 1.7.0_79 Oracle Corporation – OpenJDK 64-Bit Server VM

On the client side I’m getting a Kerberos ticket:

xmpp/foo.bar.com@

Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

xmpp/foo.bar.com@MY.KERBEROS.DOMAIN

Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Looking at my Psi+ debug log I see the following:

Due to the Hazelcast setup it’s not easy to roll-back to 3.9.3.

speedy · June 2, 2015, 2:47pm

Mark, try installing the java crypto extension unlimited strength policy files.

Mark_Cairney · June 2, 2015, 3:33pm

Thanks for the reply- I’m running OpenJDK, isn’t the JCE package only applicable to Sunacle JDK/JREs?

speedy · June 2, 2015, 3:52pm

ah, yes. you are correct. openjdk doesn’t need the jce. Are you running your client on a linux as well?

Mark_Cairney · June 2, 2015, 4:50pm

Yes, I’ve tried Psi+ and Pidgin on Linux and Messages on Mac OS 10.10 with the same behaviour.

speedy · June 3, 2015, 1:53pm

sounds like maybe a bug when openfire is running on linux. It might be worth trying the included jre instead of java7_79, but something tells me that prob wont work either!

Kalchenko_Alexandr · July 1, 2015, 1:21pm

Hello!

Where is the bug in this patch:

https://github.com/igniterealtime/Openfire/commit/3eadecb67daddbcaeb1dc76ec578ed 0f70e96ad8

Client can send empty response due to RFC 6120 6.4.2, but in second code block Openfire doesn’t verify received string length.

With this code SSO works at 3.10.2:

if (response.length() > 0) {

if (!BASE64_ENCODED.matcher(response).matches()) {

authenticationFailed(session, Failure.INCORRECT_ENCODING);

return Status.failed;

}

Patched Openfire.jar 3.10.2 for testing purposes:

akrherz · July 1, 2015, 2:46pm

Hi Kalchenko,

Thanks! Would you kindly consider submitting a pull request with this change or attaching a git diff of your suggested patch?

Kalchenko_Alexandr · July 1, 2015, 2:55pm

Sorry, i’m just a system administrator and don’t working with modern code tools properly