Openfire GSSAPI / Kerberos login no longer working with 3.10.0

Hello,

Debian Wheezy Openfire 3.10.0

our openfire installation can no longer authenticate clients with gssapi. We enabled debugging, but server side debug logs contain nothing even mentioning gssapi / kerberos / sasl authentication.

using wireshark we were able to get some information:

<stream:stream to=‘XXXX’ xmlns=‘jabber:client’ xmlns:stream=‘http://etherx.jabber.org/streams’ version=‘1.0’><?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream=“http://etherx.jabber.org/streams” xmlns=“jabber:client” from=“XXXX” id=“a7be6887” xml:lang=“en” version=“1.0”>stream:featuresGSSAPIPLAINzlib</stream:features>YoAMCARCiRgREz2rSxqA3Q5dD2ZbM73/xMnbjU72 UwqJjej5KQ/iAMvl4jxB3qHrxGCOwO9ZmALIRBc2HuaXjS3BwqP3c1AbMu8AqJBk=</strea m:stream>

all clients can login using their password. We did not change any configuration files for the upgrade and used the normal debian wheezy package.

Thanks.

Hello,

Windows Server 2008 R2, Openfire 3.10

Same here, after update from 3.9.3 no one can login by GSSAPI / Kerberos. Nothing related to login problems in serwer logs, on client logs there is:


We can login manually with login and password.

Thanks.

Work perfectly with 3.9.3 but in 3.10.0 -

update spark to 2.7.x and try again. If you’re already at 2.7.x, check the java version that you are using on both the server and client. if openfire is using java 8, this will break sso, and you’ll need to downgrade to java 7. If the client is running java 8, and if your using DES for your kerberos key, then you’ll need to add allow_weak_crypto=true in the clients krb5.ini

hope this helps

Thank you for answering.

I use Miranda NG http://www.miranda-ng.org/en/and it isn’t based on Java.

I asked about this issue on their forums. People said that Miranda NG GSSAPI work normal if openfire server (3.10.0) installed on windows, but I have linux-based infrastracture.

what version of java does openfire show on the openfire admin page?

Java Version:
1.7.0_80 Oracle Corporation – Java HotSpot™ 64-Bit Server VM

Server - Debian 7

ahh…try java 7u79! I bet you a beer that will fix it.

in 7u80, and j8, there was a change made that broke sso for openfire. There is a ticket open in regards to this.

SSO Breaks with Java 7u80 and Above

Strange. SSO work normally with 3.9.3 on java 7u80…

Will try.

GSSAPI not work with Oracle Java 7u79 if server 3.10

guess I owe you a beer! strange that it doesn’t work. In my test, I found that something change in 7_80 and above that broke sso, but I’m running everything on windows.

I’m also seeing this behaviour- I’m running 2xOpenfire servers with Hazelcast clustering on RHEL6 x64 and I’m using:

Java Version: 1.7.0_79 Oracle Corporation – OpenJDK 64-Bit Server VM

On the client side I’m getting a Kerberos ticket:

xmpp/foo.bar.com@

Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

xmpp/foo.bar.com@MY.KERBEROS.DOMAIN

Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Looking at my Psi+ debug log I see the following:

Due to the Hazelcast setup it’s not easy to roll-back to 3.9.3.

Mark, try installing the java crypto extension unlimited strength policy files.

Thanks for the reply- I’m running OpenJDK, isn’t the JCE package only applicable to Sunacle JDK/JREs?

ah, yes. you are correct. openjdk doesn’t need the jce. Are you running your client on a linux as well?

Yes, I’ve tried Psi+ and Pidgin on Linux and Messages on Mac OS 10.10 with the same behaviour.

sounds like maybe a bug when openfire is running on linux. It might be worth trying the included jre instead of java7_79, but something tells me that prob wont work either!

Hello!

Where is the bug in this patch:

https://github.com/igniterealtime/Openfire/commit/3eadecb67daddbcaeb1dc76ec578ed 0f70e96ad8

Client can send empty response due to RFC 6120 6.4.2, but in second code block Openfire doesn’t verify received string length.

With this code SSO works at 3.10.2:

if (response.length() > 0) {

if (!BASE64_ENCODED.matcher(response).matches()) {

authenticationFailed(session, Failure.INCORRECT_ENCODING);

return Status.failed;

}

}

Patched Openfire.jar 3.10.2 for testing purposes:

Hi Kalchenko,

Thanks! Would you kindly consider submitting a pull request with this change or attaching a git diff of your suggested patch?

Sorry, i’m just a system administrator and don’t working with modern code tools properly