Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for "gssapi-with-mic" authentication (Kerberos) #195

Merged
merged 4 commits into from
Jun 16, 2015

Conversation

bluekeyes
Copy link
Contributor

This is working with an internal (soon to be open-source) library we have, but there might still be problems with certain edge cases. Not sure what your testing policy is, but I can look into writing some tests if the MINA SSHD server supports "gssapi-with-mic" authentication as well.

@bluekeyes
Copy link
Contributor Author

Relevant RFC for reference: https://www.ietf.org/rfc/rfc4462.txt

@hierynomus
Copy link
Owner

Seems like gssapi-with-mic is supported by Apache Mina (https://issues.apache.org/jira/browse/SSHD-111). Would be nice to have some tests... Also would be good start to test all the other new key exchange mechanisms as well if they're supported by Mina.

@dkocher
Copy link
Contributor

dkocher commented May 19, 2015

I think this patch is quite awesome. Would love to see a sample how to use it with a login context.

@hierynomus
Copy link
Owner

Definitely agreed that the patch is very cool.

@bluekeyes
Copy link
Contributor Author

@dkocher Here's an example of how we set it up for Kerberos. Unfortunately, it requires setting several system properties and generating a file. I need to do some more research to see if it can be done entirely in code.

String username;
String kerberosRealm;
String kdcHostname;

/* 
 * See http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html
 * 
 * For Kerberos, the file contains:
 *
 * Krb5LoginContext {
 *   com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useTicketCache=true;
 * };
 *
 */
File jaasConfigFile;

// Required by Krb5LoginContext
System.setProperty("java.security.krb5.realm", kerberosRealm);
System.setProperty("java.security.krb5.kdc", kdcHostname);
System.setProperty("java.security.auth.login.config", jassConfigFile.toString());

LoginContext lc = null;
try {
    lc = new LoginContext("Krb5LoginContext");
    lc.login();
} catch (LoginException e) {
    throw new UserAuthException(e);
}

Oid krb5Oid;
try {
    // as defined by the Kerberos specification
    krb5Oid = new Oid("1.2.840.113554.1.2.2");
} catch (GSSException e) {
    throw new UserAuthException("Failed to create Kerberos OID", e);
}

SSHClient client = new SSHClient();
client.authGssApiWithMic(username, lc, krb5Oid);

bluekeyes added 3 commits May 19, 2015 10:49
The default implementation only supports Kerberos and encourages
subclassing, so there should be a way to provide subclasses.
Mock enough of the JGSS API to avoid needing a real Kerberos
environment. I'm not sure how accurate this is, but it should test that
the client is sending the correct packets in the corect order.
@bluekeyes
Copy link
Contributor Author

After a lot of mocking, I got a simple authentication test working. Any other comments?

Also, is there any timeline on when this could merge? I have a project I'm working to open source that depends on this feature being available in a public SSHJ release.

@hierynomus
Copy link
Owner

Looking at it now 👍

hierynomus added a commit that referenced this pull request Jun 16, 2015
Add support for "gssapi-with-mic" authentication (Kerberos)
@hierynomus hierynomus merged commit 1c5b462 into hierynomus:master Jun 16, 2015
@bluekeyes bluekeyes deleted the feature/gss-api branch June 16, 2015 16:14
@hierynomus hierynomus added this to the 0.13.0 milestone Jun 17, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants