On Wed, Oct 31, 2012 at 3:39 PM, Jay Walters <jaymwalters@verizon.net> wrote:
I have downloaded and built from source the 0.1.49 release of Jsch.

I am using the Exec.java client code and have modified it with the following

    // Want to make sure gssapi is the only choice for authentication.
    session.setConfig("PreferredAuthentications", "gssapi-with-mic");

I have a login.conf file defined and a krb5.conf file, with the following command-line VM args:

-Djava.security.krb5.conf=h:\krb5.conf -Djava.security.auth.login.config=h:\login.conf -Djavax.security.auth.useSubjectCredsOnly=false

In the login.conf file I refer to a keytab file with credentials for my user in it.

I have a hand-coded example which uses LoginContext and some other classes, with which I can use the same config files, and I can see my keytab file is correct and I can dump out the tickets, so I know the config files are good for basic Kerberos/GSS from Java.

With debug on I see Krb5LoginModule working to get the tickets and printing out messages that it is working.

I wind up with this exception

com.jcraft.jsch.JSchException: Auth fail
com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:491)
    at com.jcraft.jsch.Session.connect(Session.java:162)
    at Jay.main(Jay.java:64)

I have not seen a working example of accessing Kerberos from a client anyplace. Is there one?


JSch-users mailing list

Hello Jay

It appears that everything you are doing is correct. I hadn't done this in a while but grabbed the 0.1.49 version of the jar file to confirm. I have posted before about Kerberos support missing from the jar file that is posted but this version looks good so I guess that is fixed. My login.conf file looks like this

com.sun.security.jgss.initiate {
   com.sun.security.auth.module.Krb5LoginModule required

One thing I have come across is that, depending on the Java version, the configuration may need to be called com.sun.security.jgss.krb5.initiate, but you would get an error indicating that. I did this with 1.6.0_13.

I used an example based on Shell.java without the password prompting code and with preferred authentication set only to gssapi similar to what you have done. Here is the command line

java -classpath jsch-0.1.49.jar:. -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=login.conf -Djavax.security.auth.useSubjectCredsOnly=false Shell2

This is pretty much what you did. In debug mode I can clearly see the tickets being issued, etc. 

Can you confirm that you can successfully authenticate using gssapi with the regular ssh client and that there are no authorization files that would prevent the principal you are using from accessing the account? The log file for sshd should also say why the authentication did not succeed.
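
An added example, not part of either message and not code from the JSch distribution: a minimal client for the setup discussed in this thread. It first requests a Kerberos service ticket for the SSH server directly through JGSS, then connects through JSch with gssapi-with-mic as the only method and JSch logging enabled. The class name `GssExec`, the `known_hosts` path, port 22 and the `host@<canonical name>` target are assumptions.

```java
import com.jcraft.jsch.ChannelExec;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Logger;
import com.jcraft.jsch.Session;
import java.io.InputStream;
import java.net.InetAddress;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
// Hypothetical class name; run with the same -D options shown in the thread.
public class GssExec {
    public static void main(String[] args) throws Exception {
        String user = args[0], host = args[1], command = args[2];
        // Step 1: request a service ticket for host@<canonical name> directly. A GSSException
        // here points at Kerberos (DNS, realm mapping, host principal), not at JSch.
        String cname = InetAddress.getByName(host).getCanonicalHostName();
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName("host@" + cname, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(target, new Oid("1.2.840.113554.1.2.2"),
                null, GSSContext.DEFAULT_LIFETIME);
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        System.err.println("service ticket OK for host@" + cname + ", " + token.length + " bytes");
        ctx.dispose();
        // Step 2: connect with gssapi-with-mic only, logging every JSch message.
        JSch.setLogger(new Logger() {
            public boolean isEnabled(int level) { return true; }
            public void log(int level, String message) {
                System.err.println("jsch[" + level + "] " + message);
            }
        });
        JSch jsch = new JSch();
        // Assumed path; the server's host key must already be listed there.
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");
        Session session = jsch.getSession(user, host, 22);
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        session.connect(30000);
        ChannelExec channel = (ChannelExec) session.openChannel("exec");
        channel.setCommand(command);
        InputStream in = channel.getInputStream(); // must be obtained before connect()
        channel.connect();
        byte[] buf = new byte[1024];
        for (int n; (n = in.read(buf)) != -1; ) System.out.write(buf, 0, n);
        System.out.flush();
        channel.disconnect();
        session.disconnect();
    }
}
```

If step 1 succeeds and step 2 still ends in "Auth fail", the JSch log shows which methods the server offered, and the sshd log on the server gives the reason for the rejection.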