[JSch-users] Getting kerberos working

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi
I'm experimenting with Jsch and got private key ssh connections to work without a hitch. I'm now trying to do Kerberos authentication and am getting authentication failures:

                My code:

           jsch = new JSch();

            jsch.setLogger( SIMPLE_LOGGER );

            if ( sshKeyPath != null )
            {
                jsch.addIdentity( sshKeyPath );
            }
            jsch.setKnownHosts( "/dev/null" );
            session= jsch.getSession( targetUser, targetNode, SSH_PORT );
            config = new java.util.Properties();
            config.put( "StrictHostKeyChecking", "no" );
            config.put("PreferredAuthentications",
                       "gssapi-with-mic,publickey" );
            session.setConfig( config );
            session.connect( SSH_CONNECT_TIMEOUT );
            channel = (ChannelExec)session.openChannel( "exec" );
            channel.setCommand( targetCommand );
            channel.setAgentForwarding( true );
            inStream = channel.getInputStream();
            channel.connect( SSH_CHANNEL_TIMEOUT );

With logging on I'm seeing:

junit] SSH_MSG_KEXINIT sent
    [junit] SSH_MSG_KEXINIT received
    [junit] kex: server->client aes128-ctr hmac-md5 none
    [junit] kex: client->server aes128-ctr hmac-md5 none
    [junit] SSH_MSG_KEXDH_INIT sent
    [junit] expecting SSH_MSG_KEXDH_REPLY
    [junit] ssh_rsa_verify: signature true
    [junit] Permanently added 'benleis.desktop' (RSA) to the list of known hosts.
    [junit] SSH_MSG_NEWKEYS sent
    [junit] SSH_MSG_NEWKEYS received
    [junit] SSH_MSG_SERVICE_REQUEST sent
    [junit] SSH_MSG_SERVICE_ACCEPT received
    [junit] Authentications that can continue: gssapi-with-mic,publickey
    [junit] Next authentication method: gssapi-with-mic
    [junit] Authentications that can continue: publickey
    [junit] Next authentication method: publickey
   [junit] Disconnecting from benleis.desktop port 22
    [junit] line: Failed to open the SSH channel to benleis.desktop: Auth fail com.jcraft.jsch.JSchException

Compared to a verbose cmd-line ssh login which succeeds:

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'benleis.desktop' is known and matches the RSA host key.
debug1: Found key in /home/benleis/.ssh/known_hosts:30
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).

I've not done much with Kerberos before. Does anyone have advice on diagnosing the failure or some option I need to configure to get this working?
Thanks
Ben

  __o       __o       __o       __o
 _`\<,_    _`\<,_    _`\<,_    _`\<,_
(*)/ (*)  (*)/ (*)  (*)/ (*)  (*)/ (*)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~