Re: [JSch-users] JSch and Kerberos authentication?
From: Borislav S. <jsc...@me...> - 2011-01-22 05:03:00
Hi Martin

Sorry I missed the release of version 0.1.44. The class I am referring to is GSSContextKrb5 in the jgss directory. It is present in the jar file available for download versions 36-40,42 but missing in 41,43,44.

The short answer to your question is that if you download version 0.1.44 of the jar file Kerberos authentication will not work. If you pull the source (zip) and build it, Kerberos authentication will work. Because the plugin (jar file) that comes with Eclipse is a compiled version and not the one available from jcraft, Kerberos authentication will work in Eclipse. I believe the current version included is 0.1.41 but the class is in there and it works.

Here's what to do to set it up

You need:
=======
KFW (Kerberos for Windows) available from MIT
Eclipse
Eclipse Target Management Terminal (TMT)

Configuration:
=========
* It's best if you copy a Kerberos configuration file from a unix system. Don't try to use one generated by Network Identity Manager (NetID) as it creates one that java's JAAS does not read correctly. On windows you can grab a krb5.conf file from a unix system and put it in c:\windows\krb5.ini or you can use a separate one for Eclipse and put it someplace else. That's probably cleaner and you just need to pass the '-Djava.security.krb5.conf=E:\Eclipse\krb5.conf' (your path of course) parameter in the 'eclipse.ini' file.

* KFW must be configured to use a file based credentials cache. This is needed because java needs to access it and use it for authentication. In NetID go to Options->Identity. Select the identity (principal@REALM). Select the 'Kerberos 5' tab and change the 'Credential Cache' to 'FILE:C:\Documents and Settings\username\krb5cc_username'. After you change the setting destroy and obtain a new tgt. Right click on the identity and select Properties to verify it is defined as 'FILE:.....'. Verify that the registry entry HKCU\Software\MIT\kerberos5\ccname is set to the file.

* Make sure your credentials are valid in both the ktools that come with KFW and java. In a command prompt window change to the KFW bin directory and run the 'klist' command. Look for the 'FILE:...' setting. Change to java's bin directory and run the 'klist' command there. You won't see the 'FILE:...' part but make sure the path to the cache is the same.

* Create a JAAS login config file and put it in the Eclipse directory (maybe along with the krb5.conf file...). It will most likely look something like this

    /* Login config for JAAS */
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        debug="false"
        doNotPrompt="true"
        useTicketCache="true"
        ticketCache="c:\\Documents and Settings\\username\\krb5cc_username"
        ;
    };

  Path to the file based credentials cache needs to match the one configured in the previous steps. Take a look at the links I sent about the JAAS login config file. You can use other settings like keytab files instead of file-based credentials cache, etc.

* Edit the 'eclipse.ini' file and somewhere after the -vmargs line append the following settings where the path to the login.conf file is the one you used in the step above

    -Djava.security.auth.login.config=E:\Eclipse\login.conf
    -Djavax.security.auth.useSubjectCredsOnly=false

  optionally

    -Djava.security.krb5.conf=E:\Eclipse\krb5.conf

  per the first step too.

* In Eclipse create connections to remote machines. If there is a password prompt note that it is optional and when using Kerberos authentication the password is not used.

Again hope this helps. Thanks.

Borislav

On Fri, Jan 21, 2011 at 12:15 PM, Oberhuber, Martin <Mar...@wi...> wrote:

> Hello Borislav,
>
> I tried to verify your statements, but I couldn’t quite follow.
>
> I compared JSch-0.1.43 against JSch-0.1.44 (both the source and the binary distributions).
> And I couldn’t find any difference in the list of files being shipped, neither .class nor .java.
>
> So… should JSch-0.1.44 support Kerberos or not?
> And, should JSch-0.1.41 as it is shipped with Eclipse today support Kerberos or not?
>
> I’m particularly interested in Eclipse support, so it would be great if you could share your guidelines document here or attach it on
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=265711 .
>
> What I do get from your E-Mail is that on Windows I need additional software (KFW) so having Eclipse / RSE / JSch only would not be sufficient to log into a remote host using Kerberos.
>
> Is this correct?
>
> Thanks,
> Martin
>
> *From:* bo...@me... [mailto:bo...@me...] *On Behalf Of* Borislav Stoichkov
> *Sent:* Friday, January 21, 2011 5:35 AM
> *To:* Oberhuber, Martin
> *Cc:* jsc...@li...
> *Subject:* Re: [JSch-users] JSch and Kerberos authentication?
>
> Hello Martin
>
> JSch has support for Kerberos authentication. The twist is that some versions of the jar file posted include the required classes and others don't. For example the latest version does not have the classes but the version before does. Anyway grabbing the source and running the build (default against the provided build.xml file) produces a jar file with krb5 support. I meant to send another request for this functionality to be included in the posted jar file but never got around to it. Now that this has come up maybe it will make another case to include the krb5 classes.
>
> Here are a few links that should help you get started with JSch, JAAS and GSS-API
>
> http://download.oracle.com/javase/1,5.0/docs/guide/security/jgss/tutorials/index.html
> http://download.oracle.com/javase/1,5.0/docs/guide/security/jgss/tutorials/BasicClientServer.html
> http://download.oracle.com/javase/1,5.0/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
>
> It all comes down to creating a valid JAAS login configuration file and using the java.security.krb5.conf and java.security.auth.login.config properties. I believe there is a small difference in the default JAAS configuration entry for the client in java 1.5 and 1.6. In 1.5 it is com.sun.security.jgss.initiate and in 1.6 it is com.sun.security.jgss.krb5.initiate
>
> JSch with Kerberos authentication integrates very well with Ant, web apps (weblogic and jboss) as well as Eclipse. I have a guidelines document about integrating Eclipse with Jsch but it is pretty much in the same spirit. It works together with KFW (Kerberos for windows, if using windows of course) with a file based credentials cache that java can access and passing the properties to eclipse in the ini file. If you need more details let me know.
>
> It is easy to modify any one of the examples provided with JSch to use Kerberos by removing the password altogether and passing the properties mentioned above. Of course the server side needs to support gssapi. A keytab file can be used as well so you don't have to maintain a credentials cache for the purpose of your testing.
>
> Hope this is helpful to you. Thanks.
>
> Borislav
>
> On Thu, Jan 20, 2011 at 12:54 PM, Oberhuber, Martin <Mar...@wi...> wrote:
>
> Hi all,
>
> There is some confusion to what respect JSch supports Kerberos authentication. WinSCP does seem to support it, but what about JSch?
> Respective Forum questions have remained unanswered:
>
> http://sourceforge.net/forum/forum.php?thread_id=3045396&forum_id=219651
> http://sourceforge.net/forum/forum.php?thread_id=3045376&forum_id=219650
>
> See also Eclipse bug
>
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=265711
>
> Thanks,
> Martin
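
The JSch-side change discussed in this thread (no password, Kerberos and JAAS properties passed to the JVM), as an added example that is not part of the original messages or of the JSch distribution. It assumes a JSch jar that contains the GSSContextKrb5 class and a valid ticket in the credentials cache; the user `alice`, the host `ssh.example.org`, the known_hosts location and the `whoami` command are constructed for illustration, and the two config paths reuse the thread's example locations.

```java
import com.jcraft.jsch.ChannelExec;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.Properties;

public class JschKerberosExample {
    public static void main(String[] args) throws Exception {
        // Example paths from the thread; replace with your own krb5.conf and JAAS login config.
        System.setProperty("java.security.krb5.conf", "E:\\Eclipse\\krb5.conf");
        System.setProperty("java.security.auth.login.config", "E:\\Eclipse\\login.conf");
        // Let JGSS obtain credentials through the JAAS entry (the ticket cache)
        // instead of requiring them in the calling thread's Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        JSch jsch = new JSch();
        // Check the server host key against known_hosts (assumed location).
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");

        // Constructed user and host; no password or private key is set anywhere.
        Session session = jsch.getSession("alice", "ssh.example.org", 22);
        Properties config = new Properties();
        // Offer only GSS-API, so a Kerberos problem shows up as a failed login
        // rather than a silent fallback to a password prompt.
        config.put("PreferredAuthentications", "gssapi-with-mic");
        config.put("StrictHostKeyChecking", "yes");
        session.setConfig(config);
        session.connect(15000);
        try {
            ChannelExec channel = (ChannelExec) session.openChannel("exec");
            channel.setCommand("whoami");
            InputStream in = channel.getInputStream();
            channel.connect();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[1024];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
            channel.disconnect();
            System.out.print(out.toString("UTF-8"));
        } finally {
            session.disconnect();
        }
    }
}
```

If the connection fails with an authentication error, setting debug="true" in the Krb5LoginModule entry shows whether the ticket cache was found and read.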