I did not verify any of this, but the instructions say JSCH supports kerberos. From what I could tell the jgss tutorials help -
https://www.mail-archive.com/[email protected]/msg01048.html http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html Suresh On Feb 5, 2014, at 10:53 AM, Suresh Marru <[email protected]> wrote: > I am willing to bet that jcraft supports Kerberos out of the box without any > code changes but with only subtle configurations like what Amila referred > below. > > + 1 on the importance of Kerberos and making it a first class supported > protocol for credential store. > > Suresh > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <[email protected]> wrote: > >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use >> case. I'd guess a fair number of computing centers use Kerberos and >> kerberized SSH for access. This would allow us to combine the >> advantages (?) of SSH (no grid infrastructure needs to be installed) >> with GSI short term credentials (no managing of public keys). >> >> >> Marlon >> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote: >>> JSCH provides user authentication mechanism gssapi-with-mic. We should be >>> able to use this interface to implement Kerberos based authentication. In >>> the JCraft library in airvata, we have modified default GSSAPI >>> implementation to incorporate MyProxy (X.509) authentication. We may need >>> to do some code level changes to get both working at the same code. >>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure >>> what sort of changes we need to do to get Kerberos working with JSCH. It >>> could be only adding Kerbeors configuration files and JAAS configuration >>> files, or it could be some code changes we need to do in GSSAPI level. We >>> may need to further investigate this. >>> >>> In summary it should be possible to implement Kerberos authentication with >>> JSCH but not sure how much work. We need to investigate some time and >>> figure that out. >>> >>> Thanks >>> Amila >>> >>> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh >>> <[email protected]>wrote: >>> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft >>>> library to provide the support. As of my experience, /tools/gsissh should >>>> work with Kerberos authentication. I am not sure about addition to x509 >>>> certificate. X509 certificates are only used with myproxy server. >>>> >>>> Thanks >>>> Raminder >>>> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <[email protected]> wrote: >>>> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets >>>>> in addition to short term x.509 grid credentials? Or would JSCH do this >>>>> out of the box? >>>>> >>>>> >>>>> Thanks-- >>>>> >>>>> >>>>> Marlon >>>>> >>>> >> >
