I did some searching on the subject. As Suresh said, it seems JSCH does support Kerberos out of the box.

[1] http://epaul.github.io/jsch-documentation/javadoc/com/jcraft/jsch/GSSContext.html
[2] https://www.mail-archive.com/[email protected]/msg01075.html

On Wed, Feb 5, 2014 at 5:19 PM, Amila Jayasekara <[email protected]> wrote:

> Yes, it seems. But better to verify.
> +1 for Kerberos authentication support in GSISSH.
>
> Thanks
> Amila
>
>
> On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <[email protected]> wrote:
>
>> I did not verify any of this, but the instructions say JSCH supports
>> Kerberos. From what I could tell the jgss tutorials help -
>>
>> https://www.mail-archive.com/[email protected]/msg01048.html
>> http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
>>
>> Suresh
>>
>>
>> On Feb 5, 2014, at 10:53 AM, Suresh Marru <[email protected]> wrote:
>>
>> > I am willing to bet that jcraft supports Kerberos out of the box
>> > without any code changes but with only subtle configurations like what
>> > Amila referred below.
>> >
>> > + 1 on the importance of Kerberos and making it a first class supported
>> > protocol for credential store.
>> >
>> > Suresh
>> > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <[email protected]> wrote:
>> >
>> >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
>> >> case. I'd guess a fair number of computing centers use Kerberos and
>> >> kerberized SSH for access. This would allow us to combine the
>> >> advantages (?) of SSH (no grid infrastructure needs to be installed)
>> >> with GSI short term credentials (no managing of public keys).
>> >>
>> >>
>> >> Marlon
>> >>
>> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>> >>> JSCH provides user authentication mechanism gssapi-with-mic. We should be
>> >>> able to use this interface to implement Kerberos based authentication. In
>> >>> the JCraft library in Airavata, we have modified default GSSAPI
>> >>> implementation to incorporate MyProxy (X.509) authentication. We may need
>> >>> to do some code level changes to get both working at the same code.
>> >>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
>> >>> what sort of changes we need to do to get Kerberos working with JSCH. It
>> >>> could be only adding Kerberos configuration files and JAAS configuration
>> >>> files, or it could be some code changes we need to do in GSSAPI level. We
>> >>> may need to further investigate this.
>> >>>
>> >>> In summary it should be possible to implement Kerberos authentication with
>> >>> JSCH but not sure how much work. We need to investigate some time and
>> >>> figure that out.
>> >>>
>> >>> Thanks
>> >>> Amila
>> >>>
>> >>>
>> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <[email protected]> wrote:
>> >>>
>> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>> >>>> library to provide the support. In my experience, /tools/gsissh should
>> >>>> work with Kerberos authentication. I am not sure about addition to x509
>> >>>> certificate. X509 certificates are only used with myproxy server.
>> >>>>
>> >>>> Thanks
>> >>>> Raminder
>> >>>>
>> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <[email protected]> wrote:
>> >>>>
>> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>> >>>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>> >>>>> out of the box?
>> >>>>>
>> >>>>>
>> >>>>> Thanks--
>> >>>>>
>> >>>>>
>> >>>>> Marlon
>> >>>>>
>> >>>>
>> >>
>> >
>>
>

--
Thanks,
Sachith Withana
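
The configuration-only route discussed in this thread (gssapi-with-mic plus Kerberos and JAAS configuration files) would look roughly like the following. This is an added example, not code from the thread or from Airavata; it assumes stock JSch, the JDK's Krb5LoginModule, and a ticket already obtained with kinit. The class name, the /etc/krb5.conf path and the user and host arguments are placeholders.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical class name; illustrates a configuration-only Kerberos login with JSch.
public class KerberosSshExample {

    // JAAS entry the JDK's JGSS Kerberos provider looks up for the initiating side.
    // useTicketCache=true reuses the TGT from kinit; doNotPrompt=true makes the
    // login fail instead of asking for a password when no ticket is present.
    private static final String JAAS_CONFIG =
        "com.sun.security.jgss.krb5.initiate {\n"
      + "  com.sun.security.auth.module.Krb5LoginModule required\n"
      + "    useTicketCache=true doNotPrompt=true;\n"
      + "};\n";

    public static void main(String[] args) throws IOException, JSchException {
        String user = args[0];   // login name on the SSH host (placeholder)
        String host = args[1];   // kerberized SSH host (placeholder)

        Path jaas = Files.createTempFile("jaas", ".conf");
        Files.write(jaas, JAAS_CONFIG.getBytes(StandardCharsets.UTF_8));

        System.setProperty("java.security.auth.login.config", jaas.toString());
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf"); // assumed path
        // Let JGSS obtain credentials via the JAAS entry, not the caller's Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        JSch jsch = new JSch();
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");

        Session session = jsch.getSession(user, host, 22);
        // Offer only GSSAPI so a Kerberos failure is visible, with no password fallback.
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        // Keep host key verification on; Kerberos authenticates the user, not this check.
        session.setConfig("StrictHostKeyChecking", "yes");
        try {
            session.connect(15000);
            System.out.println("authenticated: " + session.isConnected());
        } finally {
            session.disconnect();
        }
    }
}
```

Restricting `PreferredAuthentications` to `gssapi-with-mic` makes the test answer the thread's question directly: the connection succeeds only if the Kerberos path works end to end.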
