Hello,

while writing documentation in the wiki and reading RFC 4252 [1], I noticed that there is no implementation of host-based authentication (section 9).

For an application using JSch, it often does not make sense to use host-based authentication, as the application has to know the host key for this to work, and then it can masquerade as any (local) user. (An alternative would be to call some native setuid program like "ssh-keysign" in OpenSSH [2], which guards the key and only signs for the current user.)

Still, there might be some use cases for host-based authentication, like this:

- The application has some application user accounts, independent of local system accounts.
- Some of these user accounts are allowed to log in to a remote SSH server with user accounts there.
- The application has its own private key which can be used to certify to the server which user is currently logging in.

We could say this is a simplified version of using public keys for each user, signed by a certification authority acknowledged by the server. (I think PGP-signed SSH keys are not supported by JSch either.)

To make it short, I implemented this authentication method for JSch last night. Some of the code is copied from UserAuthPublicKey, as it works quite similarly (but simpler, since I have only one key pair to worry about, and don't ask the server first whether it would be accepted). (By the way, there was an error in the protocol description in the comments of UserAuthPublicKey, which is now corrected in my version.)

I spent some time debugging, mainly to find out how to configure my SSH server to accept this authentication method, but finally I got it working.

In my GitHub repository, the file (as well as an accompanying file in the examples directory) is in the 'hostbased-auth' branch of my jsch-documentation repository. [3]

Some design notes:

- I reuse the Identity interface and JSch's identities list for the host key pair instead of reimplementing this again. If public key authentication is also enabled, this has the effect that the same key will be tried for public key authentication, too, which might not be desirable. Duplicating the `addIdentity` methods of JSch as addHostIdentity could be an alternative, but I didn't want to modify multiple classes here.
- Since there is no way to access the UserAuth object from the application side, I'm passing the necessary information by config variables (which can be Session-specific or application-global, as wished). These are:
  hostbased.hostIdentity - the identity name to use (will be looked up in the identities list of the JSch object, see above).
  hostbased.hostname - the client host name to assert to the server.
  hostbased.localuser - the local user name.
  The last two have useful defaults, but if the first one is missing there is nothing we can do (return false).
- I tried to do this as an independent extension, but it turns out we need to be in the com.jcraft.jsch package to access some package-local methods/variables in Session (.jsch, .getSessionID), JSch (.getLogger(), .identities) and Buffer (.buffer), as well as the JSchPartialAuthException.
- I did not add any user feedback (for example to get a key passphrase), as I assume the user should not have the host's passphrase. For now I'm simply using `setPassphrase("")`, but I think it will be better to shift this responsibility to the application.

Is this a reasonable way to do this, or did I overlook something? Any interest in adding this to the library, as well as my ProxySSH?

Paŭlo

[1] RFC 4252, The Secure Shell (SSH) Authentication Protocol
    http://tools.ietf.org/html/rfc4252
[2] ssh-keysign manual page
    http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8
[3] https://github.com/ePaul/jsch-documentation/blob/hostbased-auth/src/com/jcraft/jsch/UserAuthHostBased.java

_______________________________________________
JSch-users mailing list
JSch-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jsch-users
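As an added illustration (not part of the post above and not JSch's code), here is the wire format of the SSH_MSG_USERAUTH_REQUEST "hostbased" message from RFC 4252 section 9 that such an implementation has to produce, together with the server-side check that the signature covers the session identifier, which is what stops a captured request from being replayed on another connection. The host-key signature itself is replaced by a constructed keyed-MAC stand-in (the STUB_* names and stub_sign/stub_verify are placeholders), since the real primitive depends on the key type; all field names and sample values are assumptions.

```python
import hmac
import struct
SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252 section 5

def ssh_string(b: bytes) -> bytes:  # SSH 'string' (RFC 4251): uint32 BE length + bytes
    return struct.pack(">I", len(b)) + b

def hostbased_fields(user, service, alg, hostkey, client_fqdn, local_user):
    # fields after the message byte, in the order of RFC 4252 section 9
    return (ssh_string(user.encode("utf-8")) + ssh_string(service.encode("ascii"))
            + ssh_string(b"hostbased") + ssh_string(alg.encode("ascii")) + ssh_string(hostkey)
            + ssh_string(client_fqdn.encode("ascii")) + ssh_string(local_user.encode("utf-8")))

def signed_data(session_id, fields):
    # what the client host key signs; the session id binds it to this connection
    return ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + fields

def build_request(session_id, sign, **kw):
    # client side: the fields, then the signature over signed_data()
    fields = hostbased_fields(**kw)
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + fields
            + ssh_string(sign(signed_data(session_id, fields))))

def verify_request(packet, session_id, verify):
    # server side: parse, rebuild the signed blob and check it; None on any failure
    pos, vals = 1, []
    for _ in range(8):  # eight SSH strings follow the message byte
        (n,) = struct.unpack(">I", packet[pos:pos + 4])
        vals.append(packet[pos + 4:pos + 4 + n])
        pos += 4 + n
    user, service, method, alg, hostkey, fqdn, local_user, sig = vals
    if (packet[:1] != bytes([SSH_MSG_USERAUTH_REQUEST]) or method != b"hostbased"
            or pos != len(packet)):
        return None
    fields = packet[1:pos - 4 - len(sig)]  # between message byte and signature
    if not verify(hostkey, signed_data(session_id, fields), sig):
        return None
    return {"user": user.decode("utf-8"), "client_fqdn": fqdn.decode("ascii"),
            "local_user": local_user.decode("utf-8"), "hostkey": hostkey}

# Constructed stand-in for the host-key signature (not JSch code): a keyed MAC plays
# sign/verify; a real server verifies with the client host's public key instead.
STUB_HOST_SECRET = b"constructed-demo-secret"
STUB_HOST_PUBLIC = b"constructed-client-host-public-key-blob"

def stub_sign(data):
    return hmac.new(STUB_HOST_SECRET, data, "sha256").digest()

def stub_verify(hostkey, data, sig):
    return hostkey == STUB_HOST_PUBLIC and hmac.compare_digest(stub_sign(data), sig)
```

The three config values from the post map onto the request as hostkey (hostbased.hostIdentity), client_fqdn (hostbased.hostname) and local_user (hostbased.localuser); the server still has to decide on its own whether that host name and key belong together.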