On Wed, Oct 31, 2012 at 3:39 PM, Jay Walters <[email protected]> wrote:
> I have downloaded and built from source the 0.1.49 release of Jsch.
>
> I am using the Exec.java client code and have modified it with the
> following
>
> // Want to make sure gssapi is the only choice for authentication.
> session.setConfig("PreferredAuthentications", "gssapi-with-mic");
>
> I have a login.conf file defined and a krb5.conf file with the following
> command line VM args
>
> -Djava.security.krb5.conf=h:\krb5.conf
> -Djava.security.auth.login.config=h:\login.conf
> -Djavax.security.auth.useSubjectCredsOnly=false
>
> In the login.conf file I refer to a keytab file with credentials for my
> user in it.
>
> I have a hand coded example which uses LoginContext and some other classes
> with which I can use the same config files and I can see my keytab file is
> correct and I can dump out the tickets so I know the config files are good
> for basic kerberos/gss from java.
>
> With debug on I see Krb5LoginModule working to get the tickets and
> printing out messages that it is working.
>
> I wind up with this exception
>
> com.jcraft.jsch.JSchException: Auth fail
> com.jcraft.jsch.JSchException: Auth fail
> at com.jcraft.jsch.Session.connect(Session.java:491)
> at com.jcraft.jsch.Session.connect(Session.java:162)
> at Jay.main(Jay.java:64)
>
> I have not seen a working example of accessing kerberos from client
> anyplace, is there one?
>
> Jay
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
> _______________________________________________
> JSch-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/jsch-users
>

Hello Jay,

It appears that everything you are doing is correct. I hadn't done this in
a while but grabbed the 0.1.49 version of the jar file to confirm. I have
posted before about Kerberos support missing from the jar file that is
posted but this version looks good so I guess that is fixed. My login.conf
file looks like this:

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab="true"
        keyTab="/path/to/keytabfile.keytab"
        storeKey="true"
        principal="principal";
    };

One thing I have come across is that based on Java version the
configuration may need to be called com.sun.security.jgss.krb5.initiate but
you would get an error indicating that. I did this with 1.6.0_13.

I used an example based on Shell.java without the password prompting code
and with preferred authentication set only to gssapi similar to what you
have done. Here is the command line:

    java -classpath jsch-0.1.49.jar:. -Djava.security.krb5.conf=/etc/krb5.conf \
        -Djava.security.auth.login.config=login.conf \
        -Djavax.security.auth.useSubjectCredsOnly=false Shell2

This is pretty much what you did. In debug mode I can clearly see the
tickets being issued, etc.

Can you confirm that you can successfully authenticate using gssapi with
the regular ssh client and that there are no authorization files that would
prevent the principal you are using from accessing the account? The log
file for sshd should also say why the authentication did not succeed.

Thanks.
Borislav
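
A pre-flight check for the setup discussed in this thread, as an added example that is not part of either message or of the JSch distribution: it first confirms that the keytab login works under one of the two JAAS entry names mentioned above, then attempts a gssapi-with-mic-only connection with JSch's internal logging sent to stderr. The class name `GssapiCheck`, the argument order (user, host, known_hosts path), port 22 and the 15 second timeout are assumptions.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example; GssapiCheck is a hypothetical class name. Run with the -D options from the thread.
public class GssapiCheck {
    // JAAS entry names mentioned in the thread; the one consulted can differ by Java version.
    static final String[] ENTRIES = {
        "com.sun.security.jgss.initiate", "com.sun.security.jgss.krb5.initiate" };

    // Step 1: prove the keytab login works by itself, before SSH is involved.
    static String findWorkingEntry() {
        for (String name : ENTRIES) {
            try {
                LoginContext lc = new LoginContext(name);
                lc.login();
                System.out.println(name + ": principals=" + lc.getSubject().getPrincipals()
                        + " tickets=" + lc.getSubject()
                                .getPrivateCredentials(KerberosTicket.class).size());
                lc.logout();
                return name;
            } catch (LoginException e) {
                // Missing entry, unreadable keytab or wrong principal all end up here.
                System.out.println(name + ": " + e.getMessage());
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // args (supplied by the caller): user, host, path to a known_hosts file
        if (findWorkingEntry() == null) {
            System.err.println("No usable JAAS entry in login.conf; fix that first.");
            System.exit(2);
        }
        // Step 2: send JSch's internal log to stderr so the auth negotiation is visible.
        JSch.setLogger(new com.jcraft.jsch.Logger() {
            public boolean isEnabled(int level) { return true; }
            public void log(int level, String msg) { System.err.println("jsch: " + msg); }
        });
        JSch jsch = new JSch();
        jsch.setKnownHosts(args[2]); // keep host key verification on
        Session session = jsch.getSession(args[0], args[1], 22);
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        try {
            session.connect(15000);
            System.out.println("gssapi-with-mic authentication succeeded");
        } finally { session.disconnect(); }
    }
}
```

If step 1 succeeds and step 2 still ends in "Auth fail", the client-side Kerberos configuration is not the cause and the sshd log on the server is the next place to look.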