Chris, Vadim,
I am new to this list, and not much of a Java programmer, but
work mostly with authentication: Kerberos, and PKI using
smart cards.

I noticed that the Sun Java Kerberos would only use the
default ticket cache on a system which is usually in
FILE:/tmp/krb5cc_<uid> on Unix. But there are times on Unix
when a user can have multiple ticket caches, and sets the
KRB5CCNAME variable to point to the file. The Sun Java
does not pick this up. So I was trying to use something
like -Duser.krb5ccname=$KRB5CCNAME and in the gssapi.conf
add ticketCache="${user.krb5ccname}"
This appears to work, but if user.krb5ccname is not defined,
the code has problems. This may not be the best way to handle
this.

On Windows one would use the Windows runas command, and on MacOS,
the system can handle multiple identities.

Note I am trying to avoid having Java prompt for principal and
password, as in the long run there will be no Kerberos passwords,
using a smart card instead with login or kinit.

Do you have any other ideas?


Chris Betts wrote:
> Sounds good folks!
> 
> I'm just packaging and shipping an 'official 3.2' release - we can make 
> this the first change for 3.3 :-).
> 
>    - Chris
> 
> On 02/03/2007, at 9:32 AM, Douglas E. Engert wrote:
> 
>>
>>
>> vadim wrote:
>>> I mean, I can provide a patch, where you can set QoP per connection and
>>> also can define default QoP. Will it be OK for you?
>>
>> Sounds good to me, and yes per connection. I would like to see the 
>> default
>> be the auth-conf, as if the server can do SASL/GSSAPI/Kerberos there 
>> is no
>> reason it can't do auth-conf.
>>
>> Thanks.
>>
>>
>>
>>>
>>> best regards, vadim tarassov
>>>
>>>
>>> On Thu, 2007-03-01 at 21:18 +0100, vadim wrote:
>>>> Hi Douglas,
>>>>
>>>> what do you think about adding a tab in "advanced" options containing
>>>> GSSAPI default QoP?
>>>> I was actually the original author of the GSSAPI authentication in JXplorer
>>>> and I can provide this patch.
>>>>
>>>> best regards, vadim tarassov
>>>>
>>>> On Thu, 2007-03-01 at 13:59 -0600, Douglas E. Engert wrote:
>>>>> When using the GSSAPI with SASL, the default is to
>>>>> encrypt the auth exchange, but not any additional data.
>>>>>
>>>>> I would like to propose adding:
>>>>>       env.put("javax.security.sasl.qop","auth-conf");
>>>>> to ConnectionData.java when GSSAPI is being used.
>>>>> See attached patch.
>>>>>
>>>>> This will then tell GSSAPI to encrypt the data.
>>>>>
>>>>> I have tried adding javax.security.sasl.qop=auth-conf
>>>>> to the jxconfig.txt file, and it does what I would
>>>>> expect but this is then the default for all SASL connections.
>>>>>
>>>>> Since you support both SASL with passwords, which can
>>>>> not encrypt, and GSSAPI with Kerberos, which can
>>>>> encrypt, the default seems appropriate for use with
>>>>> passwords, but not for Kerberos.
>>>>>
>>>>> Both AD and OpenLDAP slapd servers can use the GSSAPI
>>>>> with auth-conf.
>>>>>
>>>>> If slapd requires encryption using something like:
>>>>>
>>>>>     sasl_secprops noplain,noactive,noanonymous,minssf=56
>>>>>
>>>>> And Jxplorer does not use javax.security.sasl.qop=auth-conf
>>>>> The connection fails with:
>>>>>
>>>>>    Error opening connection:
>>>>>    [LDAP: error code 13 - confidentiality required]
>>>>>
>>>>>
>>>>> Some other solutions would be:
>>>>>
>>>>>   * add QOP option on the connect dialog
>>>>>
>>>>>   * Retry a failed connection with auth-conf, (Actually
>>>>>     try auth-conf first, then fail back to auth would be better.)
>>>>>
>>>>>   * Get the Sun Java to negotiate the QOP.
>>>>>
>>>>> (These tests were using java 1.5.0_07 to 10 on MacOS, Ubuntu, XP
>>>>> and Solaris 10)
>>>>>
>>>>> I can also submit this as a bug, if you would like.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> plain text document attachment (jx.sasl.qop.txt)
>>>>> Index: src/com/ca/commons/jndi/ConnectionData.java
>>>>> ===================================================================
>>>>> RCS file: 
>>>>> /cvsroot/jxplorer/javasrc/com/ca/commons/jndi/ConnectionData.java,v
>>>>> retrieving revision 1.13
>>>>> diff -u -r1.13 ConnectionData.java
>>>>> --- src/com/ca/commons/jndi/ConnectionData.java    11 Jul 2005 
>>>>> 05:28:22 -0000    1.13
>>>>> +++ src/com/ca/commons/jndi/ConnectionData.java    1 Mar 2007 
>>>>> 17:22:54 -0000
>>>>> @@ -499,6 +499,14 @@
>>>>>          {
>>>>>              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
>>>>>              //Maybe include something like 
>>>>> JNDIOps.setupKerberosProperties here??
>>>>> +            env.put("javax.security.sasl.qop","auth-conf");
>>>>> +            // Above says use confidentiality, i.e. encrypted packets
>>>>> +            // We do it here, so it only applies to the GSSAPI,
>>>>> +            // i.e. Kerberos, that can always do encryption.
>>>>> +            // If added to jxconfig.txt, it would apply to all
>>>>> +            // SASL connections, and not sure if password+SSL would
>>>>> +            // pass the QOP test.
>>>>> +            // DEE
>>>>>          }
>>>>>
>>>>>          // Add any 'extra' properties to the list.
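Review bot: the hunk hard-codes "auth-conf" for every GSSAPI bind, so a server that offers GSSAPI without confidentiality now fails the bind with no fallback, while the thread itself asks for a per-connection QoP setting with a default; since javax.security.sasl.qop takes a comma-separated preference list, both the strict value and a negotiated one ("auth-conf,auth-int,auth") can be expressed, and the chosen value should come from the connection settings rather than a literal in ConnectionData. The trailing "// DEE" initials belong in the CVS log message, not in the source.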
>>>>> @@ -554,4 +562,4 @@
>>>>>
>>>>>          extraProperties.put(key, property);
>>>>>      }
>>>>> -}
>>>>> \ No newline at end of file
>>>>> +}
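Review bot: this hunk changes nothing but the missing trailing newline flagged by "\ No newline at end of file"; a whitespace-only change is fine, but say so in the commit message (or commit it separately) so it is not mistaken for a behavioural edit to the class.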
>>>>> ------------------------------------------------------------------------- 
>>>>>
>>>>> Take Surveys. Earn Cash. Influence the Future of IT
>>>>> Join SourceForge.net's Techsay panel and you'll get the chance to 
>>>>> share your
>>>>> opinions on IT & business topics through brief surveys-and earn cash
>>>>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV 
>>>>>
>>>>> _______________________________________________ Jxplorer-devel 
>>>>> mailing list Jxplorer-devel@lists.sourceforge.net 
>>>>> https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
>>>>
>>>
>>>
>>
>> -- 
>>   Douglas E. Engert  <[EMAIL PROTECTED]>
>>   Argonne National Laboratory
>>   9700 South Cass Avenue
>>   Argonne, Illinois  60439
>>   (630) 252-5444
>>
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
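An added example, not code from the thread or from JXplorer: a POSIX sh launcher that resolves the ticket cache the way kinit and klist do and always defines user.krb5ccname, so the "${user.krb5ccname}" expansion in the JAAS config never meets an undefined property, which is the failure the first message describes. Assumed names: the user.krb5ccname property from the message, the JAAS entry name com.sun.security.jgss.initiate (the default the Sun GSSAPI initiator looks up), and JX_JAR as a placeholder for the JXplorer jar.

```shell
#!/bin/sh
# Added example, not JXplorer code: launch Java with the ticket cache that
# kinit/klist would use, so Krb5LoginModule never prompts for a password.
set -e

# Print the cache file: $KRB5CCNAME if set (minus the FILE: prefix, which the
# Krb5LoginModule ticketCache option does not parse), else the MIT default.
# Returns 1 for cache types Java cannot read (DIR:, KCM:, API:, ...).
krb5_cache_path() {
    case "${KRB5CCNAME:-}" in
        "")     printf '%s\n' "/tmp/krb5cc_$(id -u)" ;;
        FILE:*) printf '%s\n' "${KRB5CCNAME#FILE:}" ;;
        *:*)    echo "unsupported ticket cache type: $KRB5CCNAME" >&2; return 1 ;;
        *)      printf '%s\n' "$KRB5CCNAME" ;;
    esac
}

# Write a JAAS config whose entry name is the one the Sun GSSAPI initiator
# looks up (assumed: com.sun.security.jgss.initiate); doNotPrompt=true makes a
# missing or expired cache fail the login instead of asking for a password.
write_jaas_conf() {
    conf=$1; cache=$2
    cat > "$conf" <<EOF
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        ticketCache="$cache"
        doNotPrompt=true;
};
EOF
}

# Resolve the cache, refuse to start without a readable one, then run Java
# with user.krb5ccname always defined. JX_JAR is a placeholder path.
launch_jxplorer() {
    cache=$(krb5_cache_path)
    [ -r "$cache" ] || { echo "no ticket cache at $cache; run kinit first" >&2; return 1; }
    conf=$(mktemp) && write_jaas_conf "$conf" "$cache"
    java -Duser.krb5ccname="$cache" \
         -Djava.security.auth.login.config="$conf" \
         -jar "${JX_JAR:-/path/to/jxplorer.jar}" "$@"
}

# Only launch when invoked with --run; the functions above are usable alone.
if [ "${1:-}" = "--run" ]; then shift; launch_jxplorer "$@"; fi
```

Run it as `./jx-krb.sh --run` after kinit; with a non-file cache type it exits before starting Java instead of letting the login module fall through to a password prompt.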

