Hi Douglas,

Please find full documentation about JAAS kerberos login module configuration here:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

You can extend that gssapi.conf file according to the documentation.

Best regards, vadim tarassov

On Fri, 2007-03-02 at 09:26 -0600, Douglas E. Engert wrote:
> Chris, Vadim,
> I am new to this list, and not much of a Java programmer, but
> work mostly with authentication: Kerberos, and PKI using
> smart cards.
>
> I noticed that the Sun Java Kerberos would only use the
> default ticket cache on a system which is usually in
> FILE:/tmp/krb5cc_<uid> on Unix. But there are times on Unix
> when a user can have multiple ticket caches, and sets the
> KRB5CCNAME variable to point to the file. The Sun Java
> does not pick this up. So I was trying to use something
> like -Duser.krb5ccname=$KRB5CCNAME and in the gssapi.conf
> add ticketCache="${user.krb5ccname}"
> This appears to work, but if user.krb5ccname is not defined,
> the code has problems. This may not be the best way to handle
> this.
>
> On Windows one would use the Windows runas command, and on MacOS,
> the system can handle multiple identities.
>
> Note I am trying to avoid having Java prompt for principal and
> password, as in the long run there will be no kerberos passwords,
> using a smart card instead with login or kinit.
>
> Do you have any other ideas?
>
>
> Chris Betts wrote:
> > Sounds good folks!
> >
> > I'm just packaging and shipping an 'official 3.2' release - we can make
> > this the first change for 3.3 :-).
> >
> > - Chris
> >
> > On 02/03/2007, at 9:32 AM, Douglas E. Engert wrote:
> >
> >>
> >> vadim wrote:
> >>> I mean, I can provide a patch, where you can set QoP per connection and
> >>> also can define default QoP. Will it be OK for you?
> >>
> >> Sounds good to me, and yes per connection. I would like to see the
> >> default be the auth-conf, as if the server can do SASL/GSSAPI/Kerberos
> >> there is no reason it can't do auth-conf.
> >>
> >> Thanks.
> >>
> >>>
> >>> best regards, vadim tarassov
> >>>
> >>> On Thu, 2007-03-01 at 21:18 +0100, vadim wrote:
> >>>> Hi Douglas,
> >>>>
> >>>> what do you think about adding a tab in "advanced" options containing
> >>>> GSSAPI default QoP?
> >>>> I was actually the original author of the GSSAPI authentication in JXplorer
> >>>> and I can provide this patch.
> >>>>
> >>>> best regards, vadim tarassov
> >>>>
> >>>> On Thu, 2007-03-01 at 13:59 -0600, Douglas E. Engert wrote:
> >>>>> When using the GSSAPI with SASL, the default is to
> >>>>> encrypt the auth exchange, but not any additional data.
> >>>>>
> >>>>> I would like to propose adding:
> >>>>> env.put("javax.security.sasl.qop","auth-conf");
> >>>>> to ConnectionData.java when GSSAPI is being used.
> >>>>> See attached patch.
> >>>>>
> >>>>> This will then tell GSSAPI to encrypt the data.
> >>>>>
> >>>>> I have tried adding javax.security.sasl.qop=auth-conf
> >>>>> to the jxconfig.txt file, and it does what I would
> >>>>> expect but this is then the default for all SASL connections.
> >>>>>
> >>>>> Since you support both SASL with passwords, which can
> >>>>> not encrypt, and GSSAPI with Kerberos, which can
> >>>>> encrypt, the default seems appropriate for use with
> >>>>> passwords, but not for Kerberos.
> >>>>>
> >>>>> Both AD and OpenLDAP slapd servers can use the GSSAPI
> >>>>> with auth-conf.
> >>>>>
> >>>>> If slapd requires encryption using something like:
> >>>>>
> >>>>> sasl_secprops noplain,noactive,noanonymous,minssf=56
> >>>>>
> >>>>> and JXplorer does not use javax.security.sasl.qop=auth-conf,
> >>>>> the connection fails with:
> >>>>>
> >>>>> Error opening connection:
> >>>>> [LDAP: error code 13 - confidentiality required]
> >>>>>
> >>>>>
> >>>>> Some other solutions would be:
> >>>>>
> >>>>> * add QOP option on the connect dialog
> >>>>>
> >>>>> * Retry a failed connection with auth-conf. (Actually
> >>>>> try auth-conf first, then fall back to auth would be better.)
> >>>>>
> >>>>> * Get the Sun Java to negotiate the QOP.
> >>>>>
> >>>>> (These tests were using java 1.5.0_07 to 10 on MacOS, Ubuntu, XP
> >>>>> and Solaris 10)
> >>>>>
> >>>>> I can also submit this as a bug, if you would like.
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>> plain text document attachment (jx.sasl.qop.txt)
> >>>>> Index: src/com/ca/commons/jndi/ConnectionData.java > >>>>> =================================================================== > >>>>> RCS file: > >>>>> /cvsroot/jxplorer/javasrc/com/ca/commons/jndi/ConnectionData.java,v > >>>>> retrieving revision 1.13 > >>>>> diff -u -r1.13 ConnectionData.java > >>>>> --- src/com/ca/commons/jndi/ConnectionData.java 11 Jul 2005 > >>>>> 05:28:22 -0000 1.13 > >>>>> +++ src/com/ca/commons/jndi/ConnectionData.java 1 Mar 2007 > >>>>> 17:22:54 -0000 > >>>>> @@ -499,6 +499,14 @@ > >>>>> { > >>>>> env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); > >>>>> //Maybe include something like > >>>>> JNDIOps.setupKerberosProperties here?? > >>>>> + env.put("javax.security.sasl.qop","auth-conf"); > >>>>> + // Above says use confidentiality, i.e. encrypted packets > >>>>> + // We do it here, so it only applies to the GSSAPI, > >>>>> + // i.e. Kerberos, that can always do encryption. > >>>>> + // If added to jxconfig.txt, it would apply to all > >>>>> + // SASL connections, and not sure if password+SSL would > >>>>> + // pass the QOP test. > >>>>> + // DEE > >>>>> } > >>>>> > >>>>> // Add any 'extra' properties to the list.
> >>>>> @@ -554,4 +562,4 @@ > >>>>> > >>>>> extraProperties.put(key, property); > >>>>> } > >>>>> -} > >>>>> \ No newline at end of file > >>>>> +}
> >>>>> -------------------------------------------------------------------------
> >>>>>
> >>>>> Take Surveys. Earn Cash. Influence the Future of IT
> >>>>> Join SourceForge.net's Techsay panel and you'll get the chance to
> >>>>> share your
> >>>>> opinions on IT & business topics through brief surveys-and earn cash
> >>>>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> >>>>>
> >>>>> _______________________________________________
> >>>>> Jxplorer-devel mailing list
> >>>>> Jxplorer-devel@lists.sourceforge.net
> >>>>> https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
> >>>>
> >>>
> >>
> >> --
> >> Douglas E. Engert <[EMAIL PROTECTED]>
> >> Argonne National Laboratory
> >> 9700 South Cass Avenue
> >> Argonne, Illinois 60439
> >> (630) 252-5444
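Review bot: the `env.put("javax.security.sasl.qop","auth-conf");` added in the first hunk hard-codes a single QoP with no way for the caller to override it, so a GSSAPI server that offers only `auth` or `auth-int` fails to bind instead of falling back as the accompanying note suggests. The property is an ordered, comma-separated preference list, so a value such as `"auth-conf,auth-int,auth"` would try encryption first and degrade only when the server cannot do it, with no retry loop; if the intent is to refuse unencrypted sessions, keep `"auth-conf"` but make it a per-connection setting with that default, as agreed later in the thread. The `// DEE` initials in the added comment should also go; version control already records the author.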
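Review bot: the second hunk (`@@ -554,4 +562,4 @@`) only replaces the final `}` with one that ends in a newline; it is unrelated to the QoP change and is best kept out of this patch (or submitted separately) so the functional diff remains a one-line change that can be reviewed on its own.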
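Pulling the two problems in this thread together, here is an added example (not JXplorer's code and not anything posted in the thread) of how a client can handle them on its own side: it builds the Krb5LoginModule configuration programmatically, setting the `ticketCache` option only when `KRB5CCNAME` is defined so the undefined `${user.krb5ccname}` case Douglas describes cannot arise, and it builds the JNDI environment with a per-connection `javax.security.sasl.qop` value whose default is `auth-conf`. The JAAS entry name `JXplorerGssapi`, the LDAP URL, and the assumption that the `ticketCache` option takes a plain file path (so an MIT-style `FILE:` prefix is stripped) are mine, not from the page.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

/** Added example: SASL/GSSAPI LDAP bind with an explicit ticket cache and per-connection QoP. */
public final class GssapiLdapExample {

    /** Hypothetical JAAS entry name (assumption, not a JXplorer identifier). */
    static final String JAAS_ENTRY = "JXplorerGssapi";

    /** Krb5LoginModule options: reuse an existing credential cache and never prompt. */
    static Map<String, String> krb5Options(String krb5ccname) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("doNotPrompt", "true");   // no principal/password prompts, as the thread wants
        if (krb5ccname != null && !krb5ccname.trim().isEmpty()) {
            String path = krb5ccname.trim();
            // Assumption: ticketCache expects a file path, so drop an MIT-style "FILE:" prefix.
            if (path.startsWith("FILE:")) {
                path = path.substring("FILE:".length());
            }
            opts.put("ticketCache", path);
        }
        // When KRB5CCNAME is unset the option is simply absent, so the module falls back
        // to its default cache instead of failing on an undefined ${user.krb5ccname}.
        return opts;
    }

    /** Programmatic JAAS configuration, replacing a gssapi.conf entry with ${...} substitution. */
    static Configuration jaasConfig(Map<String, String> options) {
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return JAAS_ENTRY.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /**
     * JNDI environment for one connection. qop is an ordered, comma-separated preference
     * list: "auth-conf" alone refuses unencrypted sessions (the thread's proposed default),
     * "auth-conf,auth-int,auth" negotiates encryption first and degrades if the server
     * cannot offer it.
     */
    static Hashtable<String, String> ldapEnv(String url, String qop) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", qop);
        return env;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "ldap://ldap.example.org:389"; // constructed URL
        String qop = args.length > 1 ? args[1] : "auth-conf";                   // per-connection QoP

        Configuration.setConfiguration(jaasConfig(krb5Options(System.getenv("KRB5CCNAME"))));
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();   // obtains the TGT from the cache; no password prompt because doNotPrompt=true

        // The JNDI GSSAPI client picks up the Kerberos credentials from the Subject in scope.
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            DirContext ctx = new InitialDirContext(ldapEnv(url, qop));
            try {
                System.out.println("GSSAPI bind succeeded with requested QoP: " + qop);
            } finally {
                ctx.close();
            }
            return null;
        });
    }
}
```

Run it with `KRB5CCNAME` set to a non-default cache and a second argument of `auth-conf` to reproduce the "confidentiality required" scenario against a server with `minssf=56`: with `auth-conf` the bind succeeds, while a client built with plain `auth` is rejected with LDAP error 13, which is the behaviour the thread expects from slapd.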