JSch and kerberos authentication

Posted on October 17, 2009.

For an application I’m writing I’m using JSch (a Java implementation of the SSH protocol). Now I tried to use this with authentication using a Kerberos token (which has the advantage that I don’t have to supply a password every time I run the program for testing).

I spent some time googling and digging into the source code of JSch (a definite advantage of open source libraries!), putting breakpoints in various places, especially those where it catches another type of exception and rethrows it as JSchException.

On this page I saw that one has to provide the location of a login configuration file by setting a property. This can be done on the command line by adding an option like:

-Djava.security.auth.login.config=/.../mylogin.conf

I got a little further. However, I got another exception:

javax.security.auth.login.LoginException: No LoginModules configured for

This looked to me like somebody is putting an empty string as configuration name somewhere (yes, the error message ends after the word ‘for’). I downloaded the sources of OpenJDK and dug further (even though I was not using OpenJDK as runtime library I was hoping that the differences were not too large). By looking at the source code, I had the impression that indeed at some point in the call hierarchy (GSSUtil.login(..)), an empty string literal is passed as name to the constructor of LoginContext (which I thought is used to look up the corresponding entry in the login configuration file). How am I supposed to put an empty string as login configuration name in the file? (Simply leaving out the name did not work…)

By chance I found a related post on Sun’s forums. It turns out that the following configuration entry in the login configuration file made JSch work with authentication by Kerberos token:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
};
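
The setup described above as a small client, written as an added example (not code from this post or from the JSch project). It first checks that the JAAS entry is actually visible to the JVM, so a missing entry is reported by name rather than as the truncated LoginException, and then offers only gssapi-with-mic so a failed Kerberos login cannot fall back to a password prompt. The class name KerberosSshCheck, the four command-line arguments, port 22 and the 10 second timeout are assumptions.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class KerberosSshCheck {
    // Entry name taken from the login configuration shown above.
    static final String JAAS_ENTRY = "com.sun.security.jgss.krb5.initiate";

    public static void main(String[] args) throws JSchException {
        if (args.length != 4) {
            System.err.println("usage: KerberosSshCheck <login.conf> <known_hosts> <user> <host>");
            System.exit(2);
        }
        // Same effect as -Djava.security.auth.login.config=... on the command line;
        // it has to be set before the JAAS configuration is first loaded.
        System.setProperty("java.security.auth.login.config", args[0]);

        // Pre-flight check: is the entry present in the file the JVM actually loaded?
        AppConfigurationEntry[] entries = null;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(JAAS_ENTRY);
        } catch (SecurityException e) {
            // Thrown when the configured file is missing or cannot be parsed.
            System.err.println("cannot load login configuration " + args[0] + ": " + e.getMessage());
            System.exit(1);
        }
        if (entries == null || entries.length == 0) {
            System.err.println("no JAAS entry named " + JAAS_ENTRY + " in " + args[0]);
            System.exit(1);
        }
        for (AppConfigurationEntry e : entries) {
            System.out.println(e.getLoginModuleName() + " " + e.getOptions());
        }

        JSch jsch = new JSch();
        jsch.setKnownHosts(args[1]);                       // verify the server's host key
        Session session = jsch.getSession(args[2], args[3], 22);
        session.setConfig("StrictHostKeyChecking", "yes"); // refuse unknown or changed host keys
        // Offer Kerberos (GSS-API) only, so there is no fallback to a password prompt.
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        try {
            session.connect(10000);                        // timeout in milliseconds
            System.out.println("authenticated: " + session.isConnected());
        } finally {
            session.disconnect();
        }
    }
}
```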