Discussion:
[JSch-users] Kerberos Jsch Help
Sachith Withana
2014-02-20 16:43:14 UTC
Hi all,

I need to get Kerberos working through Java (SSH using the Kerberos
ticket).
Currently it works with the terminal (ssh host command) using the
gssapi-with-mic.

But I'm having trouble getting it working with the JSCH library in Java.
Here's the code snippet I tried (pastebin: http://pastebin.com/sX8pUQSq).

Any suggestion is highly appreciated ..!!

JSch jsch = new JSch();
jsch.setLogger(new MyLogger());

System.setProperty("java.security.krb5.conf",
        "/Users/swithana/git/KerberosConnector/src/main/resources/krb5.conf");
System.setProperty("java.security.auth.login.config",
        "/Users/swithana/git/KerberosConnector/src/main/resources/mylogin.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly",
        "true");

try {
    jsch.addIdentity(privateKey, paraphrase);
    jsch.setKnownHosts("/Users/swithana/.ssh/known_hosts");

    Session session = jsch.getSession(user, host, 22);
    Properties config = new java.util.Properties();
    config.put("StrictHostKeyChecking", "no");
    config.put("PreferredAuthentications",
            "gssapi-with-mic,publickey,password,keyboard-interactive");

    session.setConfig(config);
    session.connect(20000);

    Channel channel = session.openChannel("exec");
    ((ChannelExec) channel).setCommand(command);
    channel.setInputStream(null);
    ((ChannelExec) channel).setErrStream(System.err);
--
Thanks,
Sachith Withana
Atsuhiko Yamanaka
2014-02-21 07:06:20 UTC
Hi,

Mr. Borislav Stoichkov had kindly replied to that message,
but it seems that the mailing-list system at sf.net has rejected it.
# I don't know the reason for it, unfortunately.
Anyway, please allow me to post it here on behalf of him,
Date: Fri, 21 Feb 2014 00:01:33 -0500
Subject: Re: [JSch-users] Kerberos Jsch Help
Hello Sachith
The login.conf configuration file contains the GSSAPI/Kerberos parameters for the authentication. I assume you want to use an existing ticket cache. If that is the case, the login.conf file might look something like this
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="false"
    doNotPrompt="true"
    useTicketCache="true"
    ticketCache="/path/to/krb5cc_username";
};
The configuration might be called com.sun.security.jgss.krb5.initiate based on the version of java you have but if I recall correctly you would get a clear error message about that. You can put it in debug mode too and that should help to determine what is happening.
Good luck!
Borislav
Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
1-14-20 HONCHO AOBA-KU,
SENDAI, MIYAGI 980-0014 Japan.
Tel +81-22-723-2150
Skype callto://jcraft/
Twitter: http://twitter.com/ymnk
Facebook: http://facebook.com/aymnk
Sachith Withana
2014-02-21 16:12:13 UTC
Thank you all for the quick reply.
I still can't get this working.
Here's the login file:

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
debug="true"
doNotPrompt="true"
useTicketCache="true"
ticketCache="/Users/swithana/krb5cc_swithana"
};

My full class: http://pastebin.com/b5jnAuYZ

Thanks again for the help!
--
Thanks,
Sachith Withana
Borislav Stoichkov
2014-02-21 23:45:15 UTC
Hi Sachith

Difficult to say what's wrong with no output.

This should be helpful to you though. Here is a rough looking working (just
executed) example based on Shell.java along with the jaas login config file.

Shell2.java
============
import com.jcraft.jsch.*;

public class Shell2 {

    public static void main(String[] args) {

        try {
            JSch jsch = new JSch();

            String user = "quixote";
            String host = "rocinante";

            Session session = jsch.getSession(user, host, 22);

            java.util.Hashtable config = new java.util.Hashtable();
            // "no" accepts unknown or changed host keys without verification.
            config.put("StrictHostKeyChecking", "no");
            // Offer only GSSAPI, so a Kerberos failure is not hidden by another method.
            config.put("PreferredAuthentications", "gssapi-with-mic");
            session.setConfig(config);

            session.connect(30000); // making a connection with timeout.

            Channel channel = session.openChannel("shell");
            channel.setInputStream(System.in);
            channel.setOutputStream(System.out);
            channel.connect(3 * 1000);
        }
        catch (Exception e) {
            System.out.println(e);
        }
    }
}

logintc.conf
============
/**
* Login Configuration for JAAS.
*/
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
debug="true"
useTicketCache="true"
ticketCache="/tmp/krb5cc_25201_FnWyyW4447";
};

***@darkstar:-/jsch> kinit
Password for ***@LAMANCHA.COM:
***@darkstar:-/jsch> klist

Ticket cache: FILE:/tmp/krb5cc_25201_FnWyyW4447
Default principal: ***@LAMANCHA.COM

Valid starting Expires Service principal
02/21/14 11:43:47 02/21/14 23:43:47 krbtgt/***@LAMANCHA.COM
renew until 02/28/14 11:43:43


***@darkstar:-/jsch> ~/java/bin/java -version
java version "1.6.0_13"
Java (TM) SE Runtime Environment (build 1.6.0_13-b03)
Java HotSpot(TM) 64-Bit Server VM (build 11.3-b02, mixed mode)

***@darkstar:-/jsch> ~/java/bin/java -classpath jsch-0.1.49.jar:.
-Djava.security.krb5.conf=/etc/krb5.conf
-Djava.security.auth.login.config=logintc.conf
-Djavax.security.auth.useSubjectCredsOnly=false Shell2

Debug is true storeKey false useTicketCache true useKeyTab false
doNotPrompt false ticketCache is /tmp/krb5cc_25201_FnWyyW4447 isInitiator
true KeyTab is null refreshKrb5Config is false principal is null
tryFirstPass is false useFirstPass is false storePass is false clearPass is
false
Acquire TGT from Cache
Principal is ***@LAMANCHA.COM
Commit Succeeded

Last login: Fri Feb 21 11:41:38 2014 from darkstar
rocinante quixote/quixote> cat .k5login
***@LAMANCHA.COM
rocinante quixote/quixote> exit
exit
logout

Here is a working example for a login config file for use with a keytab if
you want to try that.

loginkeytab.conf
================
/**
* Login Configuration for JAAS.
*/
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab="true"
keyTab="/home/sancho/jsch/sancho.keytab"
storeKey="true"
principal="sancho";
};

Borislav
Atsuhiko Yamanaka
2014-02-22 02:02:11 UTC
Hi,

+-From: Sachith Withana <***@gmail.com> --
|_Date: Thu, 20 Feb 2014 11:43:14 -0500 ________
|
|I need to get kerberos working through Java. ( SSH using the kerberos
|ticket)
|Currently it works with the terminal ( ssh host command) using the
|gssapi-with-mic
|But I'm having trouble getting it working with the JSCH library in Java.
|Here's the code snippet I tried. ( pastebin: http://pastebin.com/sX8pUQSq)
|JSch jsch = new JSch();
| jsch.setLogger(new MyLogger());

There may be a hint in the outputs from MyLogger().
Would you show it?


Sincerely,
--
Atsuhiko Yamanaka
Sachith Withana
2014-02-22 02:10:18 UTC
Thanks a lot for the quick replies. I didn't get to check Borislav's answer.
Here's the error output, Atsuhiko. Other authentication methods pass. And
I can use the Kerberos ticket to ssh to the host machine using the terminal.

INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: gssapi-with-mic
INFO: Next authentication method: gssapi-with-mic
INFO: Disconnecting from ********* port 22
com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:512)
    at lk.sachith.kerberos.JSCHKerberosConnector.main(JSCHKerberosConnector.java:42)
    at JSCHTest.testKerberos(JSCHTest.java:10)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:80)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:673)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:842)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1166)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:109)
    at org.testng.TestRunner.runWorkers(TestRunner.java:1178)
    at org.testng.TestRunner.privateRun(TestRunner.java:757)
    at org.testng.TestRunner.run(TestRunner.java:608)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
    at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
    at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
    at org.testng.SuiteRunner.run(SuiteRunner.java:240)
    at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
    at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
    at org.testng.TestNG.runSuitesSequentially(TestNG.java:1158)
    at org.testng.TestNG.runSuitesLocally(TestNG.java:1083)
    at org.testng.TestNG.run(TestNG.java:999)
    at org.testng.remote.RemoteTestNG.run(RemoteTestNG.java:111)
    at org.testng.remote.RemoteTestNG.initAndRun(RemoteTestNG.java:203)
    at org.testng.remote.RemoteTestNG.main(RemoteTestNG.java:174)
    at org.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:125)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
RemoteTestNG finishing: 635 ms
--
Thanks,
Sachith Withana
Borislav Stoichkov
2014-02-24 19:06:44 UTC
Hi Sachith

Got a chance to run your code. You need to set useSubjectCredsOnly to false
to allow the krb5 provider to obtain credentials from a source other than
the current Subject unless you want to do all auth work yourself. With that
set to false it works.

Borislav
Sachith Withana
2014-02-24 19:34:41 UTC
Thanks a lot again! ..

I'm glad it worked :) Can you please let me know the version of JDK you
used? Because I'm running into an issue,

Debug is true storeKey false useTicketCache true useKeyTab false
doNotPrompt true ticketCache is /tmp/krb5cc_501_fDBmk28829 isInitiator true
KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is
false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is null

null credentials from Ticket Cache

[Krb5LoginModule] authentication failed

Unable to obtain Princpal Name for authentication

Authentication attempt failedjavax.security.auth.login.LoginException:
Unable to obtain Princpal Name for authentication





--
Thanks,
Sachith Withana
Borislav Stoichkov
2014-02-24 21:42:06 UTC
Works with 1.6u13 and 1.7u51. Do you have a valid ticket before execution?
If you want to obtain a ticket as part of the process and don't have a
valid TGT to begin with, you will need to set doNotPrompt to false. It
doesn't look like you have a valid ticket when you run.

Borislav
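
The two conditions Borislav's replies point to (useSubjectCredsOnly must be false, and a current TGT must already be in the cache when doNotPrompt is true), written as a JDK-only preflight to run before the JSch connection. This is an added example, not code from the thread or from JSch; the class Krb5Preflight and its methods are hypothetical names, and the ticket cache path is an optional argument.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical helper: reports why gssapi-with-mic would fail before SSH is attempted. */
public class Krb5Preflight {

    /** In-memory equivalent of the thread's ticket-cache login entry (no config file needed). */
    static Configuration ticketCacheConfig(String ticketCache) {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("useTicketCache", "true");
        opts.put("doNotPrompt", "true"); // fail instead of asking for a password
        if (ticketCache != null) {
            opts.put("ticketCache", ticketCache); // otherwise the default cache is used
        }
        final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                      LoginModuleControlFlag.REQUIRED, opts)
        };
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entries; // same entry whatever name the caller asks for
            }
        };
    }

    /** Returns null when the setup looks usable, otherwise a one-line diagnosis. */
    static String diagnose(String ticketCache) {
        // Check 1: the property defaults to true, which makes JGSS look only at the
        // current Subject and ignore the ticket cache named in the login config.
        String credsOnly = System.getProperty("javax.security.auth.useSubjectCredsOnly", "true");
        if (!"false".equalsIgnoreCase(credsOnly)) {
            return "javax.security.auth.useSubjectCredsOnly is not false;"
                 + " the krb5 provider will not read the ticket cache";
        }

        // Check 2: log in against the cache exactly as the login module would.
        Subject subject = new Subject();
        LoginContext lc;
        try {
            lc = new LoginContext("preflight", subject, null, ticketCacheConfig(ticketCache));
            lc.login();
        } catch (LoginException e) {
            // With an empty or expired cache this is the "Unable to obtain ... Name
            // for authentication" failure shown in the thread.
            return "no usable credentials in the ticket cache (" + e.getMessage()
                 + "); run kinit or check the ticketCache path";
        }

        try {
            // Check 3: a ticket-granting ticket must be present and still valid.
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                boolean isTgt = t.getServer().getName().startsWith("krbtgt/");
                if (isTgt && t.isCurrent()) {
                    System.out.println("TGT for " + t.getClient().getName()
                                     + " valid until " + t.getEndTime());
                    return null;
                }
            }
            return "login succeeded but no current krbtgt ticket was found";
        } finally {
            try {
                lc.logout(); // drop the credentials copied into the Subject
            } catch (LoginException ignored) {
                // nothing useful to do if cleanup fails
            }
        }
    }

    public static void main(String[] args) {
        String problem = diagnose(args.length > 0 ? args[0] : null);
        if (problem != null) {
            System.err.println("Kerberos preflight failed: " + problem);
            System.exit(1);
        }
        System.out.println("Kerberos preflight passed; gssapi-with-mic can be attempted.");
    }
}
```

Run it with the same flags as the Shell2 command above, for example `-Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false`, so that it sees the settings the JSch process will see.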
Sachith Withana
2014-02-25 15:24:01 UTC
Hi Borislav,

It works now. It might have had something to do with the ticket, I guess. I
changed nothing today and ran it. It gave the desired output.
Thanks a lot for your continuous help!!


On Mon, Feb 24, 2014 at 4:42 PM, Borislav Stoichkov <
Post by Borislav Stoichkov
Works with 1.6u13 and 1.7u51. Do you have a valid ticket before execution?
If you want to obtain a ticket as part of the process and don't have a
valid TGT to begin with you will need to set doNotPrompt to false. It
doesn't look like you have valid ticket when you run.
Borislav
Post by Sachith Withana
Thanks a lot again! ..
Im glad it worked :) Can you please let me know the version of JDK you
used? Because I'm running into an issue,
Debug is true storeKey false useTicketCache true useKeyTab false
doNotPrompt true ticketCache is /tmp/krb5cc_501_fDBmk28829 isInitiator true
KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is
false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain Princpal Name for authentication
Unable to obtain Princpal Name for authentication
On Mon, Feb 24, 2014 at 2:06 PM, Borislav Stoichkov <
Post by Borislav Stoichkov
Hi Sachith
Got a chance to run your code. You need to set useSubjectCredsOnly to
false to allow the krb5 provider to obtain credentials from a source other
than the current Subject unless you want to do all auth work yourself. With
that set to false it works.
Borislav
Post by Sachith Withana
Thanks a lot for the quick replies. I didn't get to check Borlslav's answer.
Here's the error output Atsuhiko, Other authentication methods passes.
And I can use the kerberos ticket to ssh to the host machine using the
terminal.
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: gssapi-with-mic
INFO: Next authentication method: gssapi-with-mic
INFO: Disconnecting from ********* port 22
com.jcraft.jsch.JSchException: Auth fail
at com.jcraft.jsch.Session.connect(Session.java:512)
at
lk.sachith.kerberos.JSCHKerberosConnector.main(JSCHKerberosConnector.java:42)
at JSCHTest.testKerberos(JSCHTest.java:10)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at
org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:80)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:673)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:842)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1166)
at
org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:109)
at org.testng.TestRunner.runWorkers(TestRunner.java:1178)
at org.testng.TestRunner.privateRun(TestRunner.java:757)
at org.testng.TestRunner.run(TestRunner.java:608)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
at org.testng.SuiteRunner.run(SuiteRunner.java:240)
at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
at org.testng.TestNG.runSuitesSequentially(TestNG.java:1158)
at org.testng.TestNG.runSuitesLocally(TestNG.java:1083)
at org.testng.TestNG.run(TestNG.java:999)
at org.testng.remote.RemoteTestNG.run(RemoteTestNG.java:111)
at org.testng.remote.RemoteTestNG.initAndRun(RemoteTestNG.java:203)
at org.testng.remote.RemoteTestNG.main(RemoteTestNG.java:174)
at org.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:125)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
RemoteTestNG finishing: 635 ms
Post by Atsuhiko Yamanaka
Hi,
|_Date: Thu, 20 Feb 2014 11:43:14 -0500 ________
|
|I need to get kerberos working through Java. ( SSH using the kerberos
|ticket)
|Currently it works with the terminal ( ssh host command) using the
|gssapi-with-mic
|But I'm having trouble getting it working with the JSCH library in Java.
http://pastebin.com/sX8pUQSq)
|JSch jsch = new JSch();
| jsch.setLogger(new MyLogger());
There may be a hint in the outputs from MyLogger().
Whould you show it?
Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
1-14-20 HONCHO AOBA-KU,
SENDAI, MIYAGI 980-0014 Japan.
Tel +81-22-723-2150
Skype callto://jcraft/
Twitter: http://twitter.com/ymnk
Facebook: http://facebook.com/aymnk
--
Thanks,
Sachith Withana
Sachith Withana
2014-03-18 17:51:17 UTC
Hi,

I want to make a file browser interface which allows file
browsing/downloading/uploading capability through kerberos.
Right now I'm using the "exec" Channel and it only lets me execute one
command and it closes.

I know it supports the "shell" channel, but is there a way to give the
commands through the java client to the shell?
Post by Sachith Withana
Hi Borislav,
It works now. It might have had something to do with the ticket I guess. I
changed nothing today and ran it. It gave the desired output.
Thanks a lot for your continuous help!!
On Mon, Feb 24, 2014 at 4:42 PM, Borislav Stoichkov <
Post by Borislav Stoichkov
Works with 1.6u13 and 1.7u51. Do you have a valid ticket before
execution? If you want to obtain a ticket as part of the process and don't
have a valid TGT to begin with you will need to set doNotPrompt to false.
It doesn't look like you have valid ticket when you run.
Borislav
Post by Sachith Withana
Thanks a lot again! ..
I'm glad it worked :) Can you please let me know the version of JDK you
used? Because I'm running into an issue,
Debug is true storeKey false useTicketCache true useKeyTab false
doNotPrompt true ticketCache is /tmp/krb5cc_501_fDBmk28829 isInitiator true
KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is
false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain Princpal Name for authentication
Unable to obtain Princpal Name for authentication
On Mon, Feb 24, 2014 at 2:06 PM, Borislav Stoichkov <
Post by Borislav Stoichkov
Hi Sachith
Got a chance to run your code. You need to set useSubjectCredsOnly to
false to allow the krb5 provider to obtain credentials from a source other
than the current Subject unless you want to do all auth work yourself. With
that set to false it works.
Borislav
Post by Sachith Withana
Thanks a lot for the quick replies. I didn't get to check Borislav's answer.
Here's the error output, Atsuhiko. Other authentication methods pass.
And I can use the kerberos ticket to ssh to the host machine using the
terminal.
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: gssapi-with-mic
INFO: Next authentication method: gssapi-with-mic
INFO: Disconnecting from ********* port 22
com.jcraft.jsch.JSchException: Auth fail
at com.jcraft.jsch.Session.connect(Session.java:512)
at lk.sachith.kerberos.JSCHKerberosConnector.main(JSCHKerberosConnector.java:42)
at JSCHTest.testKerberos(JSCHTest.java:10)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:80)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:673)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:842)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1166)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:109)
at org.testng.TestRunner.runWorkers(TestRunner.java:1178)
at org.testng.TestRunner.privateRun(TestRunner.java:757)
at org.testng.TestRunner.run(TestRunner.java:608)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
at org.testng.SuiteRunner.run(SuiteRunner.java:240)
at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
at org.testng.TestNG.runSuitesSequentially(TestNG.java:1158)
at org.testng.TestNG.runSuitesLocally(TestNG.java:1083)
at org.testng.TestNG.run(TestNG.java:999)
at org.testng.remote.RemoteTestNG.run(RemoteTestNG.java:111)
at org.testng.remote.RemoteTestNG.initAndRun(RemoteTestNG.java:203)
at org.testng.remote.RemoteTestNG.main(RemoteTestNG.java:174)
at org.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:125)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
RemoteTestNG finishing: 635 ms
--
Thanks,
Sachith Withana
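
The setup the replies above arrive at (a valid ticket in the cache, `doNotPrompt` true, `useSubjectCredsOnly` false), shown as an added example that is not code from the thread or from JSch. It first checks that Krb5LoginModule can read a ticket from the cache, the step that failed with "null credentials from Ticket Cache", and it keeps host key checking enabled. The class name `KerberosSshCheck`, the context name `preflight`, the command-line arguments, and the default ticket cache and `krb5.conf` locations are assumptions.

```java
import com.jcraft.jsch.*;
import java.io.InputStream;
import java.util.*;
import javax.security.auth.login.*;

public class KerberosSshCheck {
    // Pre-flight: can Krb5LoginModule read a TGT from the ticket cache without prompting?
    // Assumes the default cache location and a krb5.conf the JVM can find
    // (for example via -Djava.security.krb5.conf=..., as in the original post).
    static String cachedPrincipal() throws LoginException {
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useTicketCache", "true");
        opts.put("doNotPrompt", "true");
        Configuration conf = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("preflight", null, null, conf);
        lc.login(); // throws LoginException when the cache holds no valid ticket
        return lc.getSubject().getPrincipals().iterator().next().getName();
    }

    public static void main(String[] args) throws Exception {
        String user = args[0], host = args[1], command = args[2]; // hypothetical CLI
        System.out.println("TGT found for " + cachedPrincipal());
        // Let the krb5 provider take credentials from outside the current Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        JSch jsch = new JSch();
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");
        Session session = jsch.getSession(user, host, 22);
        session.setConfig("StrictHostKeyChecking", "yes"); // reject unknown host keys
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        session.connect(20000);
        ChannelExec channel = (ChannelExec) session.openChannel("exec");
        channel.setCommand(command);
        channel.setErrStream(System.err);
        InputStream out = channel.getInputStream();
        channel.connect();
        byte[] buf = new byte[4096];
        for (int n; (n = out.read(buf)) != -1; ) System.out.write(buf, 0, n);
        System.out.flush();
        channel.disconnect();
        session.disconnect();
    }
}
```

If the pre-flight throws `LoginException`, the ticket cache has no usable TGT and the SSH attempt would end in the same `Auth fail` shown in the log above.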