jsch与kerberos的连接

llew8vvj  于 2021-07-06  发布在  Java
关注(0)|答案(0)|浏览(341)

我有一个简单的java应用程序,它使用jsch在远程服务器上运行ssh命令。该实现适用于用户名和密码。
现在,我已经设置了一个kerberos服务器,并希望使用同一个服务器进行身份验证。从客户机系统(linux)中,我可以ssh到远程,并使用kerberos身份验证运行命令,而且工作正常。
我尝试过的事情:
使用以下命令初始化kerberos用户: kinit -kt <keytab_file_path> <kUser> 运行ssh命令: ssh <kUser>@<remote_host> uname -a 上面的命令非常有效,不需要我使用密码进行身份验证。
配置详细信息:
kdc服务器:linux 7.6
客户机和服务器:linux 7.6
kerberos用户:kuser
kuser也存在于客户机和服务器系统上,但没有主目录
jsch版本:0.1.50
java版本:amazon corretto 11.0.7

openjdk version "11.0.7" 2020-04-14 LTS
OpenJDK Runtime Environment Corretto-11.0.7.10.1 (build 11.0.7+10-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.7.10.1 (build 11.0.7+10-LTS, mixed mode)

代码段:

JSch jsch = new JSch();
    jsch.setLogger(new MyLogger());

    System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
    System.setProperty("java.security.auth.login.config", "/etc/krb5login.conf");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("sun.security.krb5.debug", "true");
    System.setProperty("java.security.debug", "gssloginconfig,configfile,configparser,logincontext");
    System.setProperty("java.security.krb5.realm", "MYREALM.COM");
    System.setProperty("java.security.krb5.kdc", "myrealm.com");

    String user = "kuser";
    String host = "remote_host";
    String port = "22";

    try {
        System.out.println("Starting session");
        Session session = jsch.getSession(user ,host, Integer.parseInt(port));
        Properties config = new java.util.Properties();
        config.put("StrictHostKeyChecking", "no");
        config.put("PreferredAuthentications", "gssapi-with-mic");
        session.setConfig(config);
        System.out.println("Connecting to session");
        session.connect(20000);
        System.out.println("Opening Channel");
        Channel channel = session.openChannel("exec");

        System.out.println("Connecting to channel");
        // Creating BufferReader to read input from host
        BufferedReader bufferReader = new BufferedReader(new InputStreamReader(channel.getInputStream()));

        ((ChannelExec) channel).setCommand("uname -a");
        channel.connect();

        System.out.println("Command executed");
        StringBuilder stringBuilder = new StringBuilder();
        for (String string = bufferReader.readLine(); string != null; string = bufferReader.readLine()) {
            stringBuilder.append(string);
        }

        System.out.println(stringBuilder.toString());

        channel.disconnect();
        session.disconnect();
        System.out.println("DONE");

    } catch (Exception e) {
        System.out.println("Exception:");
        e.printStackTrace();
    }

下面是我的jass conf文件:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  principal="kuser"
  useKeyTab=true
  refreshKrb5Config=true
  keyTab="/etc/kuser.keytab"
  debug=true
  storeKey=true;
};

krb5.conf如下:

[libdefaults]
 default_realm = MYREALM.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tkt_enctypes = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac
 default_tgs_enctypes = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac
 permitted_enctypes   = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac

[realms]
 MYREALM.COM = {
  kdc = myrealm.com
  admin_server = myrealm.com
  default_domain = myrealm.com
 }

运行上述独立java程序后,我得到以下异常:

Starting session
    Connecting to session
    INFO: Connecting to remote_host port 22
    INFO: Connection established
    INFO: Remote version string: SSH-2.0-OpenSSH_7.4
    INFO: Local version string: SSH-2.0-JSCH-0.1.50
    INFO: Authentications that can continue: gssapi-with-mic
    INFO: Next authentication method: gssapi-with-mic
    Java config name: /etc/krb5.conf
    Loading krb5 profile at /etc/krb5.conf
    Loaded from Java config
    Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/kuser.keytab refreshKrb5Config is true principal is kuser tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Refreshing Kerberos configuration
    Java config name: /etc/krb5.conf
    Loading krb5 profile at /etc/krb5.conf
    Loaded from Java config
      KdcAccessibility: reset
      KdcAccessibility: reset
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 76; type: 18
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 17
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 68; type: 16
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 23
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 76; type: 26
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 25
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 52; type: 8
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 52; type: 3
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
    default etypes for default_tkt_enctypes: 18 17 16 3 18 17 16 23.
      KrbAsReq creating message
      KrbKdcReq send: kdc=myrealm.com UDP:88, timeout=30000, number of retries =3, #bytes=199
      KDCCommunication: kdc=myrealm.com UDP:88, timeout=30000,Attempt =1, #bytes=199
      KrbKdcReq send: #bytes read=738
      KdcAccessibility: remove myrealm.com
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
                    [Krb5LoginModule] authentication failed
    Message stream modified (41)
    INFO: Disconnecting from remote_host 22
    Exception:
    com.jcraft.jsch.JSchException: Auth fail
            at com.jcraft.jsch.Session.connect(Session.java:512)
            at com.example.TestJsch.main(TestJsch.java:49)

谢谢

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题