将 Java 中获取的 TGT 用于 SSH/其他应用程序
目前,我可以使用 JAAS 并获取从运行 Active Directory 的 Windows 服务器发送的票证授予票证来对 java 应用程序中的用户进行身份验证。使用 java 中的 Krb5LoginModule 可以轻松完成此操作。
现在我想从我的 java 应用程序运行 ssh 命令并使用我的 TGT 来启用 ssh 不询问密码。我看过一些让 ssh 与 kerberos 一起使用的教程(OpenSSH & Kerberos),但他们使用 kinit 来获取 TGT,并且票证存储在 /tmp/krbcc_XXX 中。生成票证后,他们就可以自由 ssh 了。
我可以将 TGT 写入磁盘并将其存储在 /tmp/krbcc_XXX 中,或者可以在 PrivilegedAction 中运行 ssh 命令,但我不知道这两种方法是否有效。有没有一种可以接受的方法来做到这一点?
基本上,我想拨打这样的电话,并且不要求我输入密码:
// Create Command.
List<String> arguments = new ArrayList<String>();
arguments.addAll(Arrays.asList("ssh", "user@host", "xterm"));
// Run SSH command.
ProcessBuilder process = new ProcessBuilder(arguments).start();
Currently, I am able to authenticate users in a java application by using JAAS and grabbing the ticket-granting-ticket that is sent from a Windows server running Active Directory. This is easily done with the Krb5LoginModule in java.
Now I would like to run an ssh command from my java application and use my TGT to enable ssh not to ask for password. I have seen some tutorials (OpenSSH & Kerberos) for getting ssh to work with kerberos, but they use kinit to get their TGT and the ticket is stored in /tmp/krbcc_XXX. Then after the ticket is generated they can ssh freely.
I could write the TGT to disk and store it in /tmp/krbcc_XXX or I could run the ssh command in a PrivilegedAction, however I don't know if either will work. Is there an accepted way to do this?
Basically, I would like to call something like this and have it not ask me for a password:
// Create Command.
List<String> arguments = new ArrayList<String>();
arguments.addAll(Arrays.asList("ssh", "user@host", "xterm"));
// Run SSH command.
ProcessBuilder process = new ProcessBuilder(arguments).start();
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您必须首先明确谁将发起 SSH 请求。 Java或底层Linux/Unix系统。如果您选择后者,那么这不是跨平台的,也不是 Java 的方式。您应该使用支持 Keberos 的 Java SSH impl。一切都应该顺利。 JSch 是一个纯 Java 实现,支持
gss-api-with-mic。另一方面,您可以尝试从使用
LoginContext创建的Subject获取私有凭据,并将其写入默认的 CC 文件位置。完成后,尝试klist。如果它读取了 cc 文件,那么就完成了。如果这不起作用,您可以检查 Sun 的 CC阅读器代码并反转它。也许,sun.security.krb5.internal.ccache.FileCredentialsCache 及其更新和保存方法是有趣的。任务是让私有主体凭据与所需的类sun.security.krb5.internal.ccache.Credentials兼容。注意:此解决方案完全依赖于 Sun。我会选择第一种方法,或者您宁愿先运行
kinit。You have to clarify first who will initiate the SSH request. Java or the underlying Linux/Unix system. If you go with the latter, this is not cross-platform and not the Java way. You should use a Java SSH impl which supports Keberos. Everything should go smooth. JSch is a pure Java impl with
gss-api-with-micsupport.On the other hand, you could try to get the private credentials from the
Subjectcreated with theLoginContextand write it to the default CC file location.. After you have done that, tryklist. If it reads the cc file, you're done. If this does not work, you could examine Sun's CC reader code and reverse it. Probably, thesun.security.krb5.internal.ccache.FileCredentialsCacheis the interesting one along with its update and save methods. The task is to have the private subject credentials be compatible with the desired classsun.security.krb5.internal.ccache.Credentials.Note: This solution is completely Sun-dependent. I would go for the first approach or you rather run
kinitfirst.