
Java: Jsch connection using Kerberos


I have a simple Java application that uses Jsch to run ssh commands on a remote server. The implementation works with username and password.

Now I have set up a Kerberos server and want to authenticate using the same method. From the client system (Linux), I can ssh to the remote system using Kerberos authentication and run commands, and that works fine.
Things I have tried:
Initialize the Kerberos user with the following command:
kinit -kt <keytab> <principal>

Run the ssh command:
ssh <user>@<host> uname -a

The above commands work perfectly without asking me to authenticate with a password.
Configuration details:

  • KDC server: Linux 7.6
  • Client and server on Linux 7.6
  • Kerberos user: kuser
  • kuser also exists on the client and server systems, but without a home directory
  • Jsch version: 0.1.50
  • Java version: Amazon Corretto 11.0.7

Code snippet:
    package com.example;

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.util.Properties;

    import com.jcraft.jsch.Channel;
    import com.jcraft.jsch.ChannelExec;
    import com.jcraft.jsch.JSch;
    import com.jcraft.jsch.Logger;
    import com.jcraft.jsch.Session;

    public class TestJsch {

        // Stand-in for the MyLogger class referenced but not shown in the question:
        // a JSch Logger that forwards every message to stdout so the handshake is visible.
        static class MyLogger implements Logger {
            public boolean isEnabled(int level) { return true; }
            public void log(int level, String message) { System.out.println("INFO: " + message); }
        }

        public static void main(String[] args) {
            JSch jsch = new JSch();
            jsch.setLogger(new MyLogger());

            // Kerberos/JAAS configuration plus verbose debugging for the JDK GSS-API stack.
            // useSubjectCredsOnly=false lets the JAAS entry com.sun.security.jgss.krb5.initiate
            // supply the credentials (here: from the keytab) when no Subject is on the thread.
            System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
            System.setProperty("java.security.auth.login.config", "/etc/krb5login.conf");
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
            System.setProperty("sun.security.krb5.debug", "true");
            System.setProperty("java.security.debug", "gssloginconfig,configfile,configparser,logincontext");
            System.setProperty("java.security.krb5.realm", "MYREALM.COM");
            System.setProperty("java.security.krb5.kdc", "myrealm.com");

            String user = "kuser";
            String host = "remote_host";
            String port = "22";

            try {
                System.out.println("Starting session");
                Session session = jsch.getSession(user, host, Integer.parseInt(port));
                Properties config = new Properties();
                // Disables host key verification: acceptable only for a throwaway lab test.
                // Otherwise keep the default and load a known_hosts file via jsch.setKnownHosts(...).
                config.put("StrictHostKeyChecking", "no");
                // Offer only Kerberos (GSSAPI) authentication to the server
                config.put("PreferredAuthentications", "gssapi-with-mic");
                session.setConfig(config);
                System.out.println("Connecting to session");
                session.connect(20000);
                System.out.println("Opening Channel");
                Channel channel = session.openChannel("exec");

                System.out.println("Connecting to channel");
                // Take the channel's input stream before connect() so no output is missed
                BufferedReader bufferReader = new BufferedReader(new InputStreamReader(channel.getInputStream()));

                ((ChannelExec) channel).setCommand("uname -a");
                channel.connect();

                System.out.println("Command executed");
                StringBuilder stringBuilder = new StringBuilder();
                for (String string = bufferReader.readLine(); string != null; string = bufferReader.readLine()) {
                    stringBuilder.append(string).append(System.lineSeparator());
                }

                System.out.println(stringBuilder.toString());

                channel.disconnect();
                session.disconnect();
                System.out.println("DONE");

            } catch (Exception e) {
                System.out.println("Exception:");
                e.printStackTrace();
            }
        }
    }

Below is my JAAS conf file:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  principal="kuser"
  useKeyTab=true
  refreshKrb5Config=true
  keyTab="/etc/kuser.keytab"
  debug=true
  storeKey=true;
};

My krb5.conf looks like this:

[libdefaults]
 default_realm = MYREALM.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tkt_enctypes = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac
 default_tgs_enctypes = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac
 permitted_enctypes   = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac

[realms]
 MYREALM.COM = {
  kdc = myrealm.com
  admin_server = myrealm.com
  default_domain = myrealm.com
 }

After running the above standalone Java program, I get the following exception:

    Starting session
    Connecting to session
    INFO: Connecting to remote_host port 22
    INFO: Connection established
    INFO: Remote version string: SSH-2.0-OpenSSH_7.4
    INFO: Local version string: SSH-2.0-JSCH-0.1.50
    INFO: Authentications that can continue: gssapi-with-mic
    INFO: Next authentication method: gssapi-with-mic
    Java config name: /etc/krb5.conf
    Loading krb5 profile at /etc/krb5.conf
    Loaded from Java config
    Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/kuser.keytab refreshKrb5Config is true principal is kuser tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Refreshing Kerberos configuration
    Java config name: /etc/krb5.conf
    Loading krb5 profile at /etc/krb5.conf
    Loaded from Java config
      KdcAccessibility: reset
      KdcAccessibility: reset
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 76; type: 18
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 17
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 68; type: 16
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 23
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 76; type: 26
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 25
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 52; type: 8
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 52; type: 3
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
    default etypes for default_tkt_enctypes: 18 17 16 3 18 17 16 23.
      KrbAsReq creating message
      KrbKdcReq send: kdc=myrealm.com UDP:88, timeout=30000, number of retries =3, #bytes=199
      KDCCommunication: kdc=myrealm.com UDP:88, timeout=30000,Attempt =1, #bytes=199
      KrbKdcReq send: #bytes read=738
      KdcAccessibility: remove myrealm.com
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
                    [Krb5LoginModule] authentication failed
    Message stream modified (41)
    INFO: Disconnecting from remote_host 22
    Exception:
    com.jcraft.jsch.JSchException: Auth fail
            at com.jcraft.jsch.Session.connect(Session.java:512)
            at com.example.TestJsch.main(TestJsch.java:49)

Thanks

What is the problem?

The Java program is unable to connect to the remote server and execute the command using Jsch and Kerberos. I have added the exception at the end of the post. It seems that the keys it finds in the keytab file are unsupported in some way, but I cannot figure out why. I have tried multiple ways to resolve this but could not get it working.

You can modify the /etc/krb5.conf file and remove this line from the configuration:

renew_life=7d

I tried to make it work, and I hope this helps you!
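The following Python helper is an added example, not code from the question or the answer: it parses an excerpt of the sun.security.krb5.debug trace posted in the question (lines copied from it) and reports which keytab enctypes the JVM actually loaded, which ones it skipped, the final error, and whether the keytab realm differs from the configured realm only in letter case (Kerberos realm names are case-sensitive). The enctype number-to-name table follows RFC 3961/4757/6803, and the configured realm MYREALM.COM is taken from the question's krb5.conf.

```python
import re

# Kerberos enctype numbers (RFC 3961, RFC 4757, RFC 6803) for readable output.
ENCTYPE_NAMES = {3: "des-cbc-md5", 8: "des-hmac-sha1", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}

# Excerpt copied from the sun.security.krb5.debug trace posted in the question.
SAMPLE_LOG = """\
Looking for keys for: kuser@MYREALM.com
Added key: 3version: 4
Found unsupported keytype (8) for kuser@MYREALM.com
Found unsupported keytype (25) for kuser@MYREALM.com
Found unsupported keytype (26) for kuser@MYREALM.com
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
default etypes for default_tkt_enctypes: 18 17 16 3 18 17 16 23.
                [Krb5LoginModule] authentication failed
Message stream modified (41)
"""

def triage(log_text, configured_realm):
    """Summarise a Java Kerberos debug trace: usable keytab keys, skipped keys, realm, error."""
    realms = {p.rsplit("@", 1)[1] for p in re.findall(r"Looking for keys for: (\S+)", log_text)}
    added = {int(n) for n in re.findall(r"Added key: (\d+)version", log_text)}
    unsupported = {int(n) for n in re.findall(r"Found unsupported keytype \((\d+)\)", log_text)}
    m = re.search(r"default etypes for default_tkt_enctypes: ([\d ]+)\.", log_text)
    requested = {int(n) for n in m.group(1).split()} if m else set()
    err = re.search(r"authentication failed\s*\n\s*(.+)", log_text)
    # "unsupported keytype" lines are harmless as long as a requested type is still loaded.
    usable = added & requested if requested else added
    findings = []
    if unsupported and not usable:
        findings.append("no keytab key matches the requested/JVM-supported enctypes")
    # Realm names are case-sensitive: kuser@MYREALM.com is not kuser@MYREALM.COM.
    for realm in realms:
        if realm != configured_realm and realm.upper() == configured_realm.upper():
            findings.append(f"realm case mismatch: keytab {realm} vs configured {configured_realm}")
    return {"keytab_realms": sorted(realms),
            "usable_enctypes": sorted(ENCTYPE_NAMES.get(t, str(t)) for t in usable),
            "ignored_enctypes": sorted(ENCTYPE_NAMES.get(t, str(t)) for t in unsupported),
            "final_error": err.group(1).strip() if err else None,
            "findings": findings}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "MYREALM.COM").items():
        print(f"{key}: {value}")
```

For this trace the helper shows that AES, 3DES, RC4 and DES-MD5 keys were all loaded, so the skipped Camellia and des-hmac-sha1 entries are not what blocks the login, while the realm spelled MYREALM.com in the keytab against MYREALM.COM in krb5.conf is flagged for checking.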