# SINCE 1.5.0
git.sshKeysFolder= ${baseFolder}/ssh
-# Use Kerberos5 (GSS) authentication
+
+# Authentication methods offered by the SSH server.
+# Space separated list of authentication method names that the
+# server shall offer. The default is "publickey password".
#
-# SINCE 1.7.0
-git.sshWithKrb5 = false
+# Valid authentication method names are:
+# publickey - authenticate with SSH public key
+# password - authenticate with username, password
+# keyboard-interactive - currently synonym to 'password'
+# gssapi-with-mic - GSS API Kerberos 5 authentication
+#
+# This setting obsoletes the "git.sshWithKrb5" setting. To enable
+# Kerberos5 (GSS) authentication, add 'gssapi-with-mic' to the list.
+#
+# SINCE 1.9.0
+# RESTART REQUIRED
+# SPACE-DELIMITED
+git.sshAuthenticationMethods = publickey password
+
# The path to a Kerberos 5 keytab.
#
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.text.MessageFormat;
+import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.sshd.common.io.IoServiceFactoryFactory;
private final Logger log = LoggerFactory.getLogger(SshDaemon.class);
+ private static final String AUTH_PUBLICKEY = "publickey";
+ private static final String AUTH_PASSWORD = "password";
+ private static final String AUTH_KBD_INTERACTIVE = "keyboard-interactive";
+ private static final String AUTH_GSSAPI = "gssapi-with-mic";
+
+
+
public static enum SshSessionBackend {
MINA, NIO2
}
FileKeyPairProvider hostKeyPairProvider = new FileKeyPairProvider();
hostKeyPairProvider.setFiles(new String [] { rsaKeyStore.getPath(), dsaKeyStore.getPath(), dsaKeyStore.getPath() });
- // Client public key authenticator
- SshKeyAuthenticator keyAuthenticator =
- new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit);
// Configure the preferred SSHD backend
String sshBackendStr = settings.getString(Keys.git.sshBackend,
sshd.setPort(addr.getPort());
sshd.setHost(addr.getHostName());
sshd.setKeyPairProvider(hostKeyPairProvider);
- sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator));
- sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));
- if (settings.getBoolean(Keys.git.sshWithKrb5, false)) {
+
+ List<String> authMethods = settings.getStrings(Keys.git.sshAuthenticationMethods);
+ if (authMethods.isEmpty()) {
+ authMethods.add(AUTH_PUBLICKEY);
+ authMethods.add(AUTH_PASSWORD);
+ }
+ // Keep backward compatibility with old setting files that use the git.sshWithKrb5 setting.
+ if (settings.getBoolean("git.sshWithKrb5", false) && !authMethods.contains(AUTH_GSSAPI)) {
+ authMethods.add(AUTH_GSSAPI);
+ log.warn("git.sshWithKrb5 is obsolete!");
+ log.warn("Please add {} to {} in gitblit.properties!", AUTH_GSSAPI, Keys.git.sshAuthenticationMethods);
+ settings.overrideSetting(Keys.git.sshAuthenticationMethods,
+ settings.getString(Keys.git.sshAuthenticationMethods, AUTH_PUBLICKEY + " " + AUTH_PASSWORD) + " " + AUTH_GSSAPI);
+ }
+ if (authMethods.contains(AUTH_PUBLICKEY)) {
+ SshKeyAuthenticator keyAuthenticator = new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit);
+ sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator));
+ log.info("SSH: adding public key authentication method.");
+ }
+ if (authMethods.contains(AUTH_PASSWORD) || authMethods.contains(AUTH_KBD_INTERACTIVE)) {
+ sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));
+ log.info("SSH: adding password authentication method.");
+ }
+ if (authMethods.contains(AUTH_GSSAPI)) {
sshd.setGSSAuthenticator(new SshKrbAuthenticator(settings, gitblit));
+ log.info("SSH: adding GSSAPI authentication method.");
}
+
sshd.setSessionFactory(new SshServerSessionFactory());
sshd.setFileSystemFactory(new DisabledFilesystemFactory());
sshd.setTcpipForwardingFilter(new NonForwardingFilter());
projects / gitblit.git / commitdiff