From 51e70f4233400ccf90c4e05638df53f2d5784d3c Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Tue, 6 Dec 2016 14:44:18 +0100 Subject: Set list of offered SSH authentication methods. Make the SSH authentication methods used by the server configurable, so that for example password authentication can be turned off. For this, a `git.sshAuthenticationMethods` setting is added which is a space separated list of authentication method names. Only the methods listed will be enabled in the server. This is modeled after the option of the same name from sshd_config, but it does not offer listing multiple required methods. It leaves the door open, though, for a later extension to support such a multi-factor authentication. Since this also includes Kerberos authentication with GSS API, this obsoletes the `git.sshWithKrb5` property. The latter is removed. Instead, to enable Kerberos5 authentication, add the method name `gssapi-with-mic` to the authentication methods list. --- .../java/com/gitblit/transport/ssh/SshDaemon.java | 40 ++++++++++++++++++---- 1 file changed, 34 insertions(+), 6 deletions(-) (limited to 'src/main/java/com/gitblit') diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java index 5a94c9a3..3189058b 100644 --- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java +++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java @@ -23,6 +23,7 @@ import java.net.InetSocketAddress; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.text.MessageFormat; +import java.util.List; import java.util.concurrent.atomic.AtomicBoolean; import org.apache.sshd.common.io.IoServiceFactoryFactory; @@ -55,6 +56,13 @@ public class SshDaemon { private final Logger log = LoggerFactory.getLogger(SshDaemon.class); + private static final String AUTH_PUBLICKEY = "publickey"; + private static final String AUTH_PASSWORD = "password"; + private static final String AUTH_KBD_INTERACTIVE = "keyboard-interactive"; + private static final String AUTH_GSSAPI = "gssapi-with-mic"; + + + public static enum SshSessionBackend { MINA, NIO2 } @@ -97,9 +105,6 @@ public class SshDaemon { FileKeyPairProvider hostKeyPairProvider = new FileKeyPairProvider(); hostKeyPairProvider.setFiles(new String [] { rsaKeyStore.getPath(), dsaKeyStore.getPath(), dsaKeyStore.getPath() }); - // Client public key authenticator - SshKeyAuthenticator keyAuthenticator = - new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit); // Configure the preferred SSHD backend String sshBackendStr = settings.getString(Keys.git.sshBackend, @@ -125,11 +130,34 @@ public class SshDaemon { sshd.setPort(addr.getPort()); sshd.setHost(addr.getHostName()); sshd.setKeyPairProvider(hostKeyPairProvider); - sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator)); - sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit)); - if (settings.getBoolean(Keys.git.sshWithKrb5, false)) { + + List authMethods = settings.getStrings(Keys.git.sshAuthenticationMethods); + if (authMethods.isEmpty()) { + authMethods.add(AUTH_PUBLICKEY); + authMethods.add(AUTH_PASSWORD); + } + // Keep backward compatibility with old setting files that use the git.sshWithKrb5 setting. + if (settings.getBoolean("git.sshWithKrb5", false) && !authMethods.contains(AUTH_GSSAPI)) { + authMethods.add(AUTH_GSSAPI); + log.warn("git.sshWithKrb5 is obsolete!"); + log.warn("Please add {} to {} in gitblit.properties!", AUTH_GSSAPI, Keys.git.sshAuthenticationMethods); + settings.overrideSetting(Keys.git.sshAuthenticationMethods, + settings.getString(Keys.git.sshAuthenticationMethods, AUTH_PUBLICKEY + " " + AUTH_PASSWORD) + " " + AUTH_GSSAPI); + } + if (authMethods.contains(AUTH_PUBLICKEY)) { + SshKeyAuthenticator keyAuthenticator = new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit); + sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator)); + log.info("SSH: adding public key authentication method."); + } + if (authMethods.contains(AUTH_PASSWORD) || authMethods.contains(AUTH_KBD_INTERACTIVE)) { + sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit)); + log.info("SSH: adding password authentication method."); + } + if (authMethods.contains(AUTH_GSSAPI)) { sshd.setGSSAuthenticator(new SshKrbAuthenticator(settings, gitblit)); + log.info("SSH: adding GSSAPI authentication method."); } + sshd.setSessionFactory(new SshServerSessionFactory()); sshd.setFileSystemFactory(new DisabledFilesystemFactory()); sshd.setTcpipForwardingFilter(new NonForwardingFilter()); -- cgit v1.2.3