authorThomas Wolf <thomas.wolf@paranor.ch>2018-10-02 22:39:40 +0200
committerMatthias Sohn <matthias.sohn@sap.com>2018-11-13 10:49:26 -0800
commit8001f4c1fe441ec2eb7416851e933e9dc347abd7 (patch)
treee89411b4631c4eb542d16e8d45d54eb72db546a2 /org.eclipse.jgit.junit
parent06387d4bfdddf96e0d590649cdc6b7f89a53e341 (diff)
Apache MINA sshd client: add gssapi-with-mic authentication
sshd does support gssapi-with-mic on the server side, but has no built-in client-side support for this authentication mechanism. Add our own implementation for it, following RFC 4462.[1] To avoid needlessly re-trying mechanisms that aren't even configured on the client, we disable mechanisms that fail on the very first attempt to use them. Since we have no real Kerberos5 test setup, this cannot be fully tested in CI. The disabling of the authentication mechanism and that it is skipped when not successful _is_ tested. [1] https://www.ietf.org/rfc/rfc4462.txt Bug: 520927 Change-Id: I5d0cdb14103588a57c52f927df541b589ab88d88 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Diffstat (limited to 'org.eclipse.jgit.junit')
-rw-r--r--org.eclipse.jgit.junit/META-INF/MANIFEST.MF7
-rw-r--r--org.eclipse.jgit.junit/src/org/eclipse/jgit/junit/ssh/SshTestGitServer.java55
2 files changed, 60 insertions, 2 deletions
diff --git a/org.eclipse.jgit.junit/META-INF/MANIFEST.MF b/org.eclipse.jgit.junit/META-INF/MANIFEST.MF
index e44ee0301e..044576fcc8 100644
--- a/org.eclipse.jgit.junit/META-INF/MANIFEST.MF
+++ b/org.eclipse.jgit.junit/META-INF/MANIFEST.MF
@@ -8,17 +8,22 @@ Bundle-Localization: plugin
Bundle-Vendor: %provider_name
Bundle-ActivationPolicy: lazy
Bundle-RequiredExecutionEnvironment: JavaSE-1.8
-Import-Package: org.apache.sshd.common;version="[2.0.0,2.1.0)",
+Import-Package: org.apache.sshd.common;version="[2.0.0,2.1.0)",
org.apache.sshd.common.config.keys;version="[2.0.0,2.1.0)",
org.apache.sshd.common.file.virtualfs;version="[2.0.0,2.1.0)",
org.apache.sshd.common.helpers;version="[2.0.0,2.1.0)",
+ org.apache.sshd.common.io;version="[2.0.0,2.1.0)",
org.apache.sshd.common.kex;version="[2.0.0,2.1.0)",
org.apache.sshd.common.keyprovider;version="[2.0.0,2.1.0)",
org.apache.sshd.common.session;version="[2.0.0,2.1.0)",
+ org.apache.sshd.common.util.buffer;version="[2.0.0,2.1.0)",
org.apache.sshd.common.util.logging;version="[2.0.0,2.1.0)",
org.apache.sshd.common.util.security;version="[2.0.0,2.1.0)",
org.apache.sshd.server;version="[2.0.0,2.1.0)",
+ org.apache.sshd.server.auth;version="[2.0.0,2.1.0)",
+ org.apache.sshd.server.auth.gss;version="[2.0.0,2.1.0)",
org.apache.sshd.server.command;version="[2.0.0,2.1.0)",
+ org.apache.sshd.server.session;version="[2.0.0,2.1.0)",
org.apache.sshd.server.shell;version="[2.0.0,2.1.0)",
org.apache.sshd.server.subsystem.sftp;version="[2.0.0,2.1.0)",
org.eclipse.jgit.annotations;version="[5.2.0,5.3.0)",
diff --git a/org.eclipse.jgit.junit/src/org/eclipse/jgit/junit/ssh/SshTestGitServer.java b/org.eclipse.jgit.junit/src/org/eclipse/jgit/junit/ssh/SshTestGitServer.java
index 8d3207c43e..3c1111d242 100644
--- a/org.eclipse.jgit.junit/src/org/eclipse/jgit/junit/ssh/SshTestGitServer.java
+++ b/org.eclipse.jgit.junit/src/org/eclipse/jgit/junit/ssh/SshTestGitServer.java
@@ -49,19 +49,30 @@ import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PublicKey;
import java.text.MessageFormat;
+import java.util.ArrayList;
import java.util.Collections;
+import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
+import org.apache.sshd.common.NamedFactory;
+import org.apache.sshd.common.SshConstants;
import org.apache.sshd.common.config.keys.AuthorizedKeyEntry;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.PublicKeyEntryResolver;
import org.apache.sshd.common.file.virtualfs.VirtualFileSystemFactory;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.session.Session;
+import org.apache.sshd.common.util.buffer.Buffer;
import org.apache.sshd.common.util.security.SecurityUtils;
+import org.apache.sshd.server.ServerAuthenticationManager;
import org.apache.sshd.server.SshServer;
+import org.apache.sshd.server.auth.UserAuth;
+import org.apache.sshd.server.auth.gss.GSSAuthenticator;
+import org.apache.sshd.server.auth.gss.UserAuthGSS;
+import org.apache.sshd.server.auth.gss.UserAuthGSSFactory;
import org.apache.sshd.server.command.AbstractCommandSupport;
+import org.apache.sshd.server.session.ServerSession;
import org.apache.sshd.server.shell.UnknownCommand;
import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;
import org.eclipse.jgit.annotations.NonNull;
@@ -142,6 +153,7 @@ public class SshTestGitServer {
.getParentFile().getAbsoluteFile().toPath();
}
});
+ server.setUserAuthFactories(getAuthFactories());
server.setSubsystemFactories(Collections
.singletonList((new SftpSubsystemFactory.Builder()).build()));
// No shell
@@ -149,8 +161,15 @@ public class SshTestGitServer {
// Disable some authentications
server.setPasswordAuthenticator(null);
server.setKeyboardInteractiveAuthenticator(null);
- server.setGSSAuthenticator(null);
server.setHostBasedAuthenticator(null);
+ // Pretend we did gssapi-with-mic.
+ server.setGSSAuthenticator(new GSSAuthenticator() {
+ @Override
+ public boolean validateInitialUser(ServerSession session,
+ String user) {
+ return false;
+ }
+ });
// Accept only the test user/public key
server.setPublickeyAuthenticator((userName, publicKey, session) -> {
return SshTestGitServer.this.testUser.equals(userName) && KeyUtils
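Review bot: The comment `// Pretend we did gssapi-with-mic.` on the new authenticator hides the security-relevant part of the override, which is that `validateInitialUser` returns false for every user, so this authenticator fails closed. Because FakeUserAuthGSS, added later in this commit, replaces `doAuth`, this override may never be consulted; it presumably acts as a safeguard in case the stock UserAuthGSS is ever wired in. I would state that intent directly, e.g. `// Offer gssapi-with-mic but reject every user, so GSS can never authenticate on this test server.` The enclosing constructor body starts and ends outside this hunk.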
@@ -166,6 +185,40 @@ public class SshTestGitServer {
});
}
+ private static class FakeUserAuthGSS extends UserAuthGSS {
+ @Override
+ protected Boolean doAuth(Buffer buffer, boolean initial)
+ throws Exception {
+ // We always reply that we did do this, but then we fail at the
+ // first token message. That way we can test that the client-side
+ // sends the correct initial request and then is skipped correctly,
+ // even if it causes a GSSException if Kerberos isn't configured at
+ // all.
+ if (initial) {
+ ServerSession session = getServerSession();
+ Buffer b = session.createBuffer(
+ SshConstants.SSH_MSG_USERAUTH_INFO_REQUEST);
+ b.putBytes(KRB5_MECH.getDER());
+ session.writePacket(b);
+ return null;
+ }
+ return Boolean.FALSE;
+ }
+ }
+
+ private List<NamedFactory<UserAuth>> getAuthFactories() {
+ List<NamedFactory<UserAuth>> authentications = new ArrayList<>();
+ authentications.add(
+ ServerAuthenticationManager.DEFAULT_USER_AUTH_PUBLIC_KEY_FACTORY);
+ authentications.add(new UserAuthGSSFactory() {
+ @Override
+ public UserAuth create() {
+ return new FakeUserAuthGSS();
+ }
+ });
+ return authentications;
+ }
+
/**
* Starts the test server, listening on a random port.
*
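Review bot: `FakeUserAuthGSS.doAuth` never reads `buffer`, so the comment's claim that this tests that the client "sends the correct initial request" is not enforced by the server side. Any initial gssapi-with-mic request gets the `KRB5_MECH` reply, even one whose mechanism list is malformed or does not offer Kerberos 5. Either parse the offered OIDs in the `initial` branch and return `Boolean.FALSE` when `KRB5_MECH` is not among them, or soften the comment, e.g. `// We accept any initial request without inspecting it, reply with the Kerberos 5 OID, and then fail at the first token message.` It would also help to explain the reply's constant, e.g. `// Message number 60 doubles as SSH_MSG_USERAUTH_GSSAPI_RESPONSE (RFC 4462).`, since `SSH_MSG_USERAUTH_INFO_REQUEST` reads like a keyboard-interactive message.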