Browse Source
Adding Kerberos5/GSS authentication to ssh
Adding the possibility to define authentication method order for sshtags/v1.7.0
Fabrice Bacchella
9 years ago
5 changed files with 90 additions and 1 deletions
+ 22
- 0
src/main/distrib/data/defaults.properties
View File
| @@ -126,6 +126,28 @@ git.sshKeysManager = com.gitblit.transport.ssh.FileKeyManager | |||
| # SINCE 1.5.0 | |||
| git.sshKeysFolder= ${baseFolder}/ssh | |||
| # Use kerberos5 (GSS) authentication | |||
| # | |||
| # SINCE 1.7.0 | |||
| git.sshWithKrb5 = "false" | |||
| # The path to a kerberos 5 keytab. | |||
| # | |||
| # SINCE 1.7.0 | |||
| git.sshKrb5Keytab = "" | |||
| # The service principal name to be used for Kerberos5. The default is host/hostname. | |||
| # | |||
| # SINCE 1.7.0 | |||
| git.sshKrb5ServicePrincipalName = "" | |||
| # A comma-separated list of authentication method. They will be tried in | |||
| # the given order. Possible values are | |||
| # "gssapi-with-mic", "publickey", "keyboard-interactive" or "password" | |||
| # | |||
| # SINCE 1.7.0 | |||
| git.sshAuthenticatorsOrder = "password,keyboard-interactive,publickey" | |||
| # SSH backend NIO2|MINA. | |||
| # | |||
| # The Apache Mina project recommends using the NIO2 backend. | |||
+ 57
- 1
src/main/java/com/gitblit/transport/ssh/SshDaemon.java
View File
| @@ -23,15 +23,25 @@ import java.net.InetSocketAddress; | |||
| import java.security.KeyPair; | |||
| import java.security.KeyPairGenerator; | |||
| import java.text.MessageFormat; | |||
| import java.util.ArrayList; | |||
| import java.util.List; | |||
| import java.util.Locale; | |||
| import java.util.concurrent.atomic.AtomicBoolean; | |||
| import org.apache.sshd.SshServer; | |||
| import org.apache.sshd.common.NamedFactory; | |||
| import org.apache.sshd.common.io.IoServiceFactoryFactory; | |||
| import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory; | |||
| import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory; | |||
| import org.apache.sshd.common.keyprovider.FileKeyPairProvider; | |||
| import org.apache.sshd.common.util.SecurityUtils; | |||
| import org.apache.sshd.server.auth.CachingPublicKeyAuthenticator; | |||
| import org.apache.sshd.server.UserAuth; | |||
| import org.apache.sshd.server.auth.UserAuthKeyboardInteractive; | |||
| import org.apache.sshd.server.auth.UserAuthPassword; | |||
| import org.apache.sshd.server.auth.UserAuthPublicKey; | |||
| import org.apache.sshd.server.auth.gss.GSSAuthenticator; | |||
| import org.apache.sshd.server.auth.gss.UserAuthGSS; | |||
| import org.bouncycastle.openssl.PEMWriter; | |||
| import org.eclipse.jgit.internal.JGitText; | |||
| import org.slf4j.Logger; | |||
| @@ -120,7 +130,49 @@ public class SshDaemon { | |||
| } else { | |||
| addr = new InetSocketAddress(bindInterface, port); | |||
| } | |||
| //Will do GSS ? | |||
| GSSAuthenticator gssAuthenticator = null; | |||
| if(settings.getBoolean(Keys.git.sshWithKrb5, false)) { | |||
| gssAuthenticator = new GSSAuthenticator(); | |||
| String keytabString = settings.getString(Keys.git.sshKrb5Keytab, | |||
| ""); | |||
| if(! keytabString.isEmpty()) { | |||
| gssAuthenticator.setKeytabFile(keytabString); | |||
| } | |||
| String servicePrincipalName = settings.getString(Keys.git.sshKrb5ServicePrincipalName, | |||
| ""); | |||
| if(! servicePrincipalName.isEmpty()) { | |||
| gssAuthenticator.setServicePrincipalName(servicePrincipalName); | |||
| } | |||
| } | |||
| //Sort the authenticators for sshd | |||
| List<NamedFactory<UserAuth>> userAuthFactories = new ArrayList<>(); | |||
| String sshAuthenticatorsOrderString = settings.getString(Keys.git.sshAuthenticatorsOrder, | |||
| "password,keyboard-interactive,publickey"); | |||
| for(String authenticator: sshAuthenticatorsOrderString.split(",")) { | |||
| String authenticatorName = authenticator.trim().toLowerCase(Locale.US); | |||
| switch (authenticatorName) { | |||
| case "gssapi-with-mic": | |||
| if(gssAuthenticator != null) { | |||
| userAuthFactories.add(new UserAuthGSS.Factory()); | |||
| } | |||
| break; | |||
| case "publickey": | |||
| userAuthFactories.add(new UserAuthPublicKey.Factory()); | |||
| break; | |||
| case "password": | |||
| userAuthFactories.add(new UserAuthPassword.Factory()); | |||
| break; | |||
| case "keyboard-interactive": | |||
| userAuthFactories.add(new UserAuthKeyboardInteractive.Factory()); | |||
| break; | |||
| default: | |||
| log.error("Unknown ssh authenticator: '{}'", authenticatorName); | |||
| } | |||
| } | |||
| // Create the SSH server | |||
| sshd = SshServer.setUpDefaultServer(); | |||
| sshd.setPort(addr.getPort()); | |||
| @@ -128,6 +180,10 @@ public class SshDaemon { | |||
| sshd.setKeyPairProvider(hostKeyPairProvider); | |||
| sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator)); | |||
| sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit)); | |||
| if(gssAuthenticator != null) { | |||
| sshd.setGSSAuthenticator(gssAuthenticator); | |||
| } | |||
| sshd.setUserAuthFactories(userAuthFactories); | |||
| sshd.setSessionFactory(new SshServerSessionFactory()); | |||
| sshd.setFileSystemFactory(new DisabledFilesystemFactory()); | |||
| sshd.setTcpipForwardingFilter(new NonForwardingFilter()); | |||
+ 2
- 0
src/test/config/test-gitblit.properties
View File
| @@ -9,6 +9,8 @@ git.enableGitServlet = true | |||
| git.daemonPort = 8300 | |||
| git.sshPort = 29418 | |||
| git.sshKeysManager = com.gitblit.transport.ssh.MemoryKeyManager | |||
| git.sshWithKrb5 = true | |||
| git.sshAuthenticatorsOrder = password, publickey,gssapi-with-mic,invalid | |||
| groovy.scriptsFolder = src/main/distrib/data/groovy | |||
| groovy.preReceiveScripts = blockpush | |||
| groovy.postReceiveScripts = sendmail | |||
+ 1
- 0
src/test/java/com/gitblit/tests/JschConfigTestSessionFactory.java
View File
| @@ -21,6 +21,7 @@ public class JschConfigTestSessionFactory extends JschConfigSessionFactory { | |||
| @Override | |||
| protected void configure(OpenSshConfig.Host host, Session session) { | |||
| session.setConfig("StrictHostKeyChecking", "no"); | |||
| session.setConfig("PreferredAuthentications", "password"); | |||
| } | |||
| @Override | |||
+ 8
- 0
src/test/java/com/gitblit/tests/SshUnitTest.java
View File
| @@ -24,13 +24,18 @@ import java.net.SocketAddress; | |||
| import java.security.KeyPair; | |||
| import java.security.KeyPairGenerator; | |||
| import java.security.PublicKey; | |||
| import java.util.ArrayList; | |||
| import java.util.List; | |||
| import java.util.concurrent.atomic.AtomicBoolean; | |||
| import org.apache.sshd.ClientChannel; | |||
| import org.apache.sshd.ClientSession; | |||
| import org.apache.sshd.SshClient; | |||
| import org.apache.sshd.client.ServerKeyVerifier; | |||
| import org.apache.sshd.common.NamedFactory; | |||
| import org.apache.sshd.common.util.SecurityUtils; | |||
| import org.apache.sshd.client.UserAuth; | |||
| import org.apache.sshd.client.auth.UserAuthPublicKey; | |||
| import org.junit.After; | |||
| import org.junit.AfterClass; | |||
| import org.junit.Before; | |||
| @@ -102,6 +107,9 @@ public abstract class SshUnitTest extends GitblitUnitTest { | |||
| return true; | |||
| } | |||
| }); | |||
| List<NamedFactory<UserAuth>> userAuthFactories = new ArrayList<>(); | |||
| userAuthFactories.add(new UserAuthPublicKey.Factory()); | |||
| client.setUserAuthFactories(userAuthFactories); | |||
| client.start(); | |||
| return client; | |||
| } | |||
Loading…