net.sf.sshapi.util

Class DefaultGSSAuthenticator

java.lang.Object

net.sf.sshapi.util.DefaultGSSAuthenticator

All Implemented Interfaces:

SshAuthenticator, SshGSSAPIAuthenticator, SshPasswordPrompt

public class DefaultGSSAuthenticator
extends java.lang.Object
implements SshGSSAPIAuthenticator

Default implementation of an SshGSSAPIAuthenticator. This should suffice for most uses. See the documentation for Krb5LoginModule for more details.

Constructor Summary

Constructors

Constructor and Description
DefaultGSSAuthenticator(java.lang.String principal) Constructor.

Method Summary

Modifier and Type	Method and Description
javax.security.auth.login.Configuration	getConfiguration() Get the JAAS configuration used for authentication.
java.lang.String	getPrincipal() Get the name of the principal that should be used.
java.lang.String	getTypeName() Get the name of this authenticator (e.g "password", "publickey" etc).
boolean	isDebug() Get whether GSSAPI operations should output debug.
boolean	isDoNotPrompt() True if you do not want to be prompted for the password if credentials can not be obtained from the cache or keytab.(Default is false) If set to true authentication will fail if credentials can not be obtained from the cache or keytab.
boolean	isStoreKey() Get if you want the principal's key to be stored in the Subject's private credentials.
boolean	isTryFirstPass() Get if the username and password should be retrieved from the module's shared state using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys.
boolean	isUseKeyTab() This is true if you want the module to get the principal's key from the the keytab.(default value is False) If keyatb is not set then the module will locate the keytab from the Kerberos configuration file.
boolean	isUseTicketCache() This is true if you want the TGT to be obtained from the ticket cache.
char[]	promptForPassword(SshClient session, java.lang.String message) Invoked when a password.
void	setDebug(boolean debug) Set whether GSSAPI operations should output debug.
void	setDoNotPrompt(boolean doNotPrompt) Set this to true if you do not want to be prompted for the password if credentials can not be obtained from the cache or keytab.(Default is false) If set to true authentication will fail if credentials can not be obtained from the cache or keytab.
void	setPrincipal(java.lang.String principal) Set the name of the principal that should be used.
void	setStoreKey(boolean storeKey) Set this to True to if you want the principal's key to be stored in the Subject's private credentials.
void	setTryFirstPass(boolean tryFirstPass) Set to true to retrieve the the username and password from the module's shared state using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys.
void	setUseKeyTab(boolean useKeyTab) Set this to true if you want the module to get the principal's key from the the keytab.(default value is False) If keyatb is not set then the module will locate the keytab from the Kerberos configuration file.
void	setUseTicketCache(boolean useTicketCache) Set this to true, if you want the TGT to be obtained from the ticket cache.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DefaultGSSAuthenticator

public DefaultGSSAuthenticator(java.lang.String principal)

Constructor.

Parameters:

principal -

Method Detail

setPrincipal

public void setPrincipal(java.lang.String principal)

Set the name of the principal that should be used. It could be simple username such as "testuser" or a service name such as "host/testhost.eng.sun.com" . You can use principal option to set the principal when there are credentials for multiple principals in the keyTab or when you want a specific ticket cache only.

Parameters:

principal - principal

getPrincipal

public java.lang.String getPrincipal()

Get the name of the principal that should be used. It could be simple username such as "testuser" or a service name such as "host/testhost.eng.sun.com" . You can use principal option to set the principal when there are credentials for multiple principals in the keyTab or when you want a specific ticket cache only.

Returns:

principal

isUseKeyTab

public boolean isUseKeyTab()

This is true if you want the module to get the principal's key from the the keytab.(default value is False) If keyatb is not set then the module will locate the keytab from the Kerberos configuration file. If it is not specifed in the Kerberos configuration file then it will look for the file {user.home}{file.separator}krb5.keytab.

Returns:

use key tab.

See Also:

setUseKeyTab(boolean)

setUseKeyTab

public void setUseKeyTab(boolean useKeyTab)

Set this to true if you want the module to get the principal's key from the the keytab.(default value is False) If keyatb is not set then the module will locate the keytab from the Kerberos configuration file. If it is not specifed in the Kerberos configuration file then it will look for the file {user.home}{file.separator}krb5.keytab.

Parameters:

useKeyTab - use key tab.

isDebug

public boolean isDebug()

Get whether GSSAPI operations should output debug.

Returns:

debug

setDebug

public void setDebug(boolean debug)

Set whether GSSAPI operations should output debug.

Parameters:

debug - debug

isDoNotPrompt

public boolean isDoNotPrompt()

True if you do not want to be prompted for the password if credentials can not be obtained from the cache or keytab.(Default is false) If set to true authentication will fail if credentials can not be obtained from the cache or keytab.

Returns:

do not prompt

setDoNotPrompt

public void setDoNotPrompt(boolean doNotPrompt)

Set this to true if you do not want to be prompted for the password if credentials can not be obtained from the cache or keytab.(Default is false) If set to true authentication will fail if credentials can not be obtained from the cache or keytab.

Parameters:

doNotPrompt - do not prompt

isStoreKey

public boolean isStoreKey()

Get if you want the principal's key to be stored in the Subject's private credentials.

Returns:

store principal's key in subjects private credentials

setStoreKey

public void setStoreKey(boolean storeKey)

Set this to True to if you want the principal's key to be stored in the Subject's private credentials.

Parameters:

storeKey - store principal's key in subjects private credentials

isTryFirstPass

public boolean isTryFirstPass()

Get if the username and password should be retrieved from the module's shared state using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, the module uses the CallbackHandler to retrieve a new username and password, and another attempt to authenticate is made. If the authentication fails, the failure is reported back to the calling application

Returns:

try first pass

setTryFirstPass

public void setTryFirstPass(boolean tryFirstPass)

Set to true to retrieve the the username and password from the module's shared state using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, the module uses the CallbackHandler to retrieve a new username and password, and another attempt to authenticate is made. If the authentication fails, the failure is reported back to the calling application

Parameters:

tryFirstPass - try first pass

isUseTicketCache

public boolean isUseTicketCache()

This is true if you want the TGT to be obtained from the ticket cache. This is false if you do not want this module to use the ticket cache. (Default is False). This module will search for the ticket cache in the following locations: For Windows 2000, it will use Local Security Authority (LSA) API to get the TGT. On Solaris and Linux it will look for the ticket cache in /tmp/krb5cc_uid where the uid is numeric user identifier. If the ticket cache is not available in either of the above locations, or if we are on a different WIndows platform, it will look for the cache as {user.home}{file.separator}krb5cc_{user.name}. You can override the ticket cache location by using ticketCache

Returns:

use ticket cache

setUseTicketCache

public void setUseTicketCache(boolean useTicketCache)

Set this to true, if you want the TGT to be obtained from the ticket cache. Set this option to false if you do not want this module to use the ticket cache. (Default is False). This module will search for the tickect cache in the following locations: For Windows 2000, it will use Local Security Authority (LSA) API to get the TGT. On Solaris and Linux it will look for the ticket cache in /tmp/krb5cc_uid where the uid is numeric user identifier. If the ticket cache is not available in either of the above locations, or if we are on a different WIndows platform, it will look for the cache as {user.home}{file.separator}krb5cc_{user.name}. You can override the ticket cache location by using ticketCache

Parameters:

useTicketCache - use ticket cache

getConfiguration

public javax.security.auth.login.Configuration getConfiguration()

Description copied from interface: SshGSSAPIAuthenticator

Get the JAAS configuration used for authentication.

Specified by:

getConfiguration in interface SshGSSAPIAuthenticator

Returns:

cofiguration

getTypeName

public java.lang.String getTypeName()

Description copied from interface: SshAuthenticator

Get the name of this authenticator (e.g "password", "publickey" etc).

Specified by:

getTypeName in interface SshAuthenticator

Returns:

name

promptForPassword

public char[] promptForPassword(SshClient session,
                                java.lang.String message)

Description copied from interface: SshPasswordPrompt

Invoked when a password.

Specified by:

promptForPassword in interface SshPasswordPrompt

Parameters:

session - session

message - message

Returns:

password or null if password is not available (e.g. cancelled)