As we are in corporate environment and with basic configuration changes, SSH Kerberos working seamlessly in OpenSSH
SSH -K server#domain.com
Since default Kerberos setup didn't work, we have installed MIT Kerberos and generated ktab files for the application uses.
However we are not aware how to setup Kerberos settings and properties for JSch. Password based authentication is working fine. But not sure how to implement the gssapi-with-mic. Any pointers or suggestion would be grateful.
Jsch connection with Kerberos
How to create these files with valid the values and explanation would
be grateful.
JSch is here for more than a decade, I don't see any single workable
sample with Kerberos/GSSAPI authentication online. If anyone
successfully implemented, kindly let me know.
JSch has Kerberos authentication enabled by default (what is a frequent cause of problems).
So you should not need to do anything special to use it in JSch. Just try to login with username only.
Related
I am quite new to working with certificates and security, so pardon me if this is a no-brainer to others. I have followed this guide to set up my Grails application to run on HTTPS with self-signed certificates.
I am trying to establish 2-way SSL with another HTTPS network (a Nifi standalone instance) running on the same machine. I can get the Nifi instance to talk to Grails over HTTPS, but I am having issues with Grails talking to Nifi (specifically to a ListenHTTP processor).
I was hoping someone could advise how to use certificate authentication in Grails when posting over HTTPS.
Nifi uses certificate authentication; however per the above guide Grails only specifies a single keystore (for receiving requests?) so I'm a bit thrown off. I can successfully CURL to Nifi's REST API by specifying the --cert and --key properties, but since the final product will be a WAR on a client machine I want to set this up the 'right way', and I believe leaving those files on the client machine is a really big no-no for security.
During early development RestBuilder was sufficient for 2-way comms over HTTP, however, I am unable to find any mention of using it with certificate authentication (only basic authentication is covered in the documentation?).
HTTPBuilder shows up a lot when I looked for alternatives, however looking at the relevant documentation (line 139 'certificate()') it states that it takes a whole keystore JKS and password. I think this is close but not quite what I am looking for considering I only have one keystore; I am open to correction here.
Please note that I will be unavailable to respond until at least the day after this question was posted.
When making an outgoing HTTPS connection, if the remote endpoint (in this case Apache NiFi) requires client certificate authentication, the originating endpoint (Grails) will attempt to provide a certificate. The certificate that Grails is using to identify itself as a service is fine to use in this scenario, provided:
The certificate either does not have the ExtendedKeyUsage extension set, or if it is set, both ServerAuth and ClientAuth values are present. If ClientAuth is missing, the system will not allow this certificate to be used for client authentication, which is the necessary role in this exchange.
The certificate has a valid SubjectAlternativeName value which matches the hostname it is running on. RFC 6125 prescribes that SAN values should be used for certificate identity rather than Distinguished Name (DN) and Common Name (CN). So if the Grails app is running on https://grails.example.com, the SAN must contain values for grails.example.com or *.example.com.
The certificate must be imported into NiFi's truststore in order to allow NiFi to authenticate a presenter of this certificate.
NiFi must have ACL permissions in place for this "user". This can be done through the UI or by modifying the conf/authorizers.xml file before starting NiFi for the first time. See NiFi Admin Guide - Authorizers Configuration for more information.
Your concern for leaving the cert.pem and key.key files on the client machine is understandable, but the sensitive information contained therein is the same data that's in your keystore. At some point, the private key must be accessible by the Grails app in order to perform HTTPS processes, so having it in the keystore is functionally equivalent (you don't mention having a password on the *.key file, but obviously you should have a password on the keystore).
I am trying to connect opc kepware server through a Java program, I want to know what jar files can be used to connect to KepwareserverEx.V5 and what is the code without the use of password and username.
I have referenced http://www.opcconnect.com/uakit.php, and https://github.com/digitalpetri/ua-server-sdk, but it doesn't have anything that doesn't connect without a username and a pawssword. I have a program in vb that connects to kepware using Interop.OPCAutomation.dll file and uses the code:
ConnectedOPCServer = New OPCAutomation.OPCServer
ConnectedOPCServer.Connect("Kepware.KEPServerEX.V5", "")
ConnectedGroup = ConnectedOPCServer.OPCGroups.Add("MPM Group")
ConnectedGroup.UpdateRate = 1000
ConnectedGroup.IsSubscribed = True
ConnectedGroup.IsActive = True
I want to write Java code in a similar way. Searched through the internet to see various examples, but none have the above connection without a username and password not being specified.
First of all, I assume that you have created an "anonymous" and "SecurityPolicy.None" endpoint on KepServerEX.
You refer to digitalpetri's old and server SDK. The new project is called "Milo". I can recommend you take a look at the Milo project's client SDK examples using this link. There is an application of anonymous identity and none security policy.
In terms of jar, you can either build your client-sdk (see example here) or directly download the client-sdk jar from Maven Central.
NB Milo is considered to be in incubation. That is to say, it is not mature yet. Be careful using it in production systems.
Yes that's right. The security policy is none on the KepwareServerEX. I made some permission changes on the server where Kepware exists, so that my localhost computer would be able to talk to the Kepware server host. Provided credentials for my localhost, and able to connect.
When I try to connect to my EC2 server, using Netbeans(Git-Remote-Push), I get "incorrect credentials coonecting to repository at SSH://xx.xx.xxx.xx/git-repo"
In my ide.log, I get the following message:
"WARNING [org.netbeans.modules.progress.spi.InternalHandle]: Cannot call progress on a task that was never started at org.netbeans.modules.git.client.GitProgressSupport.setProgressMessage(GitProgressSupport.java:247)
INFO [org.netbeans.modules.git.ui.repository.remote.SelectUriStep]: Auth failed when accessing ssh://54.77.226.97/git-repo
com.jcraft.jsch.JSchException: Algorithm negotiation fail"
Steps I have taken to overcome the problem.
I can connect using git-bash OK
I have ussed ssh-keygen to generate the keys
I have downloaded JCE 8 unlimited strength policy files.
Any help much appreciated, thanks
"Algorithm negotiation fail" means that the SSH-Client implementation netbeans uses and the server implementation, cannot find a mutual algorithm to encrypt/compress.
Reason could be that an administrator doesn't want the server to support insecure or doubtful algorithms from now on. So you have to find an update for Netbeans.
I can execute a command using my kerberos ticket on the kerberos server by running
ssh hostname ls
it uses the kerberos ticket I got earlier by running kinit on the client.
I want to do the same thing through a java client. I have a client that can SSH to that machine using the privatekey or the username and password.
I want the java client to use the kerberos ticket.
How can I do that?
Well from what i understand your problem statement is:
Use kinit to generate a kerberos ticket
Use Java Client to send the ticket generated for authentication
I am also assuming you are writing the code for the java client:
Well in that case you to use a jaas.conf
Sample Jaas conf:-
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=true
useTicketCache=true
doNotPrompt=true;
};
Set jaas conf via system property:-
-Djava.security.auth.login.config=jaasconffilepath
This will allow you to pick up whatever is defined in default credential cache(in your case that is populated with kinit)
Once you do this:-
LoginContext lc = new LoginContext();
lc.login()
After this use Subject.doAs to elevate privileges and get your job done:-
Subject.doAs(lc.getSubject(), new YourAction())
Here YourAction is a class you define (which must implement PrivilegedExceptionAction) and in its run method do whatever you want to.
P.S In case you are not "coding" your java client you need to check for jaas documentation of the module in question and see if it is supported or not. Then all you need to do is use your jaas.conf file and you are good to go.
P.S You can avoid kinit all together by putting useTicketCache=false and doNotPrompt=false. Then you can specify password and username in your client and it will get you ticket.
P.S Please ensure you define the system property for krb5.conf for any of this to work: -D java.security.krb5.conf=krb5conffilepath
I thought it could be a good idea to use kerberos on Windows 2003 to authenticate a Java server application against active directory. That way, we will not have to put a password in a file. But this does not work.
[2012-09-20 17:42:19,301] ERROR Cannot authenticate server via JAAS
javax.security.auth.login.LoginException: No LoginModules configured for KerberosLogin
at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
If I run the exact same code and configuration on Windows XP, then authentication works. In both cases I am using Java 7 u07.
It turned out my TGT that I had aquired via JDK's kinit command had expired.