Currently, I am able to authenticate users in a java application by using JAAS and grabbing the ticket-granting-ticket that is sent from a Windows server running Active Directory. This is easily done with the Krb5LoginModule in java.
Now I would like to run an ssh command from my java application and use my TGT to enable ssh not to ask for password. I have seen some tutorials (OpenSSH & Kerberos) for getting ssh to work with kerberos, but they use kinit to get their TGT and the ticket is stored in /tmp/krbcc_XXX. Then after the ticket is generated they can ssh freely.
I could write the TGT to disk and store it in /tmp/krbcc_XXX or I could run the ssh command in a PrivilegedAction, however I don't know if either will work. Is there an accepted way to do this?
Basically, I would like to call something like this and have it not ask me for a password:
// Create Command.
List<String> arguments = new ArrayList<String>();
arguments.addAll(Arrays.asList("ssh", "user#host", "xterm"));
// Run SSH command.
ProcessBuilder process = new ProcessBuilder(arguments).start();
You have to clarify first who will initiate the SSH request. Java or the underlying Linux/Unix system. If you go with the latter, this is not cross-platform and not the Java way. You should use a Java SSH impl which supports Keberos. Everything should go smooth. JSch is a pure Java impl with gss-api-with-mic support.
On the other hand, you could try to get the private credentials from the Subject created with the LoginContext and write it to the default CC file location.. After you have done that, try klist. If it reads the cc file, you're done. If this does not work, you could examine Sun's CC reader code and reverse it. Probably, the sun.security.krb5.internal.ccache.FileCredentialsCache is the interesting one along with its update and save methods. The task is to have the private subject credentials be compatible with the desired class sun.security.krb5.internal.ccache.Credentials.
Note: This solution is completely Sun-dependent. I would go for the first approach or you rather run kinit first.
Related
I am maintaining an application in our company (written in C#), which runs on a jumphost and provides the functionality to search across different servers and initiate a PuTTY connection to that server. For this the application currently starts the PuTTY process and passes arguments, like the hostname, username and password. The password for each server is retrieved from a password manager service. The arguments are passed to PuTTY through the command line interface. So the purpose of the application is to automate password retrieval and login to different servers.
The problem with the current approach is, that in the Windows Task Manager its possible for an administrator to see all started PuTTY instances and the corresponding credentials as command line arguments.
So far I haven't found any practical solution to circumvent this. These are the things I researched so far:
Instead of passing password argument, using SendKeys to type password into the promt: Unreliable, as there is no way to read the PuTTY output and know when the application is ready for the input to be typed in.
Using Plink instead of PuTTY and passing arguments through stdin: Plink supports stdin / stdout communication, however the terminal functionality is very limited and not usable in practice after the login was successful.
Modifying PuTTY to mask password: I have seen some suggestions, to modify the PuTTY source code, to overwrite the password in the main args, once the application started. However, this solution seems to only work on Linux, not Windows.
Using SSH.NET library to provide my own SSH terminal implementation: The SSH.NET library seems to be similarly to Plink more suitable for issuing commands programmatically, but not for opening a terminal for the user. I guess it would require a lot of work to implement a full terminal.
Some ideas, that might work:
Modify the PuTTY code, so that arguments can be passed through stdin: Could work, but I don't know how easy that would be, as I don't have very good C knowledge.
Use an alternate client, that supports stdin output. The Java library JSch looks quite powerful and seems to already include a terminal. Would it be possible to create a standalone application, that can a receive stdin and use that to open a terminal and auto login?
Any further suggestions would be greatly appreciated. Are you aware of any other Windows alternative to PuTTY, which supports passing credentials in a more secure way?
Following the suggestion of Martin Prikryl I was able to create a minimal example, which creates a NamedPipe in C# and passes it as a pwfile argument to PuTTY:
public void CreatePipe()
{
var server = new NamedPipeServerStream("SecretPipe");
server.WaitForConnection();
StreamWriter writer = new StreamWriter(server);
writer.Write("top!!secret");
writer.Flush();
server.Dispose();
}
Then PuTTY can be started as follows with the pipe as pwfile argument:
putty.exe -l testuser -pwfile "\\.\PIPE\SecretPipe" hostname
Since 0.77, PuTTY can read the password from a file using -pwfile switch.
when I run kinit ganesh#abc.com it asks for the password when I run through the terminal. I am trying to build same as web application using java
Acceptance criteria:-
password should pass through UI and we should able connect to the server. i.e password which we pass through UI should assign asa password.
I would recommend you to use Jsch, you can find this library here
http://www.jcraft.com/jsch
And an example or ssh connection here
http://www.jcraft.com/jsch/examples/Shell.java.html
If you're using OpenSSH ssh client, you can try implementing passing password via a companion program, specified via SSH_ASKPASS variable. Basically, you need SSH_ASKPASS to point to a binary ssh would run, and that binary must output the password on stdout.
Check this answer: How to make ssh receive the password from stdin for more details and a concrete example.
The downside is, you need an external binary - and you need to think about its security. For example, if the binary is a dynamically-generated shell script in /tmp - you need strict filesystem permissions so no one but your ssh child process can read or execute it. And if the binary itself is static and takes password from, for example, an environment variable, you must make sure that SSH won't accidentally pass this variable to remote host (e.g. via accidentally specified SendEnv).
You can use some Java SSH library (like suggested Jsch - there is a list here: SSH library for Java), if that fits your requirements. It should be the most flexible option - in terms of control you have over SSH client behavior, unless you want something Jsch doesn't support.
Also, I'd strongly suggest to consider not using passwords, but your server having a private key, and servers you connect to appending its public key to ~/.ssh/authorized_keys (unless you need password-based logins for exactly this purpose, of course). If that's a feasible scenario, you can avoid sharing any sensitive information entirely, significantly improving the security.
I have embedded a JSCH SSH Java applet in a web page and need to know if it's possible to run a script (of any language like PHP) to automate logging in and running commands. I have heard of expect4j and java robot but cannot see any way to implement it. Keep in mind, I'm not great with Java so I don't know everything about it. Any help is appreciated.
JSch is an SSH client library, and by itself only allows programmatically steered connections to another server. The user interaction has to be build around it by users of the library.
The JCTerm applet provided on the website also contains a terminal emulator in form of a Java GUI. If you only want to automatically execute some command (and maybe show its output in the web page), you could do everything on the server side, and don't need the applet with its terminal emulator. (You would need either some PHP-Java bridge on the server side or some Java-enabled webserver with a Servlet or similar, though.)
(If the web server would be the same machine as the server you'll run the command on you wouldn't even need the SSH connection, but could execute the stuff directly.)
If the server can't do anything (i.e. a "static server"), an applet is the way to go, yes. You can either modify JCTerm or create a new applet from scratch (using JCTerm's connection code as an example on how to connect to to the server).
If you don't have to fear any malicious users in your LAN (i.e. between web server and user, the SSH server doesn't matter), you can embedd the password (or preferably a private key for public-key authentication) into the applet's jar file, and pass it to the library for connection. (You should also include the server's public key for easier checking.)
Provide the command(s) to a ChannelExec (instead of a ChannelShell), this makes it easier to provide input (if necessary) and capture the output. Pipe the output in a text area, or simply use a green/red label saying if the command was successfully executed.
(I might have a look at this in the next days and try to do it. No promise, though.)
I spent a lot of time developing an application that would use JSch and connect to a remote machine thru ssh to perform some command-line operations. However I learned that these operations can be performed at the localhost as well (my app is running on localhost). Now... I am too lazy to rewrite all the code and honestly I feel bad since I got really attached to JSch. Is there a way to trick JSch to connect to localhost instead or tell it in some way to just use localhost even though the code says otherwise? :)
P.S. in case it's not possible, how come the regular Proccess class doesnt support setOutputStream and setErrStream like JSch does, but only getInputStream and getErrorStream ??
As long as your local machine has an SSH server running (and your application has the necessary login credentials), you can use JSch to connect to your local machine, too - simply indicate localhost (or 127.0.0.1) as the host name for the connection.
This will have some overhead, though, since you are encrypting and decrypting all the data, which is not really necessary to execute some command locally. (On the other hand, this would allow you to run the commands as another user, for which you otherwise would need something like sudo or su, or RunAs under Windows.)
JSch implements the setOutputStream and setErrStream on top of the corresponding get... methods - it uses something similar to a PipedInputStream internally and a separate thread which shovels the data between those streams.
As JSch is open source, you can simply look how this is done (in the Channel class, if I remember right), and copy the relevant methods to your class which does the same things for a Process.
Is there a way to tell JSch not to encrypt the data?
You can use the none cipher, e.g. no encryption. This is by default disabled in all general-purpose clients and servers (as it defeats half of the purpose of SSH), but with the right configuration you can enable it. In JSch you can use
session.setConfig("cipher.s2c", "none,..."); // server to client
session.setConfig("cipher.c2s", "none,..."); // client to server
(This configuration option is the list of all options the client supports - see the documentation of setConfig for all supported values. The server will normally select the first one of this list that it also supports. To force no encryption (or canceling the connection), list only none.)
I don't know how to enable this in the SSH server - read your server's documentation. (And enable it only for localhost, if possible.)
The recommended way of using it is to switch to the none cipher only after authentication (so the authentication is still encrypted), but for localhost this might not be necessary. (You can use session.rekey() to switch the cipher (and key) after changing the configuration.)
Im currently using a java application to run commands on a unix box by invoking an instance of the bash as follows --
proc = Runtime.getRuntime().exec("/bin/bash", null, wd);
and Im executing commands on the box by Printwriter as follows --
PrintWriter out = new PrintWriter(new BufferedWriter(new OutputStreamWriter(proc.getOutputStream())), true);
Now, as a requirement I need to ssh onto another host, invoke an instance of that host's bash and run some commands. If this can be done without having to enter the password, it would be great. If not, how do I make the application to enter the 'password' at the right time? Reading the output of the shh command and based on that, writing out the password does not seem appealing.
Any pointers on the above would be of great help.
Regards
p1nG
Use a ssh-library written in Java instead of runtime-exec'ing a ssh program.
You can use SSH-2 for java, which seems to be actively maintained.
Alternatively, set up a pubic/private key for password-less authentication, and store the private key in the ~/.ssh folder of the user running the java program.
You can setup password-less SSH authentication. Here is a step by step guide for setting up the same.
http://manjeetdahiya.com/2011/03/03/passwordless-ssh-login/
I can't imagine how you're going to avoid supplying a password. If you could log in to a system without supplying a password just by somehow telling it that supplying a password would be inconvenient for you, this would rather destroy the value of any security. Security Guard: "Do you have an ID that allows you access to this building?" Visitor: "Yes officer, but it's too much trouble to get it out of my wallet." Guard: "Oh, okay then, go rght ahead in."
Rather than exec'ing, you probably want to establish a socket connection and pass messages back and forth cleanly. Or as others have noted, use a library that does the grunt work for you.