Package org.apache.sshd.server.auth.gss
Class GSSAuthenticator
java.lang.Object
org.apache.sshd.server.auth.gss.GSSAuthenticator
Class providing basic GSS authentication services. Can be used as-is, but is often extended to provide environment
specific implementations.
- Author:
- Richard Evans
-
Constructor Summary
Constructors -
Method Summary
Modifier and Type, Method, Description:
- GSSCredential getGSSCredential(GSSManager mgr): Overridable method to get GSS accept credential suitable for the current environment.
- getGSSManager: Overridable method to get GSS manager suitable for current environment.
- void setKeytabFile(String keytabFile): Set the location of the Kerberos keytab.
- void setServicePrincipalName(String servicePrincipalName): Set the service principal name to be used.
- boolean validateIdentity(ServerSession session, String identity): Validate the source identity obtained from the context after negotiation is complete.
- boolean validateInitialUser(ServerSession session, String user): Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message.
-
Constructor Details
-
GSSAuthenticator
public GSSAuthenticator()
-
-
Method Details
-
getGSSManager
Overridable method to get GSS manager suitable for current environment.
- Returns:
- A new manager
-
getGSSCredential
public GSSCredential getGSSCredential(GSSManager mgr) throws UnknownHostException, LoginException, GSSException
Overridable method to get GSS accept credential suitable for the current environment. The default implementation uses a Kerberos key table.
- Parameters:
- mgr - The GSS manager
- Returns:
- The credential; if the result is null, gssapi authentication fails immediately
- Throws:
- UnknownHostException - If the local host name could not be determined
- LoginException - If the subject could not be found
- GSSException - If the credential could not be obtained
-
validateInitialUser
Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message. This is sort of mandated by RFC 4462, but it may be more useful to wait for the GSS negotiation to complete. The default implementation here always succeeds.
- Parameters:
- session - The current session
- user - The user name from the initial request
- Returns:
- true if the user is valid, false if invalid
-
validateIdentity
Validate the source identity obtained from the context after negotiation is complete. The default implementation here always succeeds.
- Parameters:
- session - The current session
- identity - The identity from the GSS context
- Returns:
- true if the identity is valid, false if invalid
-
setServicePrincipalName
Set the service principal name to be used. The default is host/hostname.
- Parameters:
- servicePrincipalName - The principal name
-
setKeytabFile
Set the location of the Kerberos keytab. The default is defined by the JRE.
- Parameters:
- keytabFile - The location of the keytab
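Added example, not part of the Apache MINA SSHD documentation or code base: because the default validateInitialUser and validateIdentity always succeed, a subclass can bind the negotiated identity to the user name from the initial request and decide only once negotiation is complete. The class name, the realm value, the allow-list and the primary@REALM form of the identity string are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;

import org.apache.sshd.server.auth.gss.GSSAuthenticator;
import org.apache.sshd.server.session.ServerSession;

// Hypothetical subclass: the Kerberos principal must match the requested SSH user.
public class RealmBoundGSSAuthenticator extends GSSAuthenticator {
    private final String realm;             // expected realm, e.g. "EXAMPLE.COM" (constructed)
    private final Set<String> allowedUsers; // accounts permitted to log in via gssapi
    // User name from the initial request, kept per session until negotiation ends.
    private final Map<ServerSession, String> requested =
            Collections.synchronizedMap(new WeakHashMap<>());

    public RealmBoundGSSAuthenticator(String realm, Set<String> allowedUsers) {
        this.realm = realm;
        this.allowedUsers = new HashSet<>(allowedUsers);
    }

    @Override
    public boolean validateInitialUser(ServerSession session, String user) {
        if (user == null) {
            return false;
        }
        // Only record the name here; the allow-list decision is made after
        // negotiation so unknown and known users fail at the same point.
        requested.put(session, user);
        return true;
    }

    @Override
    public boolean validateIdentity(ServerSession session, String identity) {
        String user = requested.remove(session);
        if (user == null || identity == null || !allowedUsers.contains(user)) {
            return false; // fail closed: no recorded request or user not permitted
        }
        int at = identity.lastIndexOf('@');
        if (at <= 0) {
            return false; // not in the assumed primary@REALM form
        }
        String primary = identity.substring(0, at);
        String principalRealm = identity.substring(at + 1);
        // Exact matches only: "alice/admin@REALM" or a foreign realm is refused.
        return principalRealm.equals(realm) && primary.equals(user);
    }
}
```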
-