Package org.apache.sshd.server.auth.gss

Class GSSAuthenticator

java.lang.Object

org.apache.sshd.server.auth.gss.GSSAuthenticator

public class GSSAuthenticator
extends Object

Class providing basic GSS authentication services. Can be used as-is, but is often extended to provide environment specific implementations.

Author:

Richard Evans

Constructor Summary

Constructors

Constructor	Description
GSSAuthenticator()

Method Summary

Modifier and Type	Method	Description
GSSCredential	getGSSCredential(GSSManager mgr)	Overridable method to get GSS accept credential suitable for the current environment.
GSSManager	getGSSManager()	Overridable method to get GSS manager suitable for current environment.
void	setKeytabFile(String keytabFile)	Set the location of the Kerberos keytab.
void	setServicePrincipalName(String servicePrincipalName)	Set the service principal name to be used.
boolean	validateIdentity(ServerSession session, String identity)	Validate the source identity obtained from the context after negotiation is complete.
boolean	validateInitialUser(ServerSession session, String user)	Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

GSSAuthenticator

public GSSAuthenticator()

Method Details

getGSSManager

public GSSManager getGSSManager()

Overridable method to get GSS manager suitable for current environment.

Returns:

A new manager

getGSSCredential

public GSSCredential getGSSCredential(GSSManager mgr)
                               throws UnknownHostException,
LoginException,
GSSException

Overridable method to get GSS accept credential suitable for the current environment. The default implementation uses a Kerberos key table.

Parameters:

mgr - The GSS manager

Returns:

The credential; if the result is null gssapi authentication fails immediately

Throws:

UnknownHostException - If the local host name could not be determined

LoginException - If the subject could not be found

GSSException - If the credential could not be obtained

validateInitialUser

public boolean validateInitialUser(ServerSession session,
 String user)

Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message. This is sort of mandated by RFC 4462, but it may be more useful to wait for the GSS negotiation to complete. The default implementation here always succeeds.

Parameters:

session - The current session

user - The user name from the initial request

Returns:

true if the user is valid, false if invalid

validateIdentity

public boolean validateIdentity(ServerSession session,
 String identity)

Validate the source identity obtained from the context after negotiation is complete. The default implementation here always succeeds.

Parameters:

session - The current session

identity - The identity from the GSS context

Returns:

true if the identity is valid, false if invalid

setServicePrincipalName

public void setServicePrincipalName(String servicePrincipalName)

Set the service principal name to be used. The default is host/hostname.

Parameters:

servicePrincipalName - The principal name

setKeytabFile

public void setKeytabFile(String keytabFile)

Set the location of the Kerberos keytab. The default is defined by the JRE.

Parameters:

keytabFile - The location of the keytab