Package org.apache.sshd.server.auth.gss

Class GSSAuthenticator

  • public class GSSAuthenticator
extends Object
    Class providing basic GSS authentication services. Can be used as-is, but is often extended to provide environment specific implementations.
    Author:
    Richard Evans

    • Constructor Detail

      • GSSAuthenticator

        public GSSAuthenticator()

    • Method Detail

      • getGSSManager

        public GSSManager getGSSManager()
        Overridable method to get GSS manager suitable for current environment.
        Returns:
        A new manager

      • getGSSCredential

        public GSSCredential getGSSCredential​(GSSManager mgr)
                               throws UnknownHostException,
                                      LoginException,
                                      GSSException
        Overridable method to get GSS accept credential suitable for the current environment. The default implementation uses a Kerberos key table.
        Parameters:
        mgr - The GSS manager
        Returns:
        The credential; if the result is null gssapi authentication fails immediately
        Throws:
        UnknownHostException - If the local host name could not be determined
        LoginException - If the subject could not be found
        GSSException - If the credential could not be obtained

      • validateInitialUser

        public boolean validateInitialUser​(ServerSession session,
                                   String user)
        Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message. This is sort of mandated by RFC 4462, but it may be more useful to wait for the GSS negotiation to complete. The default implementation here always succeeds.
        Parameters:
        session - The current session
        user - The user name from the initial request
        Returns:
        true if the user is valid, false if invalid

      • validateIdentity

        public boolean validateIdentity​(ServerSession session,
                                String identity)
        Validate the source identity obtained from the context after negotiation is complete. The default implementation here always succeeds.
        Parameters:
        session - The current session
        identity - The identity from the GSS context
        Returns:
        true if the identity is valid, false if invalid

      • setServicePrincipalName

        public void setServicePrincipalName​(String servicePrincipalName)
        Set the service principal name to be used. The default is host/hostname.
        Parameters:
        servicePrincipalName - The principal name

      • setKeytabFile

        public void setKeytabFile​(String keytabFile)
        Set the location of the Kerberos keytab. The default is defined by the JRE.
        Parameters:
        keytabFile - The location of the keytab