Package org.apache.sshd.server.auth.gss
Class GSSAuthenticator
- java.lang.Object
-
- org.apache.sshd.server.auth.gss.GSSAuthenticator
-
public class GSSAuthenticator extends Object
Class providing basic GSS authentication services. Can be used as-is, but is often extended to provide environment specific implementations.- Author:
- Richard Evans
-
-
Constructor Summary
Constructors Constructor Description GSSAuthenticator()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description GSSCredential
getGSSCredential(GSSManager mgr)
Overridable method to get GSS accept credential suitable for the current environment.GSSManager
getGSSManager()
Overridable method to get GSS manager suitable for current environment.void
setKeytabFile(String keytabFile)
Set the location of the Kerberos keytab.void
setServicePrincipalName(String servicePrincipalName)
Set the service principal name to be used.boolean
validateIdentity(ServerSession session, String identity)
Validate the source identity obtained from the context after negotiation is complete.boolean
validateInitialUser(ServerSession session, String user)
Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message.
-
-
-
Method Detail
-
getGSSManager
public GSSManager getGSSManager()
Overridable method to get GSS manager suitable for current environment.- Returns:
- A new manager
-
getGSSCredential
public GSSCredential getGSSCredential(GSSManager mgr) throws UnknownHostException, LoginException, GSSException
Overridable method to get GSS accept credential suitable for the current environment. The default implementation uses a Kerberos key table.- Parameters:
mgr
- The GSS manager- Returns:
- The credential; if the result is
null
gssapi authentication fails immediately - Throws:
UnknownHostException
- If the local host name could not be determinedLoginException
- If the subject could not be foundGSSException
- If the credential could not be obtained
-
validateInitialUser
public boolean validateInitialUser(ServerSession session, String user)
Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message. This is sort of mandated by RFC 4462, but it may be more useful to wait for the GSS negotiation to complete. The default implementation here always succeeds.- Parameters:
session
- The current sessionuser
- The user name from the initial request- Returns:
true
if the user is valid,false
if invalid
-
validateIdentity
public boolean validateIdentity(ServerSession session, String identity)
Validate the source identity obtained from the context after negotiation is complete. The default implementation here always succeeds.- Parameters:
session
- The current sessionidentity
- The identity from the GSS context- Returns:
true
if the identity is valid,false
if invalid
-
setServicePrincipalName
public void setServicePrincipalName(String servicePrincipalName)
Set the service principal name to be used. The default is host/hostname.- Parameters:
servicePrincipalName
- The principal name
-
setKeytabFile
public void setKeytabFile(String keytabFile)
Set the location of the Kerberos keytab. The default is defined by the JRE.- Parameters:
keytabFile
- The location of the keytab
-
-