
I have a simple Java application which runs an ssh command on a remote host using JSch. The implementation works for username and password.

Now, I've set up a Kerberos server and want to authenticate using the same. From a client system (Linux) I can ssh to the remote host and run commands using Kerberos authentication, and it works fine.
Things I tried:

  • Initialise the Kerberos user with: kinit -kt <keytab_file_path> <kUser>
  • Run the ssh command: ssh <kUser>@<remote_host> uname -a

The above command works perfectly without asking me to authenticate using a password.
Configuration details:

  • KDC server on: Linux 7.6
  • Client and server on: Linux 7.6
  • Kerberos user: kuser
  • kuser is also present on the client and server systems but does not have a home directory
  • Jsch version: 0.1.50
  • Java version: Amazon Corretto 11.0.7
openjdk version "11.0.7" 2020-04-14 LTS
OpenJDK Runtime Environment Corretto-11.0.7.10.1 (build 11.0.7+10-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.7.10.1 (build 11.0.7+10-LTS, mixed mode)

Code snippet:
    package com.example;

    import com.jcraft.jsch.Channel;
    import com.jcraft.jsch.ChannelExec;
    import com.jcraft.jsch.JSch;
    import com.jcraft.jsch.Session;
    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.util.Properties;

    public class TestJsch {
        public static void main(String[] args) {
            JSch jsch = new JSch();
            jsch.setLogger(new MyLogger()); // MyLogger is the poster's own com.jcraft.jsch.Logger implementation (not shown)

            // Kerberos and JAAS settings used by the JDK's GSS-API provider; both config files are shown below
            System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
            System.setProperty("java.security.auth.login.config", "/etc/krb5login.conf");
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
            // Kerberos and JAAS debug output (this produces the log shown further down)
            System.setProperty("sun.security.krb5.debug", "true");
            System.setProperty("java.security.debug", "gssloginconfig,configfile,configparser,logincontext");
            System.setProperty("java.security.krb5.realm", "MYREALM.COM");
            System.setProperty("java.security.krb5.kdc", "myrealm.com");

            String user = "kuser";
            String host = "remote_host";
            String port = "22";

            try {
                System.out.println("Starting session");
                Session session = jsch.getSession(user, host, Integer.parseInt(port));
                Properties config = new java.util.Properties();
                // Skips host-key verification: acceptable for this test, not for production use
                config.put("StrictHostKeyChecking", "no");
                // Only attempt Kerberos (GSS-API) authentication
                config.put("PreferredAuthentications", "gssapi-with-mic");
                session.setConfig(config);
                System.out.println("Connecting to session");
                session.connect(20000);
                System.out.println("Opening Channel");
                Channel channel = session.openChannel("exec");

                System.out.println("Connecting to channel");
                // Creating BufferedReader to read the command output from the host
                BufferedReader bufferReader = new BufferedReader(new InputStreamReader(channel.getInputStream()));

                ((ChannelExec) channel).setCommand("uname -a");
                channel.connect();

                System.out.println("Command executed");
                StringBuilder stringBuilder = new StringBuilder();
                for (String string = bufferReader.readLine(); string != null; string = bufferReader.readLine()) {
                    stringBuilder.append(string).append(System.lineSeparator()); // keep line breaks between output lines
                }

                System.out.println(stringBuilder.toString());

                channel.disconnect();
                session.disconnect();
                System.out.println("DONE");

            } catch (Exception e) {
                System.out.println("Exception:");
                e.printStackTrace();
            }
        }
    }

Below is my JAAS conf file:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  principal="kuser"
  useKeyTab=true
  refreshKrb5Config=true
  keyTab="/etc/kuser.keytab"
  debug=true
  storeKey=true;
};

krb5.conf is as below:
[libdefaults]
 default_realm = MYREALM.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tkt_enctypes = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac
 default_tgs_enctypes = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac
 permitted_enctypes   = camellia128-cts-cmac camellia256-cts-cmac hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd rc4-hmac

[realms]
 MYREALM.COM = {
  kdc = myrealm.com
  admin_server = myrealm.com
  default_domain = myrealm.com
 }

After running the above standalone Java program, I get the exception below:
    Starting session
    Connecting to session
    INFO: Connecting to remote_host port 22
    INFO: Connection established
    INFO: Remote version string: SSH-2.0-OpenSSH_7.4
    INFO: Local version string: SSH-2.0-JSCH-0.1.50
    INFO: Authentications that can continue: gssapi-with-mic
    INFO: Next authentication method: gssapi-with-mic
    Java config name: /etc/krb5.conf
    Loading krb5 profile at /etc/krb5.conf
    Loaded from Java config
    Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/kuser.keytab refreshKrb5Config is true principal is kuser tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Refreshing Kerberos configuration
    Java config name: /etc/krb5.conf
    Loading krb5 profile at /etc/krb5.conf
    Loaded from Java config
      KdcAccessibility: reset
      KdcAccessibility: reset
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 76; type: 18
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 17
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 68; type: 16
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 23
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 76; type: 26
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 60; type: 25
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 52; type: 8
      KeyTabInputStream, readName(): MYREALM.com
      KeyTabInputStream, readName(): kuser
      KeyTab: load() entry length: 52; type: 3
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
    default etypes for default_tkt_enctypes: 18 17 16 3 18 17 16 23.
      KrbAsReq creating message
      KrbKdcReq send: kdc=myrealm.com UDP:88, timeout=30000, number of retries =3, #bytes=199
      KDCCommunication: kdc=myrealm.com UDP:88, timeout=30000,Attempt =1, #bytes=199
      KrbKdcReq send: #bytes read=738
      KdcAccessibility: remove myrealm.com
    Looking for keys for: kuser@MYREALM.com
    Added key: 3version: 4
    Found unsupported keytype (8) for kuser@MYREALM.com
    Found unsupported keytype (25) for kuser@MYREALM.com
    Found unsupported keytype (26) for kuser@MYREALM.com
    Added key: 23version: 4
    Added key: 16version: 4
    Added key: 17version: 4
    Added key: 18version: 4
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
                    [Krb5LoginModule] authentication failed
    Message stream modified (41)
    INFO: Disconnecting from remote_host 22
    Exception:
    com.jcraft.jsch.JSchException: Auth fail
            at com.jcraft.jsch.Session.connect(Session.java:512)
            at com.example.TestJsch.main(TestJsch.java:49)

Thanks

  • What is the problem/question? – Useme Alehosaini Dec 12 '20 at 01:13
  • The Java program is not able to connect to the remote server and execute the commands using JSch and Kerberos. I've added the exception at the end of the post. It seems the keys it found in the keytab file are not supported for something, but I'm not able to figure out the same. I tried multiple ways to solve this but was not able to get it working. – Darshan Patil Dec 14 '20 at 05:00
  • Have you implemented it successfully? – Chandru Feb 17 '23 at 11:54

1 Answer


You can modify your /etc/krb5.conf file and remove this line from the config:

renew_lifetime = 7d


I tried it and it worked; I hope this will help you!

Mostafa Ghadimi
姜泰河
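As an added diagnostic (not code from the question or the answer), the following Python script checks offline the three things this page makes visible: keytab entries whose enctypes (8, 25 and 26) the Java debug log labels "unsupported keytype", a keytab realm that differs from krb5.conf default_realm only in letter case (the log reads the keytab principal as kuser@MYREALM.com while krb5.conf and the JAAS config use MYREALM.COM, and Kerberos realm names are case-sensitive), and a renew_lifetime setting in [libdefaults], which the answer removes. It parses the MIT keytab format (version 0x0502) directly instead of shelling out to klist. The keytab bytes and the krb5.conf text are constructed inline for the demonstration, with zero-filled placeholder keys; to check real files, read /etc/kuser.keytab and /etc/krb5.conf instead of the constructed samples.

```python
"""Added diagnostic: inspect a keytab and krb5.conf [libdefaults] offline."""
import re
import struct

# Enctype numbers seen in the question's debug log (IANA Kerberos enctype registry)
ENCTYPE_NAMES = {
    3: "des-cbc-md5", 8: "des-hmac-sha1", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
# The log on this page reports exactly these three as "Found unsupported keytype"
JAVA_UNSUPPORTED = {8, 25, 26}


def _counted(b: bytes) -> bytes:
    """uint16 big-endian length prefix followed by the bytes (keytab string encoding)."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise (realm, components, enctype, kvno, key) tuples as an MIT keytab
    (format 0x0502). Used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for realm, comps, enctype, kvno, key in entries:
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Parse MIT keytab format 0x0502 into dicts with principal, realm, enctype, kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []

    def counted(p):
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = counted(pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen              # skip the key material itself
        kvno = vno8
        if end - pos >= 4:           # 32-bit vno present after the keyblock
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "realm": realm, "enctype": enctype, "kvno": kvno})
    return entries


def parse_libdefaults(text: str) -> dict:
    """Key/value pairs from the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[key] = value
    return out


def check(keytab: bytes, krb5_conf: str, principal: str) -> list:
    """Return human-readable findings for the given principal name."""
    libdefaults = parse_libdefaults(krb5_conf)
    default_realm = libdefaults.get("default_realm", "")
    entries = [e for e in parse_keytab(keytab) if e["principal"].split("@")[0] == principal]
    findings = []
    if not entries:
        findings.append(f"no keytab entry for {principal}")
    for e in entries:
        if e["enctype"] in JAVA_UNSUPPORTED:
            findings.append(f"{e['principal']} kvno {e['kvno']}: enctype {e['enctype']} "
                            f"({ENCTYPE_NAMES.get(e['enctype'], '?')}) is skipped by the Java Kerberos stack")
    for realm in sorted({e["realm"] for e in entries}):
        if realm != default_realm and realm.upper() == default_realm.upper():
            findings.append(f"keytab realm {realm} differs only in case from default_realm "
                            f"{default_realm}; Kerberos realm names are case-sensitive")
    if "renew_lifetime" in libdefaults:
        findings.append(f"[libdefaults] sets renew_lifetime = {libdefaults['renew_lifetime']}; "
                        "the answer on this page reports Java authentication working once it is removed")
    return findings


# Constructed sample: the enctypes from the question's log, realm spelled MYREALM.com
# as the log shows, zero-filled placeholder keys, and a krb5.conf carrying renew_lifetime.
SAMPLE_KEYTAB = build_keytab([
    ("MYREALM.com", ["kuser"], et, 4, bytes(length))
    for et, length in [(18, 32), (17, 16), (16, 24), (23, 16), (26, 32), (25, 16), (8, 8), (3, 8)]
])
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = MYREALM.COM
 renew_lifetime = 7d
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 MYREALM.COM = {
  kdc = myrealm.com
 }
"""

if __name__ == "__main__":
    for line in check(SAMPLE_KEYTAB, SAMPLE_KRB5_CONF, "kuser"):
        print(line)
```

The unsupported-enctype findings are informational: the log shows Java skipping those entries and still sending its AS-REQ with the AES key, so they do not by themselves explain the "Message stream modified (41)" failure. The realm-case and renew_lifetime findings are the ones worth acting on first, and after any change the sun.security.krb5.debug output from the question's program is the quickest way to confirm whether the Krb5LoginModule step now succeeds.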