Package org.apache.sshd.server.auth.gss
Class GSSAuthenticator
java.lang.Object
org.apache.sshd.server.auth.gss.GSSAuthenticator
Class providing basic GSS authentication services. Can be used as-is, but is often extended to provide environment
specific implementations.
-
Field Summary
Fields -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionOverridable method to get GSS accept credential suitable for the current environment.Overridable method to get GSS manager suitable for current environment.voidsetKeytabFile(String keytabFile) Set the location of the Kerberos keytab.voidsetServicePrincipalName(String servicePrincipalName) Set the service principal name to be used.booleanvalidateIdentity(ServerSession session, String identity) Validate the source identity obtained from the context after negotiation is complete.booleanvalidateInitialUser(ServerSession session, String user) Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message.
-
Field Details
-
servicePrincipalName
-
keytabFile
-
-
Constructor Details
-
GSSAuthenticator
public GSSAuthenticator()
-
-
Method Details
-
getGSSManager
Overridable method to get GSS manager suitable for current environment.- Returns:
- A new manager
-
getGSSCredential
public GSSCredential getGSSCredential(GSSManager mgr) throws UnknownHostException, LoginException, GSSException Overridable method to get GSS accept credential suitable for the current environment. The default implementation uses a Kerberos key table.- Parameters:
mgr- The GSS manager- Returns:
- The credential; if the result is
nullgssapi authentication fails immediately - Throws:
UnknownHostException- If the local host name could not be determinedLoginException- If the subject could not be foundGSSException- If the credential could not be obtained
-
validateInitialUser
Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message. This is sort of mandated by RFC 4462, but it may be more useful to wait for the GSS negotiation to complete. The default implementation here always succeeds.- Parameters:
session- The current sessionuser- The user name from the initial request- Returns:
trueif the user is valid,falseif invalid
-
validateIdentity
Validate the source identity obtained from the context after negotiation is complete. The default implementation here always succeeds.- Parameters:
session- The current sessionidentity- The identity from the GSS context- Returns:
trueif the identity is valid,falseif invalid
-
setServicePrincipalName
Set the service principal name to be used. The default is host/hostname.- Parameters:
servicePrincipalName- The principal name
-
setKeytabFile
Set the location of the Kerberos keytab. The default is defined by the JRE.- Parameters:
keytabFile- The location of the keytab
-