2017-01-20 62 views
2

JSch cannot connect via a Kerberos keytab file

I built a Java application that runs a command over ssh. In my first attempt, authenticating with username and password, everything worked fine.

Now I want to authenticate with a Kerberos keytab file, but that is causing problems!

A few words about my configuration:

  • KDC server: my-server.de
  • Realm name: MYREALM.DE
  • Keytab username: keytabuser
  • KDC server: running on CentOS 7
  • My client: Windows 8.1 (x64) with all default settings, Kerberos for Windows installed
  • My username on the client: Daniel
  • kinit -kt ... seems to work fine, so the keytab file should be OK as well

What I have so far is this code snippet:

import java.io.IOException;
import java.util.Properties;

import com.jcraft.jsch.Channel;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;

public class JschKerberos {
    public static void main(String[] args) {
        String host = "my-server.de";
        String user = "keytabuser";
        String command = "ls -l";

        JSch jsch = new JSch();
        jsch.setLogger(new MyLogger()); // MyLogger: own com.jcraft.jsch.Logger implementation (not shown)

        // Point the JVM at the MIT Kerberos config and the JAAS login config.
        // useSubjectCredsOnly=false lets JGSS log in by itself through the
        // "com.sun.security.jgss.krb5.initiate" JAAS entry (keytab), without a Subject.
        System.setProperty("java.security.krb5.conf", "C:\\ProgramData\\MIT\\Kerberos5\\krb5.ini");
        System.setProperty("java.security.auth.login.config", "C:\\ProgramData\\MIT\\Kerberos5\\jaas.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // to enable kerberos debugging mode
        System.setProperty("sun.security.krb5.debug", "true");

        try {
            Session session = jsch.getSession(user, host, 22);
            Properties config = new Properties();
            config.put("StrictHostKeyChecking", "no");
            config.put("PreferredAuthentications", "gssapi-with-mic");

            session.setConfig(config);
            session.connect(20000);

            Channel channel = session.openChannel("exec");
            ... // Do the commands

            channel.disconnect();
            session.disconnect();
            System.out.println("DONE");

        } catch (JSchException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

This is my jaas.conf file:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="keytabuser@MYREALM.DE"
    useKeyTab=true
    keyTab="C:\ProgramData\MIT\Kerberos5\keytabuser.keytab"
    storeKey=true;
};

And here is my krb5.ini file:

[libdefaults] 
    default_realm = MYREALM.DE 

[realms] 
    MYREALM.DE = { 
    admin_server = my-server.de 
    kdc = my-server.de 
    } 

When I run the application I get the following output:

Update: new output after switching the dependency to jsch 0.1.54

INFO: Connecting to my-server.de port 22 
INFO: Connection established 
INFO: Remote version string: SSH-2.0-OpenSSH_6.6.1 
INFO: Local version string: SSH-2.0-JSCH-0.1.54 
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256 
INFO: aes256-ctr is not available. 
INFO: aes192-ctr is not available. 
INFO: aes256-cbc is not available. 
INFO: aes192-cbc is not available. 
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 
INFO: SSH_MSG_KEXINIT sent 
INFO: SSH_MSG_KEXINIT received 
INFO: kex: server: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
INFO: kex: server: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 
INFO: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] 
INFO: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] 
INFO: kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 
INFO: kex: server: h[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 
INFO: kex: server: none,[email protected] 
INFO: kex: server: none,[email protected] 
INFO: kex: server: 
INFO: kex: server: 
INFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc 
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc 
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96 
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96 
INFO: kex: client: none 
INFO: kex: client: none 
INFO: kex: client: 
INFO: kex: client: 
INFO: kex: server->client aes128-ctr hmac-md5 none 
INFO: kex: client->server aes128-ctr hmac-md5 none 
INFO: SSH_MSG_KEX_ECDH_INIT sent 
INFO: expecting SSH_MSG_KEX_ECDH_REPLY 
INFO: ssh_rsa_verify: signature true 
WARN: Permanently added 'my-server.de' (RSA) to the list of known hosts. 
INFO: SSH_MSG_NEWKEYS sent 
INFO: SSH_MSG_NEWKEYS received 
INFO: SSH_MSG_SERVICE_REQUEST sent 
INFO: SSH_MSG_SERVICE_ACCEPT received 
INFO: Authentications that can continue: gssapi-with-mic 
INFO: Next authentication method: gssapi-with-mic 
INFO: Disconnecting from my-server.de port 22 
com.jcraft.jsch.JSchException: Auth fail 
    at com.jcraft.jsch.Session.connect(Session.java:519) 
    at kerberos.JschKerberos.main(JschKerberos.java:49) 

Given the new console output, is there something wrong with my configuration? Are there some conditions between the local side (user, domain name, etc.) and the remote user?

+0

My 2 cents: to get all the debug traces, add '-Dsun.security.krb5.debug=true -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext' on the command line, so that you don't miss any initialization step –

+0

Also set 'useTicketCache=false' and 'storeKey=false' to make sure you don't suffer from side effects coming from the cache. Since you provide the keytab to JAAS, you can keep your tickets private to your Java process. –

+0

OK, I will try it later, thanks for your help. Are jaas.conf and krb5.ini fine, or have I missed something? –

Answer

1

I finally found the solution! It was the missing service keytab for the sshd service! Some service principals are not generated automatically by the Kerberos server. So this has to be done manually with kadmin, because the sshd service also has to authenticate against Kerberos! This is done with the host/fqdn@REALM.COM principal.

Important note: "host" is a fixed string (!), and I had always replaced it with the hostname of my OpenSSH server machine... So only "fqdn" and "REALM.COM" have to be replaced with your own data!

So these are the steps that were necessary to get the application working:

  1. Set GSSAPIAuthentication yes in the /etc/ssh/sshd_conf config file of the OpenSSH server
  2. Set Host * [...] GSSAPIAuthentication yes in the /etc/ssh/ssh_conf config file of the SSH client
  3. Check the client for the correct settings in the jaas.conf and krb5.conf (or .ini) files (see the code blocks in the question section above)
  4. On the Kerberos server open kadmin.local and type ktadd host/my-server.de
  5. Optional: add the user principal (if it does not exist yet): ktadd keytabuser
  6. Do a kinit keytabuser (with password) or kinit -kt /path/to/file.keytab keytabuser (normal Kerberos commands)
  7. Check whether the user can log in directly from the console with ssh keytabuser@my-server.de
  8. You should now have a cached ticket, which you can see with klist
  9. Run the application or the ssh authentication!

Of course, the user keytabuser must exist as a user on the ssh-server machine!
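The failure the answer identifies (no host/fqdn@REALM service principal for sshd) surfaces in JSch only as "Auth fail". The pre-flight check below, added here and not part of the original post or of JSch, asks JGSS for a service ticket to that host principal using the same system properties as the question's snippet, so a missing sshd principal shows up as a plain Kerberos error before any SSH connection is attempted. The class name SshKerberosPreflight and the my-server.de hostname are assumptions taken from the question.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Pre-flight check: can this JVM obtain a Kerberos service ticket for the sshd host principal? */
public class SshKerberosPreflight {
    // Kerberos V5 GSS-API mechanism OID (RFC 1964).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /**
     * Builds a GSS initiator context for host/<fqdn>@REALM, the SPN sshd's gssapi-with-mic uses.
     * Returns null on success, otherwise the Kerberos error text (for example
     * "Server not found in Kerberos database" when the host principal is missing on the KDC).
     */
    public static String checkHostServiceTicket(String fqdn) {
        GSSManager manager = GSSManager.getInstance();
        GSSContext context = null;
        try {
            // NT_HOSTBASED_SERVICE "host@fqdn" is canonicalised to host/fqdn@REALM by the Krb5 mechanism.
            GSSName serverName = manager.createName("host@" + fqdn, GSSName.NT_HOSTBASED_SERVICE);
            context = manager.createContext(serverName, new Oid(KRB5_MECH_OID), null,
                    GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);
            // The first initSecContext call triggers the TGS-REQ for host/fqdn; a missing SPN fails here,
            // with the JAAS keytab login (com.sun.security.jgss.krb5.initiate) happening implicitly.
            byte[] apReq = context.initSecContext(new byte[0], 0, 0);
            return apReq == null ? "no AP-REQ token produced" : null;
        } catch (GSSException e) {
            return e.getMessage();
        } finally {
            if (context != null) {
                try { context.dispose(); } catch (GSSException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Same settings as the question's snippet (assumed paths; adjust to your installation).
        System.setProperty("java.security.krb5.conf", "C:\\ProgramData\\MIT\\Kerberos5\\krb5.ini");
        System.setProperty("java.security.auth.login.config", "C:\\ProgramData\\MIT\\Kerberos5\\jaas.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        String problem = checkHostServiceTicket("my-server.de");
        System.out.println(problem == null
                ? "Service ticket for host/my-server.de obtained; gssapi-with-mic can proceed"
                : "Kerberos problem before SSH was even attempted: " + problem);
    }
}
```

Run it with -Dsun.security.krb5.debug=true to see the TGS exchange that JSch's "Auth fail" hides.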

+2

Duh. So you tried Kerberos authentication with SSH without first binding the Linux server's authentication *globally* to Kerberos (via 'sssd' and the default '/etc/krb5.keytab'). And you did not know the Kerberos SPN (Service Principal Name) syntax. Looks like you got it all working in the end, congratulations... –