org.apache.sshd.server.auth.gss
Class GSSAuthenticator

java.lang.Object
  extended by org.apache.sshd.server.auth.gss.GSSAuthenticator

public class GSSAuthenticator
extends Object

Class providing basic GSS authentication services. Can be used as-is, but is often extended to provide environment specific implementations.

Author:
Richard Evans

Constructor Summary
GSSAuthenticator()
           
 
Method Summary
 GSSCredential getGSSCredential(GSSManager mgr)
          Overridable method to get GSS accept credential suitable for the current environment.
 GSSManager getGSSManager()
          Overridable method to get GSS manager suitable for current environment.
 void setKeytabFile(String keytabFile)
          Set the location of the Kerberos keytab.
 void setServicePrincipalName(String servicePrincipalName)
          Set the service principal name to be used.
 boolean validateIdentity(ServerSession session, String identity)
          Validate the source identity obtained from the context after negotiation is complete.
 boolean validateInitialUser(ServerSession session, String user)
          Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

GSSAuthenticator

public GSSAuthenticator()
Method Detail

getGSSManager

public GSSManager getGSSManager()
Overridable method to get GSS manager suitable for current environment.

Returns:
A new manager

getGSSCredential

public GSSCredential getGSSCredential(GSSManager mgr)
                               throws UnknownHostException,
                                      LoginException,
                                      GSSException
Overridable method to get GSS accept credential suitable for the current environment. The default implementation uses a Kerberos key table.

Parameters:
mgr - The GSS manager
Returns:
The credential; if the result is null gssapi authentication fails immediately
Throws:
UnknownHostException - If the local host name could not be determined
LoginException - If the subject could not be found
GSSException - If the credential could not be obtained

validateInitialUser

public boolean validateInitialUser(ServerSession session,
                                   String user)
Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message. This is sort of mandated by RFC 4462, but it may be more useful to wait for the GSS negotiation to complete. The default implementation here always succeeds.

Parameters:
session - The current session
user - The user name from the initial request
Returns:
true if the user is valid, false if invalid

validateIdentity

public boolean validateIdentity(ServerSession session,
                                String identity)
Validate the source identity obtained from the context after negotiation is complete. The default implementation here always succeeds.

Parameters:
session - The current session
identity - The identity from the GSS context
Returns:
true if the identity is valid, false if invalid

setServicePrincipalName

public void setServicePrincipalName(String servicePrincipalName)
Set the service principal name to be used. The default is host/hostname.

Parameters:
servicePrincipalName - The principal name

setKeytabFile

public void setKeytabFile(String keytabFile)
Set the location of the Kerberos keytab. The default is defined by the JRE.

Parameters:
keytabFile - The location of the keytab


Copyright © 2008-2012 Apache Software Foundation. All Rights Reserved.