I was looking into using VFS to SFTP a file in Java. In the following documentation for setPreferredAuthentications it mentions "preferredAuthentications - The authentication order". What are the possible values? I was unable to find an answer online.
setPreferredAuthentications is equivalent to the SSH config option PreferredAuthentications: it specifies the order in which the client should try authentication methods.
Possible values are a list of SSH authentication methods, for example:
```java
import org.apache.commons.vfs2.FileSystemOptions;
import org.apache.commons.vfs2.provider.sftp.SftpFileSystemConfigBuilder;

FileSystemOptions opts = new FileSystemOptions();

// try GSSAPI first, then host-based, then public key authentication
SftpFileSystemConfigBuilder.getInstance()
        .setPreferredAuthentications(opts, "gssapi-with-mic,hostbased,publickey");
// or: password first, then keyboard-interactive
SftpFileSystemConfigBuilder.getInstance()
        .setPreferredAuthentications(opts, "password,keyboard-interactive");
```
OpenSSH perspective:
As detailed in the OpenSSH manual:
> The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, challenge-response authentication, and password authentication. Authentication methods are tried in the order specified above, though PreferredAuthentications can be used to change the default order.
> This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). For example:
> gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
The available authentication methods of OpenSSH are:
- gssapi-with-mic
- hostbased
- keyboard-interactive
- none (used for access to password-less accounts when PermitEmptyPassword is enabled)
- password
- publickey
Apache VFS perspective:
The Apache VFS project uses the JSch library as its underlying SFTP provider; you can find the detailed configuration options of JSch in its API doc here.
User Authentication methods (UserAuth)
> Here the user sends a list of methods, and we have a list of methods in the option PreferredAuthentications (in preference order). We take the first of our methods which is supported by the server, get the userauth.method variable to load the implementing class, and try to authenticate. This will repeat until we are authenticated or no more methods are left.
> The following ones are built in:
> - userauth.none: mainly for getting the list of methods the server supports.
> - userauth.password: usual password authentication.
> - userauth.keyboard-interactive: using the generic message exchange authentication mechanism, as defined in RFC 4256.
> - userauth.publickey: public key authentication, using an Identity.
> - userauth.gssapi-with-mic: using the GSS-API (see below) as defined in RFC 4462, section 3. For the GSS-API mechanism we need an implementation of GSSContext to refer to, which will be chosen by the configuration option gssapi-with-mic.method, the method being chosen from a list given by the server. For now, we (hardcoded) only support the krb5 method, resulting in:
>   - gssapi-with-mic.krb5: Kerberos 5 authentication.
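Putting the answer together, here is an added example (not from the question, the answer, or the Apache VFS project) that validates a preferred-authentications list against the method names listed above before handing it to SftpFileSystemConfigBuilder, then builds options that allow only public key authentication and lists a remote directory. It assumes commons-vfs2 2.1 or later (for IdentityInfo and a Closeable FileObject); the host name sftp.example.test, the user alice, the key and known_hosts paths and the remote directory are placeholders.

```java
import java.io.File;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.commons.vfs2.FileObject;
import org.apache.commons.vfs2.FileSystemException;
import org.apache.commons.vfs2.FileSystemManager;
import org.apache.commons.vfs2.FileSystemOptions;
import org.apache.commons.vfs2.VFS;
import org.apache.commons.vfs2.provider.sftp.IdentityInfo;
import org.apache.commons.vfs2.provider.sftp.SftpFileSystemConfigBuilder;

public class SftpAuthOrderExample {

    /** SSH method names from the OpenSSH list above; JSch only uses the ones it implements. */
    private static final Set<String> KNOWN_METHODS = new LinkedHashSet<>(Arrays.asList(
            "gssapi-with-mic", "hostbased", "publickey", "keyboard-interactive", "password", "none"));

    /**
     * Build the comma-separated value for setPreferredAuthentications.
     * Unknown or misspelled names fail here instead of being silently skipped
     * by JSch at connect time; duplicates collapse, first position wins.
     */
    static String preferredAuthentications(String... methods) {
        Set<String> ordered = new LinkedHashSet<>();
        for (String m : methods) {
            String name = m.trim().toLowerCase();
            if (!KNOWN_METHODS.contains(name)) {
                throw new IllegalArgumentException("unknown SSH auth method: " + m);
            }
            ordered.add(name);
        }
        if (ordered.isEmpty()) {
            throw new IllegalArgumentException("at least one method is required");
        }
        return String.join(",", ordered);
    }

    /**
     * Options that restrict the client to public key authentication and verify
     * the server's host key against a known_hosts file (assumed paths).
     */
    static FileSystemOptions keyOnlyOptions(File privateKey, File knownHosts) throws FileSystemException {
        FileSystemOptions opts = new FileSystemOptions();
        SftpFileSystemConfigBuilder builder = SftpFileSystemConfigBuilder.getInstance();
        builder.setPreferredAuthentications(opts, preferredAuthentications("publickey"));
        builder.setIdentityInfo(opts, new IdentityInfo(privateKey));
        // "yes" rejects unknown or changed host keys instead of accepting them
        builder.setStrictHostKeyChecking(opts, "yes");
        builder.setKnownHosts(opts, knownHosts);
        builder.setUserDirIsRoot(opts, true);
        return opts;
    }

    public static void main(String[] args) throws FileSystemException {
        File home = new File(System.getProperty("user.home"));
        File key = new File(home, ".ssh/id_ed25519");        // placeholder key path
        File knownHosts = new File(home, ".ssh/known_hosts"); // placeholder known_hosts path
        FileSystemOptions opts = keyOnlyOptions(key, knownHosts);

        FileSystemManager manager = VFS.getManager();
        // placeholder host, user and directory
        try (FileObject dir = manager.resolveFile("sftp://alice@sftp.example.test/upload", opts)) {
            for (FileObject child : dir.getChildren()) {
                System.out.println(child.getName().getBaseName());
            }
        }
    }
}
```

Because the value is only a string, a typo such as "pubkey" is not caught by the builder; validating it up front gives a clear error rather than an authentication failure that is hard to distinguish from a wrong key. Restricting the list to "publickey" also means the client never falls back to sending a password if the server offers it.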