Search code examples
javasshsingle-sign-onkerberosgssapi

Using TGT acquired in Java for SSH/Other applications

Currently, I am able to authenticate users in a java application by using JAAS and grabbing the ticket-granting-ticket that is sent from a Windows server running Active Directory. This is easily done with the Krb5LoginModule in java.

Now I would like to run an ssh command from my java application and use my TGT to enable ssh not to ask for password. I have seen some tutorials (OpenSSH & Kerberos) for getting ssh to work with kerberos, but they use kinit to get their TGT and the ticket is stored in /tmp/krbcc_XXX. Then after the ticket is generated they can ssh freely.

I could write the TGT to disk and store it in /tmp/krbcc_XXX or I could run the ssh command in a PrivilegedAction, however I don't know if either will work. Is there an accepted way to do this?

Basically, I would like to call something like this and have it not ask me for a password:

// Create Command.
List<String> arguments = new ArrayList<String>();
arguments.addAll(Arrays.asList("ssh", "user@host", "xterm"));

// Run SSH command.
ProcessBuilder process = new ProcessBuilder(arguments).start();
Solution

  • You have to clarify first who will initiate the SSH request. Java or the underlying Linux/Unix system. If you go with the latter, this is not cross-platform and not the Java way. You should use a Java SSH impl which supports Keberos. Everything should go smooth. JSch is a pure Java impl with gss-api-with-mic support.

    On the other hand, you could try to get the private credentials from the Subject created with the LoginContext and write it to the default CC file location.. After you have done that, try klist. If it reads the cc file, you're done. If this does not work, you could examine Sun's CC reader code and reverse it. Probably, the sun.security.krb5.internal.ccache.FileCredentialsCache is the interesting one along with its update and save methods. The task is to have the private subject credentials be compatible with the desired class sun.security.krb5.internal.ccache.Credentials. Note: This solution is completely Sun-dependent. I would go for the first approach or you rather run kinit first.