Gitblit devel
parent: 9731bd47 | patch | commit | ignore whitespace
James Moger
2015-05-21 bcb1beeadeef4745dd204ea0626aa95433612c56 
Merged #247 "Add Kerberos5/GSS authentication to ssh"
5 files modified
91 ■■■■■ changed files
src/main/distrib/data/defaults.properties 22 ●●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/transport/ssh/SshDaemon.java 58 ●●●●● patch | view | raw | blame | history
src/test/config/test-gitblit.properties 2 ●●●●● patch | view | raw | blame | history
src/test/java/com/gitblit/tests/JschConfigTestSessionFactory.java 1 ●●●● patch | view | raw | blame | history
src/test/java/com/gitblit/tests/SshUnitTest.java 8 ●●●●● patch | view | raw | blame | history 
 src/main/distrib/data/defaults.properties


@@ -126,6 +126,28 @@


# SINCE 1.5.0


git.sshKeysFolder= ${baseFolder}/ssh




# Use kerberos5 (GSS) authentication


#


# SINCE 1.7.0


git.sshWithKrb5 = "false"




# The path to a kerberos 5 keytab.


#


# SINCE 1.7.0


git.sshKrb5Keytab = ""




# The service principal name to be used for Kerberos5.  The default is host/hostname.


#


# SINCE 1.7.0


git.sshKrb5ServicePrincipalName = ""




# A comma-separated list of authentication method. They will be tried in


# the given order. Possible values are 


# "gssapi-with-mic", "publickey", "keyboard-interactive" or "password"


#


# SINCE 1.7.0


git.sshAuthenticatorsOrder = "password,keyboard-interactive,publickey"




# SSH backend NIO2|MINA.


#


# The Apache Mina project recommends using the NIO2 backend.




 src/main/java/com/gitblit/transport/ssh/SshDaemon.java


@@ -23,15 +23,25 @@


import java.security.KeyPair;


import java.security.KeyPairGenerator;


import java.text.MessageFormat;


import java.util.ArrayList;


import java.util.List;


import java.util.Locale;


import java.util.concurrent.atomic.AtomicBoolean;




import org.apache.sshd.SshServer;


import org.apache.sshd.common.NamedFactory;


import org.apache.sshd.common.io.IoServiceFactoryFactory;


import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;


import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;


import org.apache.sshd.common.keyprovider.FileKeyPairProvider;


import org.apache.sshd.common.util.SecurityUtils;


import org.apache.sshd.server.auth.CachingPublicKeyAuthenticator;


import org.apache.sshd.server.UserAuth;


import org.apache.sshd.server.auth.UserAuthKeyboardInteractive;


import org.apache.sshd.server.auth.UserAuthPassword;


import org.apache.sshd.server.auth.UserAuthPublicKey;


import org.apache.sshd.server.auth.gss.GSSAuthenticator;


import org.apache.sshd.server.auth.gss.UserAuthGSS;


import org.bouncycastle.openssl.PEMWriter;


import org.eclipse.jgit.internal.JGitText;


import org.slf4j.Logger;


@@ -120,7 +130,49 @@


        } else {


            addr = new InetSocketAddress(bindInterface, port);


        }




		


        //Will do GSS ?


        GSSAuthenticator gssAuthenticator = null;


        if(settings.getBoolean(Keys.git.sshWithKrb5, false)) {


            gssAuthenticator = new GSSAuthenticator();


            String keytabString = settings.getString(Keys.git.sshKrb5Keytab,


                    "");


            if(! keytabString.isEmpty()) {


                gssAuthenticator.setKeytabFile(keytabString);


            }


            String servicePrincipalName = settings.getString(Keys.git.sshKrb5ServicePrincipalName,


                    "");


            if(! servicePrincipalName.isEmpty()) {


                gssAuthenticator.setServicePrincipalName(servicePrincipalName);


            }			


        }


		


        //Sort the authenticators for sshd


        List<NamedFactory<UserAuth>> userAuthFactories = new ArrayList<>();


        String sshAuthenticatorsOrderString = settings.getString(Keys.git.sshAuthenticatorsOrder,


                "password,keyboard-interactive,publickey");


        for(String authenticator: sshAuthenticatorsOrderString.split(",")) {


            String authenticatorName = authenticator.trim().toLowerCase(Locale.US);


            switch (authenticatorName) {


            case "gssapi-with-mic":


                if(gssAuthenticator != null) {


                    userAuthFactories.add(new UserAuthGSS.Factory());					


                }


                break;


            case "publickey":


                userAuthFactories.add(new UserAuthPublicKey.Factory());


                break;


            case "password":


                userAuthFactories.add(new UserAuthPassword.Factory());


                break;


            case "keyboard-interactive":


                userAuthFactories.add(new UserAuthKeyboardInteractive.Factory());


                break;


            default:


                log.error("Unknown ssh authenticator: '{}'", authenticatorName);


            }


        }


		


        // Create the SSH server


        sshd = SshServer.setUpDefaultServer();


        sshd.setPort(addr.getPort());


@@ -128,6 +180,10 @@


        sshd.setKeyPairProvider(hostKeyPairProvider);


        sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator));


        sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));


        if(gssAuthenticator != null) {


            sshd.setGSSAuthenticator(gssAuthenticator);


        }


        sshd.setUserAuthFactories(userAuthFactories);


        sshd.setSessionFactory(new SshServerSessionFactory());


        sshd.setFileSystemFactory(new DisabledFilesystemFactory());


        sshd.setTcpipForwardingFilter(new NonForwardingFilter());




 src/test/config/test-gitblit.properties


@@ -9,6 +9,8 @@


git.daemonPort = 8300


git.sshPort = 29418


git.sshKeysManager = com.gitblit.transport.ssh.MemoryKeyManager


git.sshWithKrb5 = true


git.sshAuthenticatorsOrder = password, publickey,gssapi-with-mic,invalid


groovy.scriptsFolder = src/main/distrib/data/groovy


groovy.preReceiveScripts = blockpush


groovy.postReceiveScripts = sendmail




 src/test/java/com/gitblit/tests/JschConfigTestSessionFactory.java


@@ -21,6 +21,7 @@


    @Override



    protected void configure(OpenSshConfig.Host host, Session session) {



        session.setConfig("StrictHostKeyChecking", "no");



        session.setConfig("PreferredAuthentications", "password");



    }







    @Override





 src/test/java/com/gitblit/tests/SshUnitTest.java


@@ -24,13 +24,18 @@


import java.security.KeyPair;


import java.security.KeyPairGenerator;


import java.security.PublicKey;


import java.util.ArrayList;


import java.util.List;


import java.util.concurrent.atomic.AtomicBoolean;




import org.apache.sshd.ClientChannel;


import org.apache.sshd.ClientSession;


import org.apache.sshd.SshClient;


import org.apache.sshd.client.ServerKeyVerifier;


import org.apache.sshd.common.NamedFactory;


import org.apache.sshd.common.util.SecurityUtils;


import org.apache.sshd.client.UserAuth;


import org.apache.sshd.client.auth.UserAuthPublicKey;


import org.junit.After;


import org.junit.AfterClass;


import org.junit.Before;


@@ -102,6 +107,9 @@


                return true;


            }


        });


        List<NamedFactory<UserAuth>> userAuthFactories = new ArrayList<>();


        userAuthFactories.add(new UserAuthPublicKey.Factory());


        client.setUserAuthFactories(userAuthFactories);


        client.start();


        return client;


    }