maven-dev mailing list archives

From Stephen Connolly <stephen.alan.conno...@gmail.com>
Subject Re: Jsch issue with Java 7 and Kerberos enabled ssh servers (was Re: about the bug)
Date Fri, 08 May 2015 12:37:26 GMT
On 3 May 2015 at 08:50, Hervé BOUTEMY <herve.boutemy@free.fr> wrote:

> I had a few private email discussions with Deng: it seems he is facing a
> known issue with Java 7 + Kerberos enabled ssh servers + Jsch that was
> already faced by:
> - Ant: https://bz.apache.org/bugzilla/show_bug.cgi?id=53437
> - Mule: https://www.mulesoft.org/jira/browse/MULE-6864
> and probably others
>
>
> I think the workaround proposed by Jsch is interesting:
>   http://sourceforge.net/p/jsch/mailman/message/29359265/
> session.setConfig("PreferredAuthentications",
>                     "publickey,keyboard-interactive,password");
>
> any objection from people with more knowledge on the topic?
>

So the default order is:

gssapi-with-mic,publickey,keyboard-interactive,password

The gssapi-with-mic is the one that is triggering Kerberos.

I think the fix for
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=4460771 caused the
change in behaviour.

If I understand the prioritisation:

* Assuming you have a valid Kerberos session and you are authenticating
against another server using the same Kerberos servers, you would want to
use Kerberos... this is why the default is to try Kerberos... but now the
JRE is doing some session manipulation or otherwise and as a result you get
prompted for the Kerberos details (which get ignored because the realm you
are connecting to is a different Kerberos realm)

* Next you want public key as that is stronger than passwords

* Next you want keyboard interactive as that lets the server do the really
annoying "please enter the 3rd, 7th, 1st and 8th characters of your
password" with the benefit of exposing less of your password... not that
any servers that I have seen do that... but you know in theory...

* Finally you want password... most servers disable this and force keyboard
interactive to ask for the password (as it is more secure IIUC)

So this change turns off Kerberos... frankly I cannot see much of a use
case for Maven using Kerberos auth by default, so I say

+1


>
>
> Ideally, I'd like to create a unit-test, because that would really improve
> wagon-ssh maintainability, but I need to discover how to create an embedded
> Kerberos enabled SSH server: help needed on this :)
>

You could use MINA's SSH server to respond and claim it has gssapi-with-mic
support followed by public key and see if you get the gssapi-with-mic
attempted


>
>
> And finally, I found https://issues.apache.org/jira/browse/WAGON-355
> "Expose PreferredAuthentications property of jsch in some way", which seems
> highly desirable since it seems this is a really tricky part that would be
> useful to be configurable by end-users to fit their particular needs: any
> hint on how to provide this feature?
>

We should provide this... what about via the <server>'s configuration block?


>
>
> Notice: I created WAGON-439
> https://issues.apache.org/jira/browse/WAGON-439 to
> track the issue
>
> Regards,
>
> Hervé
>
> On Sunday 3 May 2015 07:23:07 Hervé Boutemy wrote:
> > Hi Pengfei,
> >
> > This is an INFO message, not a failure: it explains why it is switching
> to
> > SSH key instead of agent.
> >
> > Regards,
> >
> > Hervé
> >
> > On Thursday 30 April 2015 12:01:49 Barrie Treloar wrote:
> > > Please use the Maven users list for these questions.
> > >
> > > On 30 April 2015 at 11:47, Pengfei Deng <Pengfei.Deng@ericsson.com>
> wrote:
> > > >  Hi all ,
> > > >
> > > > When I try to use maven-release-plugin and use
> > > >
> > > > release:clean release:prepare release:perform I got error below:
> > > >
> > > >
> > > >
> > > > [INFO] [INFO] --- maven-site-plugin:3.4:deploy (default-deploy) @ site-deploy-test ---
> > > >
> > > > [INFO] Unable to connect to agent: com.jcraft.jsch.agentproxy.AgentProxyException: connector is not available:
> > > >
> > > >
> > > > And the source code is like this:
> > > >
> > > >     try
> > > >     {
> > > >         // Prefer keys held by a running ssh-agent (reached through jsch-agent-proxy)
> > > >         Connector connector = ConnectorFactory.getDefault().createConnector();
> > > >         if ( connector != null )
> > > >         {
> > > >             IdentityRepository repo = new RemoteIdentityRepository( connector );
> > > >             sch.setIdentityRepository( repo );
> > > >         }
> > > >     }
> > > >     catch ( AgentProxyException e )
> > > >     {
> > > >         // Not fatal: reported as a session debug message, then the on-disk key is used
> > > >         fireSessionDebug( "Unable to connect to agent: " + e.toString() );
> > > >     }
> > > >
> > > > Could you please help?
> > > >
> > > >
> > > >
> > > > Best Regards,
> > > >
> > > >
> > > > *PENGFEI DENG *
> > > > Software Design Engineer
> > > >
> > > > BURA DURA RCI CBC Tools JCAT and Config
> > > >
> > > >
> > > > *Ericsson*
> > > > No.5 WangJing East Road Chaoyang District Beijing
> > > > 100102, China
> > > > Phone +86 15652957083
> > > >
> > > > Office +86 10 84767195
> > > > Pengfei.Deng@ericsson.com
> > > > www.ericsson.com
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Legal entity: CBC/XIT, registered office in RndP. This Communication is
> > > > Confidential. We only send and receive email on the basis of the terms
> > > > set out at www.ericsson.com/email_disclaimer
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> > For additional commands, e-mail: users-help@maven.apache.org
>
>
>
>
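The two mechanisms discussed in this thread, the agent-or-key-file fallback from the quoted wagon-ssh snippet and the PreferredAuthentications override proposed on the Jsch list, put together in one added example. This is my illustration, not wagon-ssh or JSch code. The property name wagon.ssh.preferredAuthentications is hypothetical (nothing in wagon-ssh defines it; WAGON-355 asks for an equivalent), and the known_hosts and identity paths are whatever the caller supplies.

```java
import com.jcraft.jsch.IdentityRepository;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.agentproxy.AgentProxyException;
import com.jcraft.jsch.agentproxy.Connector;
import com.jcraft.jsch.agentproxy.ConnectorFactory;
import com.jcraft.jsch.agentproxy.RemoteIdentityRepository;

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example, not wagon-ssh code: open a JSch session that (1) uses a running
 * ssh-agent when one is reachable and falls back to a key file otherwise, and
 * (2) applies an explicit PreferredAuthentications order so gssapi-with-mic is
 * only attempted when the caller asks for it.
 */
public class SshSessionExample {

    /** Methods JSch implements; anything else in a user-supplied list is rejected, not passed through. */
    private static final Set<String> KNOWN_METHODS = new LinkedHashSet<String>(Arrays.asList(
            "gssapi-with-mic", "publickey", "keyboard-interactive", "password"));

    /** The order proposed on the Jsch list: JSch's default minus gssapi-with-mic. */
    static final String WITHOUT_GSSAPI = "publickey,keyboard-interactive,password";

    /** Hypothetical property name; wagon-ssh does not define it (WAGON-355 asks for an equivalent). */
    static final String PREFERRED_AUTH_PROPERTY = "wagon.ssh.preferredAuthentications";

    /** Validate and normalise a comma-separated method list: trim, drop empties and duplicates. */
    static String normalise(String list) {
        Set<String> out = new LinkedHashSet<String>();
        for (String raw : list.split(",")) {
            String method = raw.trim();
            if (method.isEmpty()) {
                continue;
            }
            if (!KNOWN_METHODS.contains(method)) {
                throw new IllegalArgumentException("unknown SSH auth method: " + method);
            }
            out.add(method);
        }
        if (out.isEmpty()) {
            throw new IllegalArgumentException("PreferredAuthentications must name at least one method");
        }
        StringBuilder sb = new StringBuilder();
        for (String method : out) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(method);
        }
        return sb.toString();
    }

    /** Prefer the agent (private keys never leave it); fall back to an on-disk identity, as wagon-ssh does. */
    static void installIdentities(JSch jsch, String identityFile) throws JSchException {
        try {
            Connector connector = ConnectorFactory.getDefault().createConnector();
            if (connector != null) {
                IdentityRepository repo = new RemoteIdentityRepository(connector);
                jsch.setIdentityRepository(repo);
                return;
            }
        } catch (AgentProxyException e) {
            // Same situation as the "[INFO] Unable to connect to agent" line in the thread: informational only.
            System.err.println("no ssh-agent reachable (" + e + "), using " + identityFile);
        }
        jsch.addIdentity(identityFile);
    }

    static Session open(String user, String host, int port, String knownHosts, String identityFile)
            throws JSchException {
        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHosts);             // needed for the strict host-key check below
        installIdentities(jsch, identityFile);

        Session session = jsch.getSession(user, host, port);
        session.setConfig("StrictHostKeyChecking", "yes"); // "no" would silently accept any host key
        String order = normalise(System.getProperty(PREFERRED_AUTH_PROPERTY, WITHOUT_GSSAPI));
        session.setConfig("PreferredAuthentications", order);
        session.connect(30000);
        return session;
    }

    public static void main(String[] args) throws JSchException {
        // JSch's built-in order, shown next to the one actually applied
        System.out.println("JSch default: " + JSch.getConfig("PreferredAuthentications"));
        System.out.println("using:        " + normalise(System.getProperty(PREFERRED_AUTH_PROPERTY, WITHOUT_GSSAPI)));
        Session session = open(args[0], args[1], 22, args[2], args[3]);
        try {
            System.out.println("connected to " + session.getHost());
        } finally {
            session.disconnect();
        }
    }
}
```

Run it as java SshSessionExample user host ~/.ssh/known_hosts ~/.ssh/id_rsa, and pass -Dwagon.ssh.preferredAuthentications=gssapi-with-mic,publickey to get the Kerberos attempt back for a host that really is in your realm. Note that JSch only tries methods the server advertises in its list after the first failed "none" attempt, so keeping gssapi-with-mic first is harmless against servers that do not offer it; the Java 7 prompt described above only shows up when the server does offer it and the JRE's GSS layer has no usable ticket for that realm.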
