JSch: logging in with Kerberos authentication
Before writing this post I studied other people's posts, which cover the installation on a Linux system and simple authentication (passwordless ssh login);
blog link: Kerberos ssh authentication login based on CentOS 7
Installation and authentication with plain Java code
Below is the code for authenticating with JSch via Kerberos.
Add the Maven coordinates:
```xml
<!-- https://mvnrepository.com/artifact/com.jcraft/jsch -->
<dependency>
    <groupId>com.jcraft</groupId>
    <artifactId>jsch</artifactId>
    <version>0.1.55</version>
</dependency>
```
This demo was run on a CentOS 7 Linux server; it does not work on Windows. I lifted the method straight out of the controller class in my project, so you will need to adapt it a little to your own scenario.
```java
import com.jcraft.jsch.Channel;
import com.jcraft.jsch.ChannelExec;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import org.springframework.web.bind.annotation.RequestMapping;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Properties;

// `log` is the controller's SLF4J logger (for example a Lombok @Slf4j field)
@RequestMapping("/run")
public String connect() {
    // hostname of the server you want to connect to
    String host = "wz128";
    // user name on the server; a matching principal must be added in Kerberos
    String user = "morant";
    String command = "ls -l /tmp";
    JSch jsch = new JSch();
    System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
    System.setProperty("java.security.auth.login.config", "/etc/jaas.conf");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    // enable Kerberos debugging output
    System.setProperty("sun.security.krb5.debug", "true");
    // the next two settings must match your krb5.conf
    System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
    System.setProperty("java.security.krb5.kdc", "wz128");
    try {
        Session session = jsch.getSession(user, host, 22);
        Properties config = new java.util.Properties();
        // "no" skips host-key verification, so a spoofed server would not be detected;
        // outside a local test, keep the default and load a known_hosts file instead
        config.put("StrictHostKeyChecking", "no");
        config.put("PreferredAuthentications", "gssapi-with-mic");
        session.setConfig(config);
        session.connect(20000);
        Channel channel = session.openChannel("exec");
        // the stream must be obtained before channel.connect()
        BufferedReader bufferReader = new BufferedReader(new InputStreamReader(channel.getInputStream()));
        ((ChannelExec) channel).setCommand(command);
        channel.connect();
        StringBuilder stringBuilder = new StringBuilder();
        // keep the line breaks, otherwise the output lines run together
        for (String line = bufferReader.readLine(); line != null; line = bufferReader.readLine()) {
            stringBuilder.append(line).append(System.lineSeparator());
        }
        log.info("command execute result: {}", stringBuilder.toString());
        channel.disconnect();
        session.disconnect();
        return "done!";
    } catch (JSchException | IOException e) {
        e.printStackTrace();
    }
    return "failed";
}
```
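The controller method above disables host-key checking, which is fine for a first test but leaves the client unable to tell a real server from an impostor. The following class is an added example, not code from the original post: it performs the same GSSAPI/Kerberos login with JSch, but verifies the server against a known_hosts file, logs the host-key fingerprint, and collects stdout, stderr and the exit status without blocking on a full pipe. The user name, host name and file paths are assumptions taken from the post; adapt them to your environment.

```java
import com.jcraft.jsch.ChannelExec;
import com.jcraft.jsch.HostKey;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example: Kerberos (gssapi-with-mic) SSH exec with host-key pinning.
public class KerberosSshExec {

    /** Result of one remote command: stdout, stderr and the exit status. */
    public static final class ExecResult {
        public final String stdout;
        public final String stderr;
        public final int exitStatus;

        ExecResult(String stdout, String stderr, int exitStatus) {
            this.stdout = stdout;
            this.stderr = stderr;
            this.exitStatus = exitStatus;
        }
    }

    public static ExecResult run(String user, String host, String command)
            throws JSchException, IOException {
        // Same Kerberos/JAAS wiring as in the post (paths are assumptions)
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/etc/jaas.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        JSch jsch = new JSch();
        // Only servers whose key is already recorded here are accepted (assumed path)
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");

        Session session = jsch.getSession(user, host, 22);
        session.setConfig("StrictHostKeyChecking", "yes");
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        session.connect(20000);
        try {
            HostKey hk = session.getHostKey();
            System.out.println("connected to " + host + " with host key "
                    + hk.getType() + " " + hk.getFingerPrint(jsch));

            ChannelExec channel = (ChannelExec) session.openChannel("exec");
            channel.setCommand(command);
            // Let JSch write both streams directly into buffers; unlike reading one
            // InputStream to EOF before the other, this cannot deadlock on a full pipe
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ByteArrayOutputStream err = new ByteArrayOutputStream();
            channel.setOutputStream(out);
            channel.setErrStream(err);
            channel.connect(10000);
            try {
                // The exit status is only valid once the server has closed the channel
                while (!channel.isClosed()) {
                    try {
                        Thread.sleep(50);
                    } catch (InterruptedException e) {
                        Thread.currentThread().interrupt();
                        throw new IOException("interrupted while waiting for " + command, e);
                    }
                }
                return new ExecResult(out.toString(StandardCharsets.UTF_8.name()),
                        err.toString(StandardCharsets.UTF_8.name()),
                        channel.getExitStatus());
            } finally {
                channel.disconnect();
            }
        } finally {
            session.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "morant";  // user name from the post
        String host = args.length > 1 ? args[1] : "wz128";   // host name from the post
        ExecResult r = run(user, host, "ls -l /tmp");
        System.out.println("exit status: " + r.exitStatus);
        System.out.print(r.stdout);
        System.err.print(r.stderr);
    }
}
```

With StrictHostKeyChecking set to yes, a host that is missing from known_hosts (or whose key has changed) makes session.connect throw a JSchException instead of silently proceeding, which is the failure mode you want when the login is going to carry a Kerberos ticket.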
The /etc/krb5.conf configuration file
```ini
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
#renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
    kdc = wz128
    admin_server = wz128
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
```
The line renew_lifetime = 7d in this file tripped me up for a long time; commenting it out got it working. I haven't dug into why yet; anyone interested can look it up and leave a comment.
jaas.conf
```
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="morant@EXAMPLE.COM"
    useKeyTab=true
    keyTab="/etc/krb5.keytab"
    storeKey=true;
};
```
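Before involving JSch at all, it helps to check that the krb5.conf and jaas.conf above, together with the keytab, actually yield a ticket. The class below is an added example, not code from the original post: it runs the `com.sun.security.jgss.krb5.initiate` JAAS entry through a LoginContext and prints the principals and the Kerberos ticket that Krb5LoginModule obtained, including its validity window and whether it is renewable (the property that renew_lifetime in [libdefaults] requests). The config paths and the JAAS entry name are the ones from the post; nothing else is assumed.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

// Added example: verify the keytab login and inspect the resulting TGT without SSH.
public class KeytabLoginCheck {

    /** Compact, printable summary of one ticket held by the logged-in Subject. */
    public static String describe(KerberosTicket t) {
        StringBuilder sb = new StringBuilder();
        sb.append(t.getClient().getName()).append(" -> ").append(t.getServer().getName());
        sb.append(" valid ").append(t.getStartTime()).append(" .. ").append(t.getEndTime());
        sb.append(" forwardable=").append(t.isForwardable());
        sb.append(" renewable=").append(t.isRenewable());
        if (t.isRenewable()) {
            sb.append(" renewTill=").append(t.getRenewTill());
        }
        return sb.toString();
    }

    /**
     * Log in with the named JAAS entry and return one line per principal and ticket.
     * Throws LoginException if krb5.conf, jaas.conf, the keytab or the KDC reject the login.
     */
    public static List<String> login(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login(); // Krb5LoginModule reads the keytab and requests a TGT from the KDC
        Subject subject = lc.getSubject();
        List<String> lines = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            lines.add("principal: " + p.getName());
        }
        // Collect the summaries before logout(), which destroys the credentials
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            lines.add("ticket: " + describe(t));
        }
        lc.logout();
        return lines;
    }

    public static void main(String[] args) throws LoginException {
        // Same properties as in the post; paths are assumptions
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/etc/jaas.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        for (String line : login("com.sun.security.jgss.krb5.initiate")) {
            System.out.println(line);
        }
    }
}
```

If this class fails, the problem is in the Kerberos side (config, keytab, clock skew, KDC reachability) rather than in JSch, which narrows down where to look in the debug output that sun.security.krb5.debug produces.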
Once the code runs, the log prints something like this:
For lack of time I'll stop here; if you have questions, leave a comment 😊