/// <summary>
/// Produces the first client-side GSS-API (Kerberos) token for the test server
/// principal and returns it Base64-encoded. The context is only used for this
/// single InitSecContext call and is disposed before returning.
/// </summary>
/// <returns>The initial InitSecContext output token, Base64-encoded.</returns>
/// <exception cref="System.Exception"/>
public string Call()
{
    GSSManager manager = GSSManager.GetInstance();
    GSSContext context = null;
    try
    {
        // Target: the test server's principal, named as a Kerberos principal.
        string principal = KerberosTestUtils.GetServerPrincipal();
        GSSName target = manager.CreateName(principal, KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL"));
        Oid mech = KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID");
        context = manager.CreateContext(target, mech, null, GSSContext.DefaultLifetime);

        // Credential delegation is requested unconditionally, together with mutual authentication.
        context.RequestCredDeleg(true);
        context.RequestMutualAuth(true);

        // First leg of the handshake: no input token yet.
        byte[] empty = new byte[0];
        byte[] outToken = context.InitSecContext(empty, 0, empty.Length);
        Base64 encoder = new Base64(0);
        return encoder.EncodeToString(outToken);
    }
    finally
    {
        if (context != null)
        {
            context.Dispose();
        }
    }
}
/// <summary>
/// Stores the GSS context, the input window (<paramref name="buffer"/> from
/// <paramref name="start"/> for <paramref name="len"/> bytes) and the message
/// properties that the unwrap action uses when it runs.
/// </summary>
public UnwrapPrivilegedAction(GSSContext context, byte[] buffer, int start, int len, MessageProp messageProperties)
{
    _context = context;
    _messageProperties = messageProperties;
    // Input window into the wrapped payload.
    _buffer = buffer;
    _start = start;
    _len = len;
}
/// <summary>
/// Describes an authenticated client: user and machine names plus the client
/// endpoint are kept in private fields; the GSS context that authenticated the
/// client and the opaque access token are exposed through properties.
/// </summary>
public SecurityContext(string userName, string machineName, IPEndPoint clientEndPoint, GSSContext authenticationContext, object accessToken)
{
    // Identity and origin of the client.
    m_clientEndPoint = clientEndPoint;
    m_machineName = machineName;
    m_userName = userName;
    // Authentication material (properties are set last, as in the original).
    AuthenticationContext = authenticationContext;
    AccessToken = accessToken;
}
/// <summary>
/// Captures everything the privileged unwrap needs: the established GSS context,
/// the wrapped bytes (<paramref name="buffer"/>, <paramref name="start"/>,
/// <paramref name="len"/>) and the <see cref="MessageProp"/> to fill in.
/// </summary>
public UnwrapPrivilegedAction(GSSContext context, byte[] buffer, int start, int len, MessageProp messageProperties)
{
    _messageProperties = messageProperties;
    _context = context;
    _len = len;
    _start = start;
    _buffer = buffer;
}
/// <summary>
/// Server-side SPNEGO step: accepts one client token with an acceptor credential
/// for HTTP/<c>serverName</c>. Any continuation token is echoed back in the
/// WWW-Authenticate header; the response status is 401 while the context is still
/// being established and 200 once it is, in which case an
/// <see cref="AuthenticationToken"/> for the client principal is returned.
/// </summary>
/// <returns>The token for the authenticated principal, or null while the handshake is in progress.</returns>
/// <exception cref="System.Exception"/>
public AuthenticationToken Run()
{
    AuthenticationToken result = null;
    GSSContext gssContext = null;
    GSSCredential gssCreds = null;
    try
    {
        GSSManager manager = this._enclosing.gssManager;

        // Acceptor credential for the HTTP service principal, offered for SPNEGO and raw Kerberos.
        GSSName serviceName = manager.CreateName(
            KerberosUtil.GetServicePrincipal("HTTP", serverName),
            KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL"));
        Oid[] mechs = new Oid[]
        {
            KerberosUtil.GetOidInstance("GSS_SPNEGO_MECH_OID"),
            KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID")
        };
        gssCreds = manager.CreateCredential(serviceName, GSSCredential.IndefiniteLifetime, mechs, GSSCredential.AcceptOnly);
        gssContext = manager.CreateContext(gssCreds);

        byte[] serverToken = gssContext.AcceptSecContext(clientToken, 0, clientToken.Length);
        if (serverToken != null && serverToken.Length > 0)
        {
            // Continuation / mutual-auth token goes back to the client.
            string challenge = base64.EncodeToString(serverToken);
            response.SetHeader(KerberosAuthenticator.WwwAuthenticate, KerberosAuthenticator.Negotiate + " " + challenge);
        }

        if (gssContext.IsEstablished())
        {
            string clientPrincipal = gssContext.GetSrcName().ToString();
            string userName = new KerberosName(clientPrincipal).GetShortName();
            result = new AuthenticationToken(userName, clientPrincipal, this._enclosing.GetType());
            response.SetStatus(HttpServletResponse.ScOk);
            KerberosAuthenticationHandler.Log.Trace("SPNEGO completed for principal [{}]", clientPrincipal);
        }
        else
        {
            response.SetStatus(HttpServletResponse.ScUnauthorized);
            KerberosAuthenticationHandler.Log.Trace("SPNEGO in progress");
        }
    }
    finally
    {
        if (gssContext != null)
        {
            gssContext.Dispose();
        }
        if (gssCreds != null)
        {
            gssCreds.Dispose();
        }
    }
    return result;
}
/// <summary>
/// Creates a client GSS context towards <paramref name="name"/> on behalf of
/// <paramref name="subject"/>. The Sealing, Signing and Delegation bits of
/// <paramref name="authenticationTypes"/> select the context options requested.
/// </summary>
/// <exception cref="LdapException">Raised when the privileged context creation fails; wraps the underlying cause.</exception>
public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)
{
    // Decode the requested protection options from the flags enum.
    _encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;
    _signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;
    _delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;

    CreateContextPrivilegedAction createContext =
        new CreateContextPrivilegedAction(name, clientName, mech, _encryption, _signing, _delegation);
    try
    {
        // Runs under the subject's identity so its Kerberos credentials are used.
        _context = (GSSContext)Subject.doAs(subject, createContext);
    }
    catch (PrivilegedActionException e)
    {
        throw new LdapException("Problem performing token exchange with the server", LdapException.OTHER, "", e.getCause());
    }
}
/// <summary>
/// Builds the Kerberos helper: records which protections (sealing, signing,
/// delegation) were requested and establishes the initial GSS context for
/// <paramref name="name"/> as <paramref name="subject"/>.
/// </summary>
/// <exception cref="LdapException">Wraps the cause of a PrivilegedActionException thrown during context creation.</exception>
public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)
{
    bool sealing = (authenticationTypes & AuthenticationTypes.Sealing) != 0;
    bool signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;
    bool delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;
    _encryption = sealing;
    _signing = signing;
    _delegation = delegation;

    CreateContextPrivilegedAction action =
        new CreateContextPrivilegedAction(name, clientName, mech, sealing, signing, delegation);
    try
    {
        _context = (GSSContext)Subject.doAs(subject, action);
    }
    catch (PrivilegedActionException e)
    {
        // Surface the real GSS failure as the LDAP exception's cause.
        throw new LdapException("Problem performing token exchange with the server", LdapException.OTHER, "", e.getCause());
    }
}
/// <summary>
/// Client side of the GSS-API handshake with the HTTP service of the enclosing
/// URL: each InitSecContext output is passed to SendToken, and while the context
/// is not yet established the next input token is obtained from ReadToken.
/// The context is disposed when the loop ends, whether normally or by exception.
/// </summary>
/// <returns>Always null.</returns>
/// <exception cref="System.Exception"/>
public Void Run()
{
    GSSContext context = null;
    try
    {
        GSSManager manager = GSSManager.GetInstance();
        string principal = KerberosUtil.GetServicePrincipal("HTTP", this._enclosing.url.GetHost());
        GSSName target = manager.CreateName(principal, KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL"));
        Oid mech = KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID");
        context = manager.CreateContext(target, mech, null, GSSContext.DefaultLifetime);

        // Delegation is requested unconditionally, alongside mutual authentication.
        context.RequestCredDeleg(true);
        context.RequestMutualAuth(true);

        byte[] inToken = new byte[0];
        while (true)
        {
            byte[] outToken = context.InitSecContext(inToken, 0, inToken.Length);
            if (outToken != null)
            {
                this._enclosing.SendToken(outToken);
            }
            if (context.IsEstablished())
            {
                break;
            }
            inToken = this._enclosing.ReadToken();
        }
    }
    finally
    {
        if (context != null)
        {
            context.Dispose();
            context = null;
        }
    }
    return null;
}
/// <summary>
/// Creates the initiator-side GSS context for mechanism <c>_mech</c>: acquires an
/// initiate-only credential for <c>_clientName</c>, targets <c>_name</c> as a
/// host-based service and requests mutual authentication, confidentiality
/// (<c>_encryption</c>), integrity and delegation (<c>_delegation</c>) as configured.
/// </summary>
/// <returns>The not-yet-established <see cref="GSSContext"/>, typed as object.</returns>
/// <exception cref="PrivilegedActionException">Wraps any <see cref="GSSException"/>.</exception>
public object run()
{
    try
    {
        Oid mechOid = new Oid(_mech);
        GSSManager manager = GSSManager.getInstance();

        GSSName initiator = manager.createName(_clientName, GSSName__Finals.NT_USER_NAME);
        GSSCredential initiatorCreds = manager.createCredential(
            initiator, GSSContext__Finals.INDEFINITE_LIFETIME, mechOid, GSSCredential__Finals.INITIATE_ONLY);
        // NOTE: initiatorCreds is intentionally not disposed here. The original author
        // reported that calling dispose() on it raised "GSSException: Operation unavailable".

        GSSName acceptor = manager.createName(_name, GSSName__Finals.NT_HOSTBASED_SERVICE, mechOid);
        GSSContext context = manager.createContext(
            acceptor, mechOid, initiatorCreds, GSSContext__Finals.INDEFINITE_LIFETIME);

        context.requestMutualAuth(true);
        context.requestConf(_encryption);
        // Integrity is requested unless sealing was asked for without signing;
        // inside the guard the requested value is always true.
        bool wantIntegrity = !_encryption || _signing;
        if (wantIntegrity)
        {
            context.requestInteg(true);
        }
        context.requestCredDeleg(_delegation);
        return context;
    }
    catch (GSSException e)
    {
        throw new PrivilegedActionException(e);
    }
}
/// <summary>
/// Captures the GSS context and the peer token to be fed into the next
/// handshake step when the action runs.
/// </summary>
public ExchangeTokenPrivilegedAction(GSSContext context, sbyte[] token)
{
    _context = context;
    _token = token;
}
/// <summary>
/// Pairs a GSS context with the token received from the peer; the exchange
/// itself happens when the privileged action is run.
/// </summary>
/// <param name="context">Context performing the exchange.</param>
/// <param name="token">Token to pass to the context (signed bytes, Java-style).</param>
public ExchangeTokenPrivilegedAction(GSSContext context, sbyte[] token)
{
    this._context = context;
    this._token = token;
}
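/// <summary>
/// Runs the SSH "gssapi-with-mic" user-authentication method (RFC 4462) against
/// <paramref name="session"/>: offers the supported mechanism OIDs, lets the
/// server pick one, drives the GSS token exchange, then sends a MIC over the
/// session identifier and request fields. The GSS context is disposed on every
/// exit path once it has been created successfully.
/// </summary>
/// <param name="session">The session whose transport and config are used.</param>
/// <returns>true on SSH_MSG_USERAUTH_SUCCESS, false on any failure.</returns>
/// <exception cref="JSchPartialAuthException">Server reported partial success after the MIC.</exception>
public override bool start(Session session)
{
    base.start(session);

    byte[] _username = Util.str2byte(username);

    packet.reset();
    // byte      SSH_MSG_USERAUTH_REQUEST(50)
    // string    user name (in ISO-10646 UTF-8 encoding)
    // string    service name (in US-ASCII)
    // string    "gssapi" (US-ASCII)
    // uint32    n, the number of OIDs client supports
    // string[n] mechanism OIDS
    buf.putByte((byte)SSH_MSG_USERAUTH_REQUEST);
    buf.putString(_username);
    buf.putString("ssh-connection".getBytes());
    buf.putString("gssapi-with-mic".getBytes());
    buf.putInt(supported_oid.Length);
    for (int i = 0; i < supported_oid.Length; i++)
    {
        buf.putString(supported_oid.getRow(i));
    }
    session.write(packet);

    // Wait for the server to select one of the offered mechanisms.
    string method = null;
    int command;
    while (true)
    {
        buf = session.Read(buf);
        command = buf.getCommand() & 0xff;

        if (command == SSH_MSG_USERAUTH_FAILURE)
        {
            return false;
        }

        if (command == SSH_MSG_USERAUTH_GSSAPI_RESPONSE)
        {
            // presumably skips the packet header before the payload
            buf.getInt();
            buf.getByte();
            buf.getByte();
            byte[] message = buf.getString();
            // The server's choice must be one of the OIDs we offered.
            for (int i = 0; i < supported_oid.Length; i++)
            {
                if (Util.array_equals(message, supported_oid.getRow(i)))
                {
                    method = supported_method[i];
                    break;
                }
            }
            if (method == null)
            {
                return false;
            }
            break; // success
        }

        if (command == SSH_MSG_USERAUTH_BANNER)
        {
            buf.getInt();
            buf.getByte();
            buf.getByte();
            byte[] _message = buf.getString();
            byte[] lang = buf.getString(); // consumed to advance past the language tag; not used
            string message = Util.byte2str(_message);
            if (userinfo != null)
            {
                userinfo.showMessage(message);
            }
            continue;
        }

        return false;
    }

    // The GSS implementation class name comes from the session config for the chosen method.
    GSSContext context = null;
    try
    {
        Type c = Type.GetType(session.getConfig(method));
        context = (GSSContext)(c.newInstance());
    }
    catch //(Exception e)
    {
        return false;
    }

    try
    {
        context.create(username, session.host);
    }
    catch (JSchException)
    {
        // create() failed; the context is not disposed here, matching the original behaviour.
        return false;
    }

    // From here on the context has been created and must be disposed on every exit.
    // The original only disposed it on the MIC path, leaking it on early returns.
    bool contextDisposed = false;
    try
    {
        byte[] token = new byte[0];
        while (!context.isEstablished())
        {
            try
            {
                token = context.init(token, 0, token.Length);
            }
            catch (JSchException)
            {
                // TODO
                // ERRTOK should be sent?
                // byte      SSH_MSG_USERAUTH_GSSAPI_ERRTOK
                // string    error token
                return false;
            }

            if (token != null)
            {
                packet.reset();
                buf.putByte((byte)SSH_MSG_USERAUTH_GSSAPI_TOKEN);
                buf.putString(token);
                session.write(packet);
            }

            if (!context.isEstablished())
            {
                buf = session.Read(buf);
                command = buf.getCommand() & 0xff;
                if (command == SSH_MSG_USERAUTH_GSSAPI_ERROR)
                {
                    // uint32    major_status
                    // uint32    minor_status
                    // string    message
                    // string    language tag
                    buf = session.Read(buf);
                    command = buf.getCommand() & 0xff;
                    //return false;
                }
                else if (command == SSH_MSG_USERAUTH_GSSAPI_ERRTOK)
                {
                    // string    error token
                    buf = session.Read(buf);
                    command = buf.getCommand() & 0xff;
                    //return false;
                }

                if (command == SSH_MSG_USERAUTH_FAILURE)
                {
                    return false;
                }

                // Anything else is treated as a token message and its payload used as the next input.
                buf.getInt();
                buf.getByte();
                buf.getByte();
                token = buf.getString();
            }
        }

        // MIC binds this authentication to the session and the request fields.
        Buffer mbuf = new Buffer();
        // string    session identifier
        // byte      SSH_MSG_USERAUTH_REQUEST
        // string    user name
        // string    service
        // string    "gssapi-with-mic"
        mbuf.putString(session.getSessionId());
        mbuf.putByte((byte)SSH_MSG_USERAUTH_REQUEST);
        mbuf.putString(_username);
        mbuf.putString("ssh-connection".getBytes());
        mbuf.putString("gssapi-with-mic".getBytes());

        byte[] mic = context.getMIC(mbuf.buffer, 0, mbuf.getLength());
        if (mic == null)
        {
            return false;
        }

        packet.reset();
        buf.putByte((byte)SSH_MSG_USERAUTH_GSSAPI_MIC);
        buf.putString(mic);
        session.write(packet);

        // Dispose before reading the verdict, as the original did.
        context.dispose();
        contextDisposed = true;

        buf = session.Read(buf);
        command = buf.getCommand() & 0xff;
        if (command == SSH_MSG_USERAUTH_SUCCESS)
        {
            return true;
        }
        else if (command == SSH_MSG_USERAUTH_FAILURE)
        {
            buf.getInt();
            buf.getByte();
            buf.getByte();
            byte[] foo = buf.getString(); // name-list of methods that may continue; used only in the exception message
            int partial_success = buf.getByte();
            //Console.Error.WriteLine(Encoding.UTF8.GetString(foo)+
            //                   " partial_success:"+(partial_success!=0));
            if (partial_success != 0)
            {
                throw new JSchPartialAuthException(Encoding.UTF8.GetString(foo));
            }
        }
        return false;
    }
    finally
    {
        if (!contextDisposed)
        {
            context.dispose();
        }
    }
}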