            /// <summary>
            /// Builds the first Kerberos initiator token for the server principal
            /// returned by <see cref="KerberosTestUtils.GetServerPrincipal"/> and
            /// returns it base64-encoded (no line wrapping), ready for an HTTP header.
            /// </summary>
            /// <returns>The initial <c>InitSecContext</c> output token, base64 encoded.</returns>
            /// <exception cref="System.Exception"/>
            public string Call()
            {
                GSSManager manager = GSSManager.GetInstance();
                GSSContext ctx     = null;

                try
                {
                    string  targetPrincipal = KerberosTestUtils.GetServerPrincipal();
                    Oid     nameType        = KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL");
                    GSSName target          = manager.CreateName(targetPrincipal, nameType);
                    Oid     mech            = KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID");
                    ctx = manager.CreateContext(target, mech, null, GSSContext.DefaultLifetime);

                    // Delegation forwards the caller's TGT to the server. This looks like a
                    // test helper (KerberosTestUtils), so it is requested unconditionally;
                    // a production client should only ask for it when the service really
                    // has to act on the caller's behalf.
                    ctx.RequestCredDeleg(true);
                    // Mutual authentication: the server has to prove it holds the service key.
                    ctx.RequestMutualAuth(true);

                    byte[] noInput      = new byte[0];
                    byte[] initialToken = ctx.InitSecContext(noInput, 0, noInput.Length);
                    Base64 encoder      = new Base64(0);
                    return encoder.EncodeToString(initialToken);
                }
                finally
                {
                    // Always release the native context, even if InitSecContext threw.
                    if (ctx != null)
                    {
                        ctx.Dispose();
                    }
                }
            }
		/// <summary>
		/// Captures the arguments of a pending GSS unwrap so it can later be run
		/// under a privileged (Subject) scope. Nothing is validated or copied here;
		/// the buffer region (start, len) is presumably checked by the unwrap call
		/// itself - confirm before relying on it.
		/// </summary>
		/// <param name="context">Established GSS context that will unwrap the message.</param>
		/// <param name="buffer">Buffer holding the wrapped token.</param>
		/// <param name="start">Offset of the token inside <paramref name="buffer"/>.</param>
		/// <param name="len">Length of the token in bytes.</param>
		/// <param name="messageProperties">Receives the QOP/privacy state reported by unwrap.</param>
		public UnwrapPrivilegedAction(GSSContext context, byte [] buffer, int start, int len, MessageProp messageProperties)
		{
			_context = context;
			_messageProperties = messageProperties;
			_buffer = buffer;
			_start = start;
			_len = len;
		}
 /// <summary>
 /// Bundles the identity established for one client connection: the user and
 /// machine names, the remote endpoint, the GSS context that authenticated it
 /// and an opaque access token. Values are stored as given; no validation.
 /// </summary>
 /// <param name="userName">Authenticated user name.</param>
 /// <param name="machineName">Name of the client machine.</param>
 /// <param name="clientEndPoint">Remote address/port of the client.</param>
 /// <param name="authenticationContext">GSS context produced by the authentication exchange.</param>
 /// <param name="accessToken">Opaque token (type is not constrained here - see AccessToken's consumers).</param>
 public SecurityContext(string userName, string machineName, IPEndPoint clientEndPoint, GSSContext authenticationContext, object accessToken)
 {
     AccessToken           = accessToken;
     AuthenticationContext = authenticationContext;
     m_clientEndPoint      = clientEndPoint;
     m_machineName         = machineName;
     m_userName            = userName;
 }
 /// <summary>
 /// Stores the inputs of a deferred GSS unwrap (to be executed under a
 /// privileged Subject scope). The (start, len) window is recorded as-is and
 /// presumably bounds-checked by the unwrap call - confirm before relying on it.
 /// </summary>
 /// <param name="context">Established GSS context used to unwrap.</param>
 /// <param name="buffer">Buffer containing the wrapped message.</param>
 /// <param name="start">Offset of the message in <paramref name="buffer"/>.</param>
 /// <param name="len">Number of bytes belonging to the message.</param>
 /// <param name="messageProperties">Output holder for the unwrap's QOP/privacy result.</param>
 public UnwrapPrivilegedAction(GSSContext context, byte [] buffer, int start, int len, MessageProp messageProperties)
 {
     _context           = context;
     _messageProperties = messageProperties;
     _buffer            = buffer;
     _start             = start;
     _len               = len;
 }
            /// <summary>
            /// Server side of one SPNEGO round trip. Accepts the client token with an
            /// acceptor credential for HTTP/&lt;serverName&gt;, places any reply token
            /// in the WWW-Authenticate header, and answers 401 while the exchange is
            /// still in progress or 200 once the context is established.
            /// </summary>
            /// <returns>
            /// An <see cref="AuthenticationToken"/> for the authenticated principal, or
            /// null while the negotiation is incomplete.
            /// </returns>
            /// <exception cref="System.Exception"/>
            public AuthenticationToken Run()
            {
                AuthenticationToken result        = null;
                GSSContext          ctx           = null;
                GSSCredential       acceptorCreds = null;

                try
                {
                    GSSManager mgr = this._enclosing.gssManager;

                    // Acceptor credential for this host's HTTP service principal; SPNEGO is
                    // offered first, raw Kerberos as the fallback mechanism.
                    string  spn          = KerberosUtil.GetServicePrincipal("HTTP", serverName);
                    GSSName acceptorName = mgr.CreateName(spn, KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL"));
                    Oid[]   mechs        = new Oid[] {
                        KerberosUtil.GetOidInstance("GSS_SPNEGO_MECH_OID"),
                        KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID")
                    };
                    acceptorCreds = mgr.CreateCredential(acceptorName, GSSCredential.IndefiniteLifetime, mechs, GSSCredential.AcceptOnly);
                    ctx           = mgr.CreateContext(acceptorCreds);

                    byte[] reply = ctx.AcceptSecContext(clientToken, 0, clientToken.Length);
                    if (reply != null && reply.Length > 0)
                    {
                        // Continuation (or final mutual-auth) token goes back in the challenge header.
                        string challenge = base64.EncodeToString(reply);
                        response.SetHeader(KerberosAuthenticator.WwwAuthenticate,
                                           KerberosAuthenticator.Negotiate + " " + challenge);
                    }

                    if (ctx.IsEstablished())
                    {
                        // The source name is the identity proven by the GSS exchange. The short
                        // name is the local user it maps to - presumably via the configured
                        // auth_to_local rules; confirm those rules constrain foreign realms.
                        string       principal = ctx.GetSrcName().ToString();
                        KerberosName krbName   = new KerberosName(principal);
                        string       localUser = krbName.GetShortName();
                        result = new AuthenticationToken(localUser, principal, this._enclosing.GetType());
                        response.SetStatus(HttpServletResponse.ScOk);
                        KerberosAuthenticationHandler.Log.Trace("SPNEGO completed for principal [{}]", principal);
                    }
                    else
                    {
                        response.SetStatus(HttpServletResponse.ScUnauthorized);
                        KerberosAuthenticationHandler.Log.Trace("SPNEGO in progress");
                    }
                }
                finally
                {
                    // Release native context and credential regardless of outcome.
                    if (ctx != null)
                    {
                        ctx.Dispose();
                    }
                    if (acceptorCreds != null)
                    {
                        acceptorCreds.Dispose();
                    }
                }
                return result;
            }
ファイル: Krb5Helper.cs プロジェクト: runefs/Marvin
		/// <summary>
		/// Creates the Kerberos (GSS) context used for an LDAP bind, running the
		/// context creation under <paramref name="subject"/> via Subject.doAs.
		/// The requested protection is derived from <paramref name="authenticationTypes"/>.
		/// </summary>
		/// <param name="name">Target service name (passed through to the privileged action).</param>
		/// <param name="clientName">Initiating principal name.</param>
		/// <param name="subject">Subject whose credentials the context is created with.</param>
		/// <param name="authenticationTypes">Bit set selecting Sealing, Signing and/or Delegation.</param>
		/// <param name="mech">Mechanism OID string.</param>
		/// <exception cref="LdapException">Wraps the cause when the privileged action fails.</exception>
		public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)
		{
			// Decode the individual protection requests from the flag set.
			_delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;
			_signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;
			_encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;

			// Delegation hands the caller's TGT to the LDAP server; it is only worth
			// enabling when the server must act on the caller's behalf.
			CreateContextPrivilegedAction contextBuilder =
				new CreateContextPrivilegedAction (name, clientName, mech, _encryption, _signing, _delegation);
			try {
				object created = Subject.doAs (subject, contextBuilder);
				_context = (GSSContext) created;
			}
			catch (PrivilegedActionException e) {
				// Surface the underlying GSS failure rather than the doAs wrapper.
				throw new LdapException ("Problem performing token exchange with the server", LdapException.OTHER, "", e.getCause());
			}
		}
ファイル: Krb5Helper.cs プロジェクト: pmq20/mono_forked
        /// <summary>
        /// Sets up the GSS/Kerberos context for an LDAP bind. The context is built by
        /// a privileged action executed with <paramref name="subject"/> (Subject.doAs);
        /// sealing, signing and delegation are chosen from <paramref name="authenticationTypes"/>.
        /// </summary>
        /// <param name="name">Target service name handed to the privileged action.</param>
        /// <param name="clientName">Initiating principal name.</param>
        /// <param name="subject">Subject carrying the initiator credentials.</param>
        /// <param name="authenticationTypes">Flags: Sealing, Signing, Delegation.</param>
        /// <param name="mech">Mechanism OID string.</param>
        /// <exception cref="LdapException">Raised with the doAs cause when context creation fails.</exception>
        public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)
        {
            _delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;
            _signing    = (authenticationTypes & AuthenticationTypes.Signing) != 0;
            _encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;

            // Delegation forwards the caller's TGT to the LDAP server; enable only when needed.
            CreateContextPrivilegedAction contextBuilder =
                new CreateContextPrivilegedAction(name, clientName, mech, _encryption, _signing, _delegation);

            try {
                object created = Subject.doAs(subject, contextBuilder);
                _context = (GSSContext)created;
            }
            catch (PrivilegedActionException e) {
                // Report the wrapped GSS error, not the doAs wrapper itself.
                throw new LdapException("Problem performing token exchange with the server", LdapException.OTHER, "", e.getCause());
            }
        }
            /// <summary>
            /// Client side of the Kerberos handshake against HTTP/&lt;url host&gt;.
            /// Repeatedly calls InitSecContext, ships each output token through
            /// SendToken and feeds the server's answer from ReadToken back in until
            /// the context reports it is established.
            /// </summary>
            /// <returns>Always null.</returns>
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                GSSContext ctx = null;

                try
                {
                    GSSManager manager  = GSSManager.GetInstance();
                    string     spn      = KerberosUtil.GetServicePrincipal("HTTP", this._enclosing.url.GetHost());
                    Oid        nameType = KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL");
                    GSSName    target   = manager.CreateName(spn, nameType);
                    Oid        mech     = KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID");
                    ctx = manager.CreateContext(target, mech, null, GSSContext.DefaultLifetime);

                    // Delegation forwards the caller's TGT to the server - only appropriate
                    // when the service has to act on the caller's behalf.
                    ctx.RequestCredDeleg(true);
                    // Mutual authentication: the server must prove possession of the service key.
                    ctx.RequestMutualAuth(true);

                    byte[] incoming = new byte[0];
                    for (;;)
                    {
                        byte[] outgoing = ctx.InitSecContext(incoming, 0, incoming.Length);
                        if (outgoing != null)
                        {
                            this._enclosing.SendToken(outgoing);
                        }
                        if (ctx.IsEstablished())
                        {
                            break;
                        }
                        // NOTE(review): a null from ReadToken would throw on .Length above
                        // on the next iteration - confirm ReadToken never returns null.
                        incoming = this._enclosing.ReadToken();
                    }
                }
                finally
                {
                    if (ctx != null)
                    {
                        ctx.Dispose();
                        ctx = null;
                    }
                }
                return null;
            }
        /// <summary>
        /// Privileged action body: builds an initiator GSS context for the
        /// host-based service <c>_name</c> using an INITIATE_ONLY credential for
        /// <c>_clientName</c> under mechanism <c>_mech</c>. Mutual authentication is
        /// always requested; confidentiality, integrity and delegation follow the
        /// helper's flags.
        /// </summary>
        /// <returns>The configured (not yet established) GSSContext.</returns>
        /// <exception cref="PrivilegedActionException">Wraps any GSSException.</exception>
        public object run()
        {
            try
            {
                Oid        mechanism = new Oid(_mech);
                GSSManager manager   = GSSManager.getInstance();

                GSSName       initiator      = manager.createName(_clientName, GSSName__Finals.NT_USER_NAME);
                GSSCredential initiatorCreds = manager.createCredential(initiator,
                                                                        GSSContext__Finals.INDEFINITE_LIFETIME,
                                                                        mechanism,
                                                                        GSSCredential__Finals.INITIATE_ONLY);

                GSSName    acceptor = manager.createName(_name, GSSName__Finals.NT_HOSTBASED_SERVICE, mechanism);
                GSSContext ctx      = manager.createContext(acceptor, mechanism, initiatorCreds, GSSContext__Finals.INDEFINITE_LIFETIME);

                // Require the server to prove its identity before any data is protected.
                ctx.requestMutualAuth(true);
                ctx.requestConf(_encryption);

                // Integrity is requested whenever signing was asked for, or when no
                // sealing was requested at all (the argument is then always true).
                bool integrityWanted = !_encryption || _signing;
                if (integrityWanted)
                {
                    ctx.requestInteg(true);
                }

                // Delegation forwards the caller's TGT to the server; keep it off unless required.
                ctx.requestCredDeleg(_delegation);

                // NOTE: initiatorCreds is intentionally not disposed here - the original
                // reports that dispose() throws "Operation unavailable", so the handle is
                // left for garbage collection.
                return ctx;
            }
            catch (GSSException e)
            {
                throw new PrivilegedActionException(e);
            }
        }
 /// <summary>
 /// Records a GSS context and the peer token to feed into it, for a token
 /// exchange step that is later executed under a privileged Subject scope.
 /// </summary>
 /// <param name="context">GSS context being established.</param>
 /// <param name="token">Token received from the peer (may be empty for the first step).</param>
 public ExchangeTokenPrivilegedAction(GSSContext context, sbyte [] token)
 {
     _context = context;
     _token   = token;
 }
		/// <summary>
		/// Captures the context and the peer's token for one deferred step of the
		/// GSS token exchange, to be run under a privileged Subject scope.
		/// </summary>
		/// <param name="context">GSS context being established.</param>
		/// <param name="token">Token received from the peer.</param>
		public ExchangeTokenPrivilegedAction(GSSContext context, sbyte [] token)
		{
			_context = context;
			_token = token;
		}
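        /// <summary>
        /// Runs the SSH "gssapi-with-mic" user-authentication method (RFC 4462):
        /// advertises the supported mechanism OIDs, lets the server pick one,
        /// instantiates the matching <c>GSSContext</c> from the session config,
        /// drives the context-establishment token exchange, and finally sends a
        /// MIC over the session identifier and the USERAUTH_REQUEST fields.
        /// </summary>
        /// <param name="session">Transport session used to read and write packets.</param>
        /// <returns>
        /// true when the server replies SSH_MSG_USERAUTH_SUCCESS; false on any
        /// failure, unsupported mechanism, or protocol deviation.
        /// </returns>
        /// <exception cref="JSchPartialAuthException">
        /// Thrown when the server reports partial success (further methods required).
        /// </exception>
        public override bool start(Session session)
        {
            base.start(session);

            byte[] _username = Util.str2byte(username);

            packet.reset();

            // byte            SSH_MSG_USERAUTH_REQUEST(50)
            // string          user name(in ISO-10646 UTF-8 encoding)
            // string          service name(in US-ASCII)
            // string          "gssapi"(US-ASCII)
            // uint32          n, the number of OIDs client supports
            // string[n]       mechanism OIDS
            buf.putByte((byte)SSH_MSG_USERAUTH_REQUEST);
            buf.putString(_username);
            buf.putString("ssh-connection".getBytes());
            buf.putString("gssapi-with-mic".getBytes());
            buf.putInt(supported_oid.Length);
            for (int i = 0; i < supported_oid.Length; i++)
            {
                buf.putString(supported_oid.getRow(i));
            }
            session.write(packet);

            string method = null;
            int    command;

            // Wait for the server to choose a mechanism (GSSAPI_RESPONSE). Banners are
            // displayed and skipped; FAILURE or anything unexpected ends the attempt.
            while (true)
            {
                buf     = session.Read(buf);
                command = buf.getCommand() & 0xff;

                if (command == SSH_MSG_USERAUTH_FAILURE)
                {
                    return(false);
                }

                if (command == SSH_MSG_USERAUTH_GSSAPI_RESPONSE)
                {
                    buf.getInt(); buf.getByte(); buf.getByte();
                    byte[] message = buf.getString();

                    // The server's choice must be one of the OIDs we offered; the
                    // matching row selects the config key for the GSSContext class.
                    for (int i = 0; i < supported_oid.Length; i++)
                    {
                        if (Util.array_equals(message, supported_oid.getRow(i)))
                        {
                            method = supported_method[i];
                            break;
                        }
                    }

                    if (method == null)
                    {
                        return(false);
                    }

                    break; // success
                }

                if (command == SSH_MSG_USERAUTH_BANNER)
                {
                    buf.getInt(); buf.getByte(); buf.getByte();
                    byte[] _message = buf.getString();
                    byte[] lang     = buf.getString();
                    string message  = Util.byte2str(_message);
                    if (userinfo != null)
                    {
                        userinfo.showMessage(message);
                    }
                    continue;
                }
                return(false);
            }

            GSSContext context = null;

            // The implementation class comes from the session configuration (not from
            // the peer); any reflection failure simply disables this auth method.
            try
            {
                Type c = Type.GetType(session.getConfig(method));
                context = (GSSContext)(c.newInstance());
            }
            catch //(Exception e)
            {
                return(false);
            }

            try
            {
                context.create(username, session.host);
            }
            catch (JSchException)
            {
                return(false);
            }

            byte[] token = new byte[0];

            // Token exchange: each init() output is sent as GSSAPI_TOKEN, each server
            // GSSAPI_TOKEN is fed back in, until the context is established.
            while (!context.isEstablished())
            {
                try
                {
                    token = context.init(token, 0, token.Length);
                }
                catch (JSchException)
                {
                    // TODO
                    // ERRTOK should be sent?
                    // byte        SSH_MSG_USERAUTH_GSSAPI_ERRTOK
                    // string      error token
                    return(false);
                }

                if (token != null)
                {
                    packet.reset();
                    buf.putByte((byte)SSH_MSG_USERAUTH_GSSAPI_TOKEN);
                    buf.putString(token);
                    session.write(packet);
                }

                if (!context.isEstablished())
                {
                    buf     = session.Read(buf);
                    command = buf.getCommand() & 0xff;
                    if (command == SSH_MSG_USERAUTH_GSSAPI_ERROR)
                    {
                        // uint32    major_status
                        // uint32    minor_status
                        // string    message
                        // string    language tag

                        // The error body is not parsed; read on to the message that follows.
                        buf     = session.Read(buf);
                        command = buf.getCommand() & 0xff;
                        //return false;
                    }
                    else if (command == SSH_MSG_USERAUTH_GSSAPI_ERRTOK)
                    {
                        // string error token

                        // The error token is not passed to init(); read on to what follows.
                        buf     = session.Read(buf);
                        command = buf.getCommand() & 0xff;
                        //return false;
                    }

                    if (command == SSH_MSG_USERAUTH_FAILURE)
                    {
                        return(false);
                    }

                    // Only a GSSAPI_TOKEN carries continuation input for the context.
                    // Previously any other message (e.g. a banner sent mid-exchange, or an
                    // unexpected packet) had its payload handed to init() as if it were a
                    // token; treat it as a protocol error instead.
                    if (command != SSH_MSG_USERAUTH_GSSAPI_TOKEN)
                    {
                        return(false);
                    }

                    buf.getInt(); buf.getByte(); buf.getByte();
                    token = buf.getString();
                }
            }

            // NOTE(review): RFC 4462 expects the client to confirm mutual authentication
            // was established before sending the MIC; that check is not visible here and
            // presumably lives in the configured GSSContext implementation - confirm.

            Buffer mbuf = new Buffer();

            // MIC input (RFC 4462 section 3.5): binds this authentication to the
            // transport session and to the exact request fields.
            // string    session identifier
            // byte      SSH_MSG_USERAUTH_REQUEST
            // string    user name
            // string    service
            // string    "gssapi-with-mic"
            mbuf.putString(session.getSessionId());
            mbuf.putByte((byte)SSH_MSG_USERAUTH_REQUEST);
            mbuf.putString(_username);
            mbuf.putString("ssh-connection".getBytes());
            mbuf.putString("gssapi-with-mic".getBytes());

            byte[] mic = context.getMIC(mbuf.buffer, 0, mbuf.getLength());

            if (mic == null)
            {
                return(false);
            }

            packet.reset();
            buf.putByte((byte)SSH_MSG_USERAUTH_GSSAPI_MIC);
            buf.putString(mic);
            session.write(packet);

            // The context is no longer needed once the MIC is out.
            context.dispose();

            buf     = session.Read(buf);
            command = buf.getCommand() & 0xff;

            if (command == SSH_MSG_USERAUTH_SUCCESS)
            {
                return(true);
            }
            else if (command == SSH_MSG_USERAUTH_FAILURE)
            {
                buf.getInt(); buf.getByte(); buf.getByte();
                byte[] foo             = buf.getString();   // name-list of methods that can continue
                int    partial_success = buf.getByte();
                //Console.Error.WriteLine(Encoding.UTF8.GetString(foo)+
                //		 " partial_success:"+(partial_success!=0));
                if (partial_success != 0)
                {
                    throw new JSchPartialAuthException(Encoding.UTF8.GetString(foo));
                }
            }
            return(false);
        }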