21 changes: 18 additions & 3 deletions src/main/distrib/data/defaults.properties
Expand Up @@ -138,10 +138,25 @@ git.sshKeysManager = com.gitblit.transport.ssh.FileKeyManager
# SINCE 1.5.0
git.sshKeysFolder= ${baseFolder}/ssh

# Use Kerberos5 (GSS) authentication

# Authentication methods offered by the SSH server.
# Space separated list of authentication method names that the
# server shall offer. The default is "publickey password".
#
# SINCE 1.7.0
git.sshWithKrb5 = false
# Valid authentication method names are:
# publickey - authenticate with SSH public key
# password - authenticate with username, password
# keyboard-interactive - currently synonym to 'password'
# gssapi-with-mic - GSS API Kerberos 5 authentication
#
# This setting obsoletes the "git.sshWithKrb5" setting. To enable
# Kerberos5 (GSS) authentication, add 'gssapi-with-mic' to the list.
#
# SINCE 1.9.0
# RESTART REQUIRED
# SPACE-DELIMITED
git.sshAuthenticationMethods = publickey password


# The path to a Kerberos 5 keytab.
#
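Review bot: The comment block for `git.sshAuthenticationMethods` lists the valid names but does not say what an empty value, or a name left out of the list, means for the server. In the SshDaemon change on this page an empty list falls back to `publickey password`, so clearing the value does not turn password login off; an operator who wants key-only access has to set `git.sshAuthenticationMethods = publickey` explicitly. I would add two comment lines after the list of names: `# Only the methods listed here get an authenticator; an empty value falls back to the default.` and `# To disallow password logins over SSH, set this to: publickey`. It may also be worth stating that the names are matched exactly as written, which is how the `contains` checks in SshDaemon read.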
40 changes: 34 additions & 6 deletions src/main/java/com/gitblit/transport/ssh/SshDaemon.java
Expand Up @@ -23,6 +23,7 @@
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.text.MessageFormat;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;

import org.apache.sshd.common.io.IoServiceFactoryFactory;
Expand Down Expand Up @@ -55,6 +56,13 @@ public class SshDaemon {

private final Logger log = LoggerFactory.getLogger(SshDaemon.class);

private static final String AUTH_PUBLICKEY = "publickey";
private static final String AUTH_PASSWORD = "password";
private static final String AUTH_KBD_INTERACTIVE = "keyboard-interactive";
private static final String AUTH_GSSAPI = "gssapi-with-mic";



public static enum SshSessionBackend {
MINA, NIO2
}
Expand Down Expand Up @@ -97,9 +105,6 @@ public SshDaemon(IGitblit gitblit, WorkQueue workQueue) {
FileKeyPairProvider hostKeyPairProvider = new FileKeyPairProvider();
hostKeyPairProvider.setFiles(new String [] { rsaKeyStore.getPath(), dsaKeyStore.getPath(), dsaKeyStore.getPath() });

// Client public key authenticator
SshKeyAuthenticator keyAuthenticator =
new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit);

// Configure the preferred SSHD backend
String sshBackendStr = settings.getString(Keys.git.sshBackend,
Expand All @@ -125,11 +130,34 @@ public SshDaemon(IGitblit gitblit, WorkQueue workQueue) {
sshd.setPort(addr.getPort());
sshd.setHost(addr.getHostName());
sshd.setKeyPairProvider(hostKeyPairProvider);
sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator));
sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));
if (settings.getBoolean(Keys.git.sshWithKrb5, false)) {

List<String> authMethods = settings.getStrings(Keys.git.sshAuthenticationMethods);
if (authMethods.isEmpty()) {
authMethods.add(AUTH_PUBLICKEY);
authMethods.add(AUTH_PASSWORD);
}
// Keep backward compatibility with old setting files that use the git.sshWithKrb5 setting.
if (settings.getBoolean("git.sshWithKrb5", false) && !authMethods.contains(AUTH_GSSAPI)) {
authMethods.add(AUTH_GSSAPI);
log.warn("git.sshWithKrb5 is obsolete!");
log.warn("Please add {} to {} in gitblit.properties!", AUTH_GSSAPI, Keys.git.sshAuthenticationMethods);
settings.overrideSetting(Keys.git.sshAuthenticationMethods,
settings.getString(Keys.git.sshAuthenticationMethods, AUTH_PUBLICKEY + " " + AUTH_PASSWORD) + " " + AUTH_GSSAPI);
}
if (authMethods.contains(AUTH_PUBLICKEY)) {
SshKeyAuthenticator keyAuthenticator = new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit);
sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator));
log.info("SSH: adding public key authentication method.");
}
if (authMethods.contains(AUTH_PASSWORD) || authMethods.contains(AUTH_KBD_INTERACTIVE)) {
sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));
log.info("SSH: adding password authentication method.");
}
if (authMethods.contains(AUTH_GSSAPI)) {
sshd.setGSSAuthenticator(new SshKrbAuthenticator(settings, gitblit));
log.info("SSH: adding GSSAPI authentication method.");
}

sshd.setSessionFactory(new SshServerSessionFactory());
sshd.setFileSystemFactory(new DisabledFilesystemFactory());
sshd.setTcpipForwardingFilter(new NonForwardingFilter());
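Review bot: Entries in `git.sshAuthenticationMethods` that match none of the four `AUTH_*` constants are dropped without a log line by the `authMethods.contains(...)` chain in the last hunk. A misspelled or differently cased name therefore leaves that method off with no hint to the operator, and a list made up only of unknown names registers no authenticator at all; what SSHD offers in that state is not visible here. I would log a warning per unrecognised name right after the list is read, as in the excerpt below. Separately, `authMethods.add(...)` mutates the list returned by `settings.getStrings(...)`; if that call can ever return an unmodifiable list the constructor would throw, so copying it into a new `ArrayList` first is safer, which is worth confirming against the settings class. The constructor starts and ends outside the hunk.

```java
List<String> authMethods = settings.getStrings(Keys.git.sshAuthenticationMethods);
for (String method : authMethods) {
	boolean known = AUTH_PUBLICKEY.equals(method) || AUTH_PASSWORD.equals(method)
			|| AUTH_KBD_INTERACTIVE.equals(method) || AUTH_GSSAPI.equals(method);
	if (!known) {
		log.warn("SSH: ignoring unknown authentication method '{}' in {}", method, Keys.git.sshAuthenticationMethods);
	}
}
// … unchanged: default fallback, git.sshWithKrb5 compatibility, authenticator registration …
```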