apache mina sshd验证客户端签名
[英]apache mina sshd authenticate client signatures
问题描述
I'm trying to authenticate a signature that clients generate from their private key and send to the server. 
我正在尝试验证客户端从其私钥生成的签名并发送到服务器。
The only authenticator I could find in the library that sounded appropriate was the PublickeyAuthenticator . 我能在库中找到唯一合适的认证者是PublickeyAuthenticator 。 Please correct me if this is the wrong class to do this. 如果这是错误的类,请纠正我。
I currently have: 我目前有:
this.sshServer.setPublickeyAuthenticator(new PublickeyAuthenticator() {
@Override
public boolean authenticate(String username, PublicKey key, ServerSession session) {
if (username.equals("client")) {
//if signature == valid??
return true;
}
}
});
Does anyone know if mina supports signature verification and if so, how can it be implemented? 有谁知道mina是否支持签名验证,如果支持,如何实施?
My understanding is that I'd first have to assign/add the user public key to the server. 我的理解是,我首先必须将用户公钥分配/添加到服务器。 If the client has provided a id_rsa.pub file, how can I go about adding this file to the server as the public key? 如果客户端提供了id_rsa.pub文件,我该如何将此文件作为公钥添加到服务器?
1 个解决方案
解决方案1
5 已采纳 2016-09-01 03:43:48
Mina SSH has a few implementations of PublickeyAuthenticator . Mina SSH有一些PublickeyAuthenticator实现。
Look at org.apache.sshd.server.config.keys.AuthorizedKeysAuthenticator and org.apache.sshd.server.auth.pubkey.KeySetPublickeyAuthenticator . 查看org.apache.sshd.server.config.keys.AuthorizedKeysAuthenticator和org.apache.sshd.server.auth.pubkey.KeySetPublickeyAuthenticator 。
Implementations of PublickeyAuthenticator only check that the given public key is associated with the user. PublickeyAuthenticator实现仅检查给定的公钥是否与用户相关联。
The actual verification of the signature is handled internally to MINA SSH after the authentication. 验证后,签名的实际验证在内部处理到MINA SSH。
The AuthorizedKeysAuthenticator only supports one user(it doesnt check the username), but you could for example just point it at your id_rsa.pub file and it should work. AuthorizedKeysAuthenticator仅支持一个用户(它不会检查用户名),但您可以将其指向您的id_rsa.pub文件,它应该可以工作。
this.sshServer.setPublickeyAuthenticator(
new AuthorizedKeysAuthenticator(new File("id_rsa.pub"));
You could write your own PublicKeyAuthenticator that checks the keys against a map of users like so: 您可以编写自己的PublicKeyAuthenticator ,根据用户地图检查密钥,如下所示:
public class UserKeySetPublickeyAuthenticator implements PublickeyAuthenticator {
private final Map<String, Collection<? extends PublicKey>> userToKeySet;
public UserKeySetPublickeyAuthenticator(Map<String, Collection<? extends PublicKey>> userToKeySet) {
this.userToKeySet = userToKeySet;
}
@Override
public boolean authenticate(String username, PublicKey key, ServerSession session) {
return KeyUtils.findMatchingKey(key, userToKeySet.getOrDefault(username, Collections.emptyList())) != null;
}
}
You need to write some code to populate the map with your key data. 您需要编写一些代码来使用您的密钥数据填充地图。 AuthorizedKeyEntry has utility methods for doing this from files, inputstreams or strings. AuthorizedKeyEntry具有从文件,输入流或字符串执行此操作的实用程序方法。
An example of reading from user named authorized key files: 从用户命名的授权密钥文件中读取的示例:
Map<String, List<PublicKey>> userKeysMap = new HashMap<>();
List<String> users = Arrays.asList("Jim", "Sally", "Bob");
for(String user : users){
List<PublicKey> usersKeys = new ArrayList<>();
for(AuthorizedKeyEntry ake : AuthorizedKeyEntry.readAuthorizedKeys(new File(user + "_authorized_keys"))){
PublicKey publicKey = ake.resolvePublicKey(PublicKeyEntryResolver.IGNORING);
if(publicKey != null){
usersKeys.add(publicKey);
}
}
userKeysMap.put(user, usersKeys);
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.