Execute a script on remote server from a java application authenticating via kerberos keytabs

Question

This has been most likely answered earlier, but all my searches did not get me a definite answer. What I've got is a Java application that currently uses ssh keys to run a script on a remote machine and save the results. I'm in the process of changing this to a Kerberos authentication using keytabs. I have the keytab set up and tested it using a perl script. If someone could point me to examples that tell me how to use kerberos keytabs in a Java application, that would be very helpful.

Thanks, Kiran

Answer 1

Here's a full implementation of using a keytab in Java.

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class SecurityUtils {
    public static class LoginConfig extends Configuration {
        private String keyTabLocation;
        private String servicePrincipalName;
        private boolean debug;

        public LoginConfig(String keyTabLocation, String servicePrincipalName, boolean debug) {
            this.keyTabLocation = keyTabLocation;
            this.servicePrincipalName = servicePrincipalName;
            this.debug = debug;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            HashMap<String, String> options = new HashMap<String, String>();
            options.put("useKeyTab", "true");
            options.put("keyTab", this.keyTabLocation);
            options.put("principal", this.servicePrincipalName);
            options.put("storeKey", "true");
            options.put("doNotPrompt", "true");
            if (this.debug) {
                options.put("debug", "true");
            }
            options.put("isInitiator", "false");

            return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options),};
        }
    }

    public static Subject loginAs(String keyTabLocation, String servicePrincipal) {
        try {
            LoginConfig loginConfig = new LoginConfig(keyTabLocation, servicePrincipal, true);
            Set<Principal> princ = new HashSet<Principal>(1);
            princ.add(new KerberosPrincipal(servicePrincipal));
            Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
            LoginContext lc;
            lc = new LoginContext("", sub, null, loginConfig);
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            e.printStackTrace();
        }
        return null;
    }
}

The loginAs method will return you a Subject which can be used to execute a privileged action:

result = Subject.doAs(subject,
        new PrivilegedExceptionAction<NamingEnumeration<SearchResult>>() {
            public NamingEnumeration<SearchResult> run() throws NamingException {
                return context.search(directoryBase, filterBuilder.toString(), searchCtls);
            }
        });