Opened 4 months ago

Closed 3 months ago

#1036 closed enhancement (fixed)

Add support for public/private key authentication

Reported by: nicklas
Owned by:
Priority: major
Milestone: Open Grid Scheduler service v1.2
Component: net.sf.basedb.opengrid
Keywords:
Cc:

Description

Instead of a username/password, it would be nice to be able to use a username/private key to log in to a remote server.

Change History (6)

comment:1 Changed 4 months ago by nicklas

I got this to work when using PuTTY key files, but there is a problem with OpenSSH files. At first I got an exception:

...
Caused by: net.schmizz.sshj.userauth.UserAuthException: Problem getting public key from PKCS8KeyFile{resource=[PrivateKeyStringResource]}
	at net.schmizz.sshj.userauth.method.KeyedAuthMethod.putPubKey(KeyedAuthMethod.java:46)
	at net.schmizz.sshj.userauth.method.AuthPublickey.buildReq(AuthPublickey.java:62)
	at net.schmizz.sshj.userauth.method.AuthPublickey.buildReq(AuthPublickey.java:81)
	at net.schmizz.sshj.userauth.method.AbstractAuthMethod.request(AbstractAuthMethod.java:68)
	at net.schmizz.sshj.userauth.UserAuthImpl.authenticate(UserAuthImpl.java:72)
	at net.schmizz.sshj.SSHClient.auth(SSHClient.java:225)
	... 38 more
Caused by: org.bouncycastle.openssl.PEMException: unable to convert key pair: no such provider: BC
	at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyPair(Unknown Source)
	at net.schmizz.sshj.userauth.keyprovider.PKCS8KeyFile.readKeyPair(PKCS8KeyFile.java:78)
	at net.schmizz.sshj.userauth.keyprovider.BaseFileKeyProvider.getPublic(BaseFileKeyProvider.java:81)
	at net.schmizz.sshj.userauth.keyprovider.OpenSSHKeyFile.getPublic(OpenSSHKeyFile.java:55)
	at net.schmizz.sshj.userauth.method.KeyedAuthMethod.putPubKey(KeyedAuthMethod.java:44)
	... 43 more
Caused by: java.security.NoSuchProviderException: no such provider: BC
	at sun.security.jca.GetInstance.getService(Unknown Source)
	at sun.security.jca.GetInstance.getInstance(Unknown Source)
	at java.security.KeyFactory.getInstance(Unknown Source)
	at org.bouncycastle.jcajce.util.NamedJcaJceHelper.createKeyFactory(Unknown Source)
	at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyFactory(Unknown Source)

It is a known issue since #831 that it is not a good idea to register BouncyCastle as a security provider since it will cause problems with class loading.

But after registering BouncyCastle the OpenSSH key also works. Maybe we should start shipping BouncyCastle with the BASE core? That would solve the problem with different extensions having to supply their own versions. Of course, it will still be a problem for anyone running more than one BASE installation in the same Tomcat instance (typically in development environments).

comment:2 Changed 3 months ago by nicklas

(In [4741]) References #1036: Add support for public/private key authentication

Added support for setting a private key in the configuration file. A new child element, <key-file>path-to-private-key</key-file>, should be used inside the <cluster> tag.

comment:3 Changed 3 months ago by nicklas

(In [4742]) References #1036: Add support for public/private key authentication

Connecting with private key authentication should now work. It has been tested with OpenSSH and PuTTY key files.

comment:4 Changed 3 months ago by nicklas

(In [4748]) References #1036: Add support for public/private key authentication

Getting private key information from a FileServer when creating a ConnectionInfo instance.

comment:5 Changed 3 months ago by nicklas

(In [4750]) References #1036: Add support for public/private key authentication

Added section and documented the new <key-file> tag in the example configuration file.

comment:6 Changed 3 months ago by nicklas

  • Resolution set to fixed
  • Status changed from new to closed