Opened 6 years ago

Closed 6 years ago

#1036 closed enhancement (fixed)

Add support for public/private key authentication

Reported by: Nicklas Nordborg
Owned by:
Priority: major
Milestone: Open Grid Scheduler service v1.2
Component: net.sf.basedb.opengrid
Keywords:
Cc:

Description

Instead of a username/password, it would be nice to be able to use a username/private key to log in to a remote server.

Change History (6)

comment:1 by Nicklas Nordborg, 6 years ago

I got this to work when using PuTTY key files, but there is a problem with OpenSSH files. At first I got an exception:

...
Caused by: net.schmizz.sshj.userauth.UserAuthException: Problem getting public key from PKCS8KeyFile{resource=[PrivateKeyStringResource]}
	at net.schmizz.sshj.userauth.method.KeyedAuthMethod.putPubKey(KeyedAuthMethod.java:46)
	at net.schmizz.sshj.userauth.method.AuthPublickey.buildReq(AuthPublickey.java:62)
	at net.schmizz.sshj.userauth.method.AuthPublickey.buildReq(AuthPublickey.java:81)
	at net.schmizz.sshj.userauth.method.AbstractAuthMethod.request(AbstractAuthMethod.java:68)
	at net.schmizz.sshj.userauth.UserAuthImpl.authenticate(UserAuthImpl.java:72)
	at net.schmizz.sshj.SSHClient.auth(SSHClient.java:225)
	... 38 more
Caused by: org.bouncycastle.openssl.PEMException: unable to convert key pair: no such provider: BC
	at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyPair(Unknown Source)
	at net.schmizz.sshj.userauth.keyprovider.PKCS8KeyFile.readKeyPair(PKCS8KeyFile.java:78)
	at net.schmizz.sshj.userauth.keyprovider.BaseFileKeyProvider.getPublic(BaseFileKeyProvider.java:81)
	at net.schmizz.sshj.userauth.keyprovider.OpenSSHKeyFile.getPublic(OpenSSHKeyFile.java:55)
	at net.schmizz.sshj.userauth.method.KeyedAuthMethod.putPubKey(KeyedAuthMethod.java:44)
	... 43 more
Caused by: java.security.NoSuchProviderException: no such provider: BC
	at sun.security.jca.GetInstance.getService(Unknown Source)
	at sun.security.jca.GetInstance.getInstance(Unknown Source)
	at java.security.KeyFactory.getInstance(Unknown Source)
	at org.bouncycastle.jcajce.util.NamedJcaJceHelper.createKeyFactory(Unknown Source)
	at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyFactory(Unknown Source)

It is a known issue since #831 that it is not a good idea to register BouncyCastle as a security provider since it will cause problems with class loading.

But after registering BouncyCastle the OpenSSH key also works. Maybe we should start shipping BouncyCastle with the BASE core? That would solve the problem with different extensions having to supply their own versions. Of course, it will still be a problem for anyone running more than one BASE installation in the same Tomcat instance (typically in development environments).
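
A pre-flight check that could run before a private key file is handed to the SSH library, so the missing-provider condition from comment 1 is reported up front instead of through a nested exception. This is an added example, not part of the original comment and not code from BASE or sshj; the class name `KeyFilePreflight`, the file-permission check and the message texts are assumptions, and only JDK classes are used.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.Security;
import java.util.*;

public class KeyFilePreflight {   // hypothetical helper, not a BASE class
    /** Returns the problems found; an empty list means the key file looks usable. */
    static List<String> check(Path keyFile) throws IOException {
        List<String> problems = new ArrayList<>();
        if (!Files.isReadable(keyFile)) {
            problems.add("cannot read key file");
            return problems;
        }
        // Assumption: a private key should carry owner read/write bits only.
        if (Files.getFileStore(keyFile).supportsFileAttributeView("posix")) {
            Set<PosixFilePermission> extra = new HashSet<>(Files.getPosixFilePermissions(keyFile));
            extra.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
            if (!extra.isEmpty()) problems.add("permissions too open, extra bits: " + extra);
        }
        // Only the header line is read; key material is never loaded or printed.
        String first;
        try (BufferedReader r = Files.newBufferedReader(keyFile, StandardCharsets.ISO_8859_1)) {
            first = Objects.toString(r.readLine(), "").trim();
        }
        boolean putty = first.startsWith("PuTTY-User-Key-File-");
        boolean pem = first.startsWith("-----BEGIN ") && first.endsWith("PRIVATE KEY-----");
        if (!putty && !pem) problems.add("unrecognised private key format");
        // The trace in comment 1 shows the PEM path asking the JCA for a provider named "BC".
        if (pem && Security.getProvider("BC") == null) {
            problems.add("PEM key, but no security provider named BC is registered");
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        Path key = args.length > 0 ? Paths.get(args[0]) : Files.createTempFile("sample-key", ".pem");
        if (args.length == 0) {
            // Constructed sample: header and footer only, not a real key.
            Files.write(key, "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"
                    .getBytes(StandardCharsets.ISO_8859_1));
        }
        List<String> problems = check(key);
        System.out.println(problems.isEmpty() ? "OK" : String.join("\n", problems));
    }
}
```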

comment:2 by Nicklas Nordborg, 6 years ago

(In [4741]) References #1036: Add support for public/private key authentication

Added support for setting a private key in the configuration file. A new child element, <key-file>path-to-private-key</key-file>, should be used inside the <cluster> tag.

comment:3 by Nicklas Nordborg, 6 years ago

(In [4742]) References #1036: Add support for public/private key authentication

Connecting with private key authentication should now work. It has been tested with OpenSSH and PuTTY key files.

comment:4 by Nicklas Nordborg, 6 years ago

(In [4748]) References #1036: Add support for public/private key authentication

Getting private key information from a FileServer when creating a ConnectionInfo instance.

comment:5 by Nicklas Nordborg, 6 years ago

(In [4750]) References #1036: Add support for public/private key authentication

Added section and documented the new <key-file> tag in the example configuration file.

comment:6 by Nicklas Nordborg, 6 years ago

Resolution: fixed
Status: new → closed