Kerberos and Java


Kusogomi Iroiro Wiki


Alright, let's go build a Kerberos client!

If you followed "Hurry up and set up Kerberos on Ubuntu!", you had a Kerberos realm running in no time, right?

This time, using "Kerberos authentication - A novice programmer's struggles" as a reference, let's write a Kerberos client in Java!

kerberosTest.java

 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import com.sun.security.auth.callback.TextCallbackHandler;

 public class kerberosTest {

 	public static void main(String[] args) {
 		// JAAS login configuration: which LoginModule to use and its options
 		System.setProperty("java.security.auth.login.config", "simple.conf");
 		// Kerberos configuration: realm, KDC addresses, encryption types
 		System.setProperty("java.security.krb5.conf", "java_krb5.conf");

 		LoginContext lc = null;
 		try {
 			// "KerberosTest" is the entry name in simple.conf;
 			// TextCallbackHandler prompts for user name and password on the terminal
 			lc = new LoginContext("KerberosTest", new TextCallbackHandler());
 			lc.login();   // AS exchange with the KDC: this is where the TGT is obtained
 			// The authenticated principal (and the TGT) now live in the Subject
 			Subject subject = lc.getSubject();
 			System.out.println("Principals: " + subject.getPrincipals());
 		} catch (LoginException e) {
 			e.printStackTrace();
 		}
 	}
 }

simple.conf

KerberosTest {
  // useTicketCache=false: do a fresh AS exchange with a password instead of
  // reading an existing ticket cache. debug=true makes the module print
  // everything it does, including the derived keys (see the run below).
  // The original entry also carried client=TRUE; that is not a
  // Krb5LoginModule option and is silently ignored, so it is dropped here.
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false debug=true;
};

java_krb5.conf

[libdefaults]
	default_realm = HOGEHOGE.COM
	default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
	default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
	dns_lookup_realm = false
	dns_lookup_kdc = false
	kdc_timeout = 1000

[realms]
	HOGEHOGE.COM = {
		kdc = 192.168.0.1:88
		kdc = 192.168.0.3:88
		admin_server = 192.168.0.3
	}
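As an added example (mine, not part of the original page), here is the same java_krb5.conf with the weak encryption types removed and the KDC list reordered. The run further down shows why both matter: the JVM advertises only etypes 23 16 1 3 (rc4-hmac, des3-cbc-sha1, des-cbc-crc, des-cbc-md5), the aes256-cts that was configured never appears, most likely because this JRE lacked the unlimited-strength JCE policy files that Java 5/6 needed for AES-256, and 192.168.0.1 eats three 1-second timeouts on every request before 192.168.0.3 answers. Single DES is forbidden by RFC 6649 and RC4 and triple-DES are deprecated by RFC 8429; aes128-cts needs no extra policy files even on Java 5/6. The values are my lab choices, and max_retries is the libdefaults key the Java Kerberos implementation reads for the retry count.

```ini
[libdefaults]
	default_realm = HOGEHOGE.COM
	# AES only. aes128-cts works on any Java 5/6 JRE; aes256-cts needs the
	# unlimited-strength policy files there (no longer an issue on 8u161+/9+).
	default_tkt_enctypes = aes256-cts aes128-cts
	default_tgs_enctypes = aes256-cts aes128-cts
	permitted_enctypes = aes256-cts aes128-cts
	dns_lookup_realm = false
	dns_lookup_kdc = false
	# milliseconds per attempt, and one attempt per KDC (default is 3)
	kdc_timeout = 1000
	max_retries = 1

[realms]
	HOGEHOGE.COM = {
		# only the KDC that actually answers; 192.168.0.1 timed out every time
		kdc = 192.168.0.3:88
		admin_server = 192.168.0.3
	}
```

If the KDC is an MIT krb5 server built as in the Ubuntu page, check that the principal actually has AES keys (kadmin's getprinc hoge lists the key types); a principal with only DES/RC4 keys will get KDC_ERR_ETYPE_NOSUPP with this configuration, which is the right outcome.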

Compile kerberosTest.java with javac, then off we go!

 $ javac kerberosTest.java
 $ java -Dsun.security.krb5.debug=true kerberosTest
 Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
 Kerberos username [masaou]: hoge
 Kerberos password for hoge: hogehoge
                 [Krb5LoginModule] user entered username: hoge

 default etypes for default_tkt_enctypes: 23 16 1 3.
 Acquire TGT using AS Exchange
 default etypes for default_tkt_enctypes: 23 16 1 3.
 >>> KrbAsReq calling createMessage
 >>> KrbAsReq in createMessage
 >>> KrbKdcReq send: kdc=192.168.0.1 UDP:88, timeout=1000, number of retries =3, #bytes=142
 >>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =1, #bytes=142
 SocketTimeOutException with attempt: 1
 >>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =2, #bytes=142
 SocketTimeOutException with attempt: 2
 >>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =3, #bytes=142
 SocketTimeOutException with attempt: 3
 >>> KrbKdcReq send: kdc=192.168.0.3 UDP:88, timeout=1000, number of retries =3, #bytes=142
 >>> KDCCommunication: kdc=192.168.0.3 UDP:88, timeout=1000,Attempt =1, #bytes=142
 >>> KrbKdcReq send: #bytes read=421
 >>> KrbKdcReq send: #bytes read=421
 >>> KDCRep: init() encoding tag is 126 req type is 11
 >>>KRBError:
          cTime is Sun Oct 12 01:20:40 JST 2008 1223742040000
          sTime is Sun Oct 12 01:20:43 JST 2008 1223742043000
          suSec is 662578
          error code is 25
          error Message is Additional pre-authentication required
          crealm is HOGEHOGE.COM
          cname is hoge
          realm is HOGEHOGE.COM
          sname is krbtgt/HOGEHOGE.COM
          eData provided.
          msgType is 30
 >>>Pre-Authentication Data:
          PA-DATA type = 2
          PA-ENC-TIMESTAMP
 >>>Pre-Authentication Data:
          PA-DATA type = 11
          PA-ETYPE-INFO etype = 16
 >>>Pre-Authentication Data:
          PA-DATA type = 19
          PA-ETYPE-INFO2 etype = 16
 >>>Pre-Authentication Data:
          PA-DATA type = 13
 KRBError received: NEEDED_PREAUTH
 AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
 default etypes for default_tkt_enctypes: 23 16 1 3.
 Pre-Authentication: Set preferred etype = 16
 >>>KrbAsReq salt is HOGEHOGE.COMhoge
 Pre-Authenticaton: find key for etype = 16
 AS-REQ: Add PA_ENC_TIMESTAMP now
 >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
 >>> KrbAsReq calling createMessage
 >>> KrbAsReq in createMessage
 >>> KrbKdcReq send: kdc=192.168.0.1 UDP:88, timeout=1000, number of retries =3, #bytes=219
 >>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =1, #bytes=219
 SocketTimeOutException with attempt: 1
 >>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =2, #bytes=219
 SocketTimeOutException with attempt: 2
 >>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =3, #bytes=219
 SocketTimeOutException with attempt: 3
 >>> KrbKdcReq send: kdc=192.168.0.3 UDP:88, timeout=1000, number of retries =3, #bytes=219
 >>> KDCCommunication: kdc=192.168.0.3 UDP:88, timeout=1000,Attempt =1, #bytes=219
 >>> KrbKdcReq send: #bytes read=586
 >>> KrbKdcReq send: #bytes read=586
 >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
 >>> KrbAsRep cons in KrbAsReq.getReply hoge
 default etypes for default_tkt_enctypes: 23 16 1 3.
 principal is hoge@HOGEHOGE.COM
 EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 48 0F 97 CE 40 A2 C7 28   26 C2 93 D7 1B A5 65 E0  H...@..(&.....e.

 EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 5B CD F1 04 32 EC C4 79   E0 20 F1 6B F7 F2 64 AE  [...2..y. .k..d.
 0010: 1C 8F A1 5D EA F4 1A A8
 EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 01 31 B0 DF 19 4C BF CD
 EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 01 31 B0 DF 19 4C BF CD
 Commit Succeeded

Because of debug=true we got a mountain of debug output! A few things in it are worth reading, though.

"default etypes for default_tkt_enctypes: 23 16 1 3" is the JVM saying it will offer rc4-hmac (23), des3-cbc-sha1 (16), des-cbc-crc (1) and des-cbc-md5 (3). The aes256-cts (18) listed in java_krb5.conf is gone, most likely because this JRE does not have the unlimited-strength JCE policy files that Java 5/6 needed for AES-256, and the KDC then settled on des3 (etype 16) for the pre-authentication timestamp.

192.168.0.1 never answered: each request burns three 1-second timeouts there before 192.168.0.3 is tried, so the whole login took about six seconds longer than it should. Put the live KDC first, or drop the dead one, while testing.

The EncryptionKey lines at the end are the user's long-term keys derived from the password. keyType=23 is the RC4-HMAC key, which is exactly the NT hash (MD4 of the UTF-16LE password), and 16, 1 and 3 are the des3/DES keys (the two DES keys are identical because their string-to-key is the same). Anyone who can read that terminal, or a log file it was captured into, holds password-equivalent material for hoge@HOGEHOGE.COM. So debug=true and -Dsun.security.krb5.debug=true are for a lab only, never for anything that writes logs.

Wait, what's this?

 Kerberos username [masaou]: hoge
 Kerberos password for hoge: hogehoge

The password is printed right there on the screen. Stupid.
This time we used the class com.sun.security.auth.callback.TextCallbackHandler for the user name and password prompts, but on Java 5.0 it does not hide the password (on Java 6.0 it should no longer be displayed).

We won't worry about it this time, but if it really bothers you, write your own class that implements the javax.security.auth.callback.CallbackHandler interface!

One more thing.
This time I only went as far as obtaining a ticket. What you do after you have the ticket is the important part, but...
I haven't studied that far yet, so I can't do it!
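Here is an added example (mine, not code from this page or from the referenced blog) that covers both of the loose ends above: a CallbackHandler that reads the password through java.io.Console so nothing is echoed, and a look at what lc.login() actually put into the Subject, namely the TGT as a javax.security.auth.kerberos.KerberosTicket. It reuses the simple.conf entry name KerberosTest and the java_krb5.conf from this page; the class name QuietKerberosTest is my choice, and it needs Java 6 or later for System.console().

```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class QuietKerberosTest {

    // CallbackHandler that never echoes the password: Console.readPassword()
    // turns terminal echo off, unlike TextCallbackHandler on Java 5.
    static class ConsoleCallbackHandler implements CallbackHandler {
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            Console console = System.console();
            if (console == null) {
                // No real terminal (IDE, redirected stdin): refuse instead of
                // falling back to something that would echo the password.
                throw new IOException("no console attached; run from a terminal");
            }
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    NameCallback nc = (NameCallback) cb;
                    // Krb5LoginModule supplies the prompt text ("Kerberos username [...]: ")
                    nc.setName(console.readLine("%s", nc.getPrompt()));
                } else if (cb instanceof PasswordCallback) {
                    PasswordCallback pc = (PasswordCallback) cb;
                    char[] pw = console.readPassword("%s", pc.getPrompt());
                    pc.setPassword(pw);          // the callback stores its own copy,
                    if (pw != null) {
                        Arrays.fill(pw, '\0');   // so wipe ours right away
                    }
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    public static void main(String[] args) throws LoginException {
        // Same JAAS and Kerberos configuration files as kerberosTest.java
        System.setProperty("java.security.auth.login.config", "simple.conf");
        System.setProperty("java.security.krb5.conf", "java_krb5.conf");

        LoginContext lc = new LoginContext("KerberosTest", new ConsoleCallbackHandler());
        lc.login();                       // AS exchange; obtains the TGT
        Subject subject = lc.getSubject();

        // Krb5LoginModule stores the TGT in the Subject as a private credential.
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket t : tickets) {
            System.out.println("client  : " + t.getClient());
            System.out.println("server  : " + t.getServer()); // krbtgt/HOGEHOGE.COM@HOGEHOGE.COM
            System.out.println("valid   : " + t.getStartTime() + " .. " + t.getEndTime());
            System.out.println("renew   : " + t.getRenewTill());
            System.out.println("sesskey : etype " + t.getSessionKeyType());
        }

        // Destroys the ticket (and any key material) held in the Subject.
        lc.logout();
    }
}
```

Compile and run it the same way as before (javac QuietKerberosTest.java; java QuietKerberosTest), but without -Dsun.security.krb5.debug=true and with debug=true removed from simple.conf, so that no keys land on the terminal. With useTicketCache=false the TGT exists only inside the Subject, and lc.logout() destroys it, so the process leaves nothing behind; getSessionKeyType() on the ticket is the quickest way to confirm which encryption type the KDC really chose.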


Go ahead and leave a comment!

  • Put a bit more effort in, will you! -- Senpai 2008-10-12 (Sun) 01:31:31
  • I want shaved ice. -- Kanbe Takeru 2016-08-09 (Tue) 09:19:21