If you read "とっととUbuntuでKerberos構築しろや!" (Hurry up and build Kerberos on Ubuntu!), you got Kerberos up and running in no time, didn't you!
This time, using "ケルベロス認証 - 駆け出しプログラマの奮闘記" (Kerberos authentication - a fledgling programmer's struggles) as a reference, go write a Kerberos client in Java!
kerberosTest.java
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class kerberosTest {
    public static void main(String[] args) {
        // JAAS login configuration (which login module to run, with what options)
        // and the Kerberos client configuration (realm, KDC addresses).
        // Both files are expected in the working directory.
        System.setProperty("java.security.auth.login.config", "simple.conf");
        System.setProperty("java.security.krb5.conf", "java_krb5.conf");
        LoginContext lc = null;
        try {
            // "KerberosTest" must match the entry name in simple.conf.
            // TextCallbackHandler prompts for the user name and password on the terminal.
            lc = new LoginContext("KerberosTest", new TextCallbackHandler());
            // Runs the AS exchange with the KDC; on success the TGT is stored in the Subject.
            lc.login();
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}
simple.conf
KerberosTest {
    com.sun.security.auth.module.Krb5LoginModule required
        client=TRUE
        useTicketCache=false
        debug=true;
};
java_krb5.conf
[libdefaults]
    default_realm = HOGEHOGE.COM
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    dns_lookup_realm = false
    dns_lookup_kdc = false
    kdc_timeout = 1000

[realms]
    HOGEHOGE.COM = {
        kdc = 192.168.0.1:88
        kdc = 192.168.0.3:88
        admin_server = 192.168.0.3
    }
Compile kerberosTest.java with javac, and then just run it, hi-yaaa!
$ javac kerberosTest.java
$ java -Dsun.security.krb5.debug=true kerberosTest
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos ユーザ名 [masaou]: hoge
hoge の Kerberos パスワード: hogehoge
        [Krb5LoginModule] user entered username: hoge

default etypes for default_tkt_enctypes: 23 16 1 3.
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 16 1 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.1 UDP:88, timeout=1000, number of retries =3, #bytes=142
>>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =1, #bytes=142
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =2, #bytes=142
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =3, #bytes=142
SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: kdc=192.168.0.3 UDP:88, timeout=1000, number of retries =3, #bytes=142
>>> KDCCommunication: kdc=192.168.0.3 UDP:88, timeout=1000,Attempt =1, #bytes=142
>>> KrbKdcReq send: #bytes read=421
>>> KrbKdcReq send: #bytes read=421
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         cTime is Sun Oct 12 01:20:40 JST 2008 1223742040000
         sTime is Sun Oct 12 01:20:43 JST 2008 1223742043000
         suSec is 662578
         error code is 25
         error Message is Additional pre-authentication required
         crealm is HOGEHOGE.COM
         cname is hoge
         realm is HOGEHOGE.COM
         sname is krbtgt/HOGEHOGE.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 16
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 16
>>>Pre-Authentication Data:
         PA-DATA type = 13
KRBError received: NEEDED_PREAUTH
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 16 1 3.
Pre-Authentication: Set preferred etype = 16
>>>KrbAsReq salt is HOGEHOGE.COMhoge
Pre-Authenticaton: find key for etype = 16
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.1 UDP:88, timeout=1000, number of retries =3, #bytes=219
>>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =1, #bytes=219
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =2, #bytes=219
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=192.168.0.1 UDP:88, timeout=1000,Attempt =3, #bytes=219
SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: kdc=192.168.0.3 UDP:88, timeout=1000, number of retries =3, #bytes=219
>>> KDCCommunication: kdc=192.168.0.3 UDP:88, timeout=1000,Attempt =1, #bytes=219
>>> KrbKdcReq send: #bytes read=586
>>> KrbKdcReq send: #bytes read=586
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbAsRep cons in KrbAsReq.getReply hoge
default etypes for default_tkt_enctypes: 23 16 1 3.
principal is hoge@HOGEHOGE.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 48 0F 97 CE 40 A2 C7 28   26 C2 93 D7 1B A5 65 E0  H...@..(&.....e.
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 5B CD F1 04 32 EC C4 79   E0 20 F1 6B F7 F2 64 AE  [...2..y. .k..d.
0010: 1C 8F A1 5D EA F4 1A A8
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 01 31 B0 DF 19 4C BF CD
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 01 31 B0 DF 19 4C BF CD
Commit Succeeded
Since debug=true is set, a ton of debug output came out!
But wait, what the heck is this?
Kerberos ユーザ名 [masaou]: hoge hoge の Kerberos パスワード: hogehoge
The password is sitting right there on the screen. Idiot.
This time I used a class called com.sun.security.auth.callback.TextCallbackHandler to read the user name and password, but on Java 5.0 this thing doesn't hide the password (on Java 6.0 it shouldn't be displayed).
I'm not going to bother about it this time, but if it really bugs you, write your own class that implements the javax.security.auth.callback.CallbackHandler interface!
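If you do want to go that route, here is an added example (not this post's code) of a CallbackHandler that answers Krb5LoginModule's NameCallback and PasswordCallback through java.io.Console, whose readPassword() (Java 6 and later) turns terminal echo off. The class name NoEchoCallbackHandler is my own; the "KerberosTest" entry and the simple.conf / java_krb5.conf files are the ones from this post.

```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical class name; the handle() logic is the point.
public class NoEchoCallbackHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        Console console = System.console();
        if (console == null) {
            // Not attached to a terminal (stdin redirected, IDE): refuse rather than fall back to an echoing read
            throw new IOException("no interactive console; cannot prompt without echo");
        }
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                String name = console.readLine("%s", nc.getPrompt());
                nc.setName(name);
            } else if (cb instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) cb;
                // readPassword() disables echo, so the secret never appears on screen or in scrollback
                char[] pw = console.readPassword("%s", pc.getPrompt());
                pc.setPassword(pw);                      // PasswordCallback keeps its own copy...
                if (pw != null) Arrays.fill(pw, '\0');   // ...so wipe ours right away
            } else {
                throw new UnsupportedCallbackException(cb, "unsupported callback: " + cb.getClass().getName());
            }
        }
    }

    // Same wiring as kerberosTest, only with the non-echoing handler.
    public static void main(String[] args) {
        System.setProperty("java.security.auth.login.config", "simple.conf");
        System.setProperty("java.security.krb5.conf", "java_krb5.conf");
        try {
            LoginContext lc = new LoginContext("KerberosTest", new NoEchoCallbackHandler());
            lc.login();  // AS exchange with the KDC; the TGT ends up in lc.getSubject()
            System.out.println("Authenticated as " + lc.getSubject().getPrincipals());
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}
```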
Oh, and one more thing.
This time I only got as far as obtaining the ticket. What you do after you have the ticket is the important part, though...
I haven't studied that far yet, so I can't do it yet!
Go ahead and leave a comment!