Reputation: 21
I can execute a command using my Kerberos ticket on the Kerberos server by running ssh hostname ls
It uses the Kerberos ticket I got earlier by running kinit on the client.
I want to do the same thing through a Java client. I have a client that can SSH to that machine using the private key or the username and password. I want the Java client to use the Kerberos ticket.
How can I do that?
Upvotes: 1
Views: 3078
Reputation:
Well, from what I understand, your problem statement is:
I am also assuming you are writing the code for the Java client:
Well, in that case you need to use a jaas.conf.
Sample JAAS conf:
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    isInitiator=true
    useTicketCache=true
    doNotPrompt=true;
};
Set jaas conf via system property:-
-Djava.security.auth.login.config=jaasconffilepath
This will allow you to pick up whatever is defined in the default credential cache (in your case, that is populated with kinit).
Once you do this:-
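import javax.security.auth.login.LoginContext;
// LoginContext has no no-argument constructor; pass the entry name from jaas.conf
LoginContext lc = new LoginContext("com.sun.security.jgss.krb5.initiate");
lc.login();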
After this use Subject.doAs to elevate privileges and get your job done:-
Subject.doAs(lc.getSubject(), new YourAction());
Here YourAction is a class you define (which must implement PrivilegedExceptionAction), and in its run method you do whatever you want to.
P.S. In case you are not "coding" your Java client, you need to check the JAAS documentation of the module in question and see if it is supported or not. Then all you need to do is use your jaas.conf file and you are good to go.
P.S. You can avoid kinit altogether by setting useTicketCache=false and doNotPrompt=false. Then you can specify the password and username in your client and it will get you a ticket.
P.S. Please ensure you define the system property for krb5.conf for any of this to work: -Djava.security.krb5.conf=krb5conffilepath
Upvotes: 2
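The steps in the answer above, put together as an added example (not part of the original answer): it logs in from the kinit ticket cache, then inside Subject.doAs requests a service ticket for the SSH server's host principal through the JDK's JGSS API, which is a quick way to confirm the cache is usable before wiring it into an SSH client. The class name TicketCacheCheck and the default host "hostname" are placeholders; run it with the two -D system properties from the answer.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TicketCacheCheck {
    // Must match the entry name in jaas.conf
    static final String JAAS_ENTRY = "com.sun.security.jgss.krb5.initiate";

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "hostname"; // placeholder target host

        LoginContext lc = new LoginContext(JAAS_ENTRY);
        try {
            lc.login(); // doNotPrompt=true: fails here if the cache holds no valid TGT
        } catch (LoginException e) {
            System.err.println("No usable ticket in the credential cache (run kinit): " + e.getMessage());
            System.exit(1);
        }
        Subject subject = lc.getSubject();
        System.out.println("Logged in as " + subject.getPrincipals());

        try {
            // Inside doAs, JGSS finds the Kerberos credentials held by the Subject.
            byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSManager mgr = GSSManager.getInstance();
                Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
                // SSH servers are addressed by the host-based service name host@<fqdn>
                GSSName server = mgr.createName("host@" + host, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(server, krb5, null, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);
                ctx.requestCredDeleg(false); // do not forward the TGT to the server
                try {
                    return ctx.initSecContext(new byte[0], 0, 0); // obtains the service ticket
                } finally {
                    ctx.dispose();
                }
            });
            System.out.println("Got service ticket for host/" + host + ", token bytes: " + token.length);
        } finally {
            lc.logout(); // removes the credentials from the Subject; the cache file is untouched
        }
    }
}
```

A LoginException at lc.login() means the cache is empty or expired; a GSSException inside the action usually points at the host principal name or the krb5.conf realm mapping.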