Class LdapPublickeyAuthenticator

  • All Implemented Interfaces:
    PublickeyAuthenticator

    public class LdapPublickeyAuthenticator
    extends LdapAuthenticator
    implements PublickeyAuthenticator
    Uses LDAP to retrieve a user's registered public key(s) and compares them with the key presented by the client. The default search pattern retrieves the user's SSH public key value, which is assumed to be in OpenSSH format. By default the value is expected in the DEFAULT_PUBKEY_ATTR_NAME attribute, which may be either single-valued or multi-valued.
    • Field Detail

      • DEFAULT_SEARCH_FILTER_PATTERN

        public static final java.lang.String DEFAULT_SEARCH_FILTER_PATTERN
      • DEFAULT_PUBKEY_ATTR_NAME

        public static final java.lang.String DEFAULT_PUBKEY_ATTR_NAME
      • keyAttributeName

        private java.lang.String keyAttributeName
    • Constructor Detail

      • LdapPublickeyAuthenticator

        public LdapPublickeyAuthenticator()
    • Method Detail

      • getKeyAttributeName

        public java.lang.String getKeyAttributeName()
        Returns:
        The LDAP attribute name containing the public key; by default the value is assumed to be in OpenSSH format
      • setKeyAttributeName

        public void setKeyAttributeName(java.lang.String keyAttributeName)
      • authenticate

        public boolean authenticate(java.lang.String username,
                                    java.security.PublicKey key,
                                    ServerSession session)
        Description copied from interface: PublickeyAuthenticator
        Checks whether the given PublicKey is allowed to be used for authenticating user "username" in a session.

        Note that the key may be an OpenSshCertificate. A typical implementation for a certificate would check that the certificate's CA key is known to be trusted as a certificate authority, and that the given user name is listed in the certificate's principals.

        Specified by:
        authenticate in interface PublickeyAuthenticator
        Parameters:
        username - the username
        key - the key
        session - the server session
        Returns:
        true if the key may be used; false otherwise
      • authenticate

        protected boolean authenticate(java.lang.String username,
                                       java.security.PublicKey expected,
                                       ServerSession session,
                                       java.util.Map<java.lang.String,?> attrs)
                                throws java.security.GeneralSecurityException,
                                       java.io.IOException
        Parameters:
        username - The SSH username attempting to authenticate
        expected - The provided PublicKey
        session - The ServerSession
        attrs - The extracted LDAP attributes Map
        Returns:
        true if the presented public key is to be accepted
        Throws:
        java.security.GeneralSecurityException - If the public key(s) could not be recovered
        java.io.IOException - If the public key(s) data could not be parsed
        See Also:
        recoverPublicKeys(String, PublicKey, ServerSession, Map, Object), authenticate(String, PublicKey, ServerSession, Map, Collection)
      • authenticate

        protected boolean authenticate(java.lang.String username,
                                       java.security.PublicKey expected,
                                       ServerSession session,
                                       java.util.Map<java.lang.String,?> attrs,
                                       java.util.Collection<? extends java.security.PublicKey> keys)
        Parameters:
        username - The SSH username attempting to authenticate
        expected - The provided PublicKey
        session - The ServerSession
        attrs - The extracted LDAP attributes Map
        keys - The Collection of recovered PublicKeys - may be null/empty
        Returns:
        true if the presented public key is to be accepted
      • recoverPublicKeys

        protected java.util.List<java.security.PublicKey> recoverPublicKeys(java.lang.String username,
                                                                            java.security.PublicKey expected,
                                                                            ServerSession session,
                                                                            java.util.Map<java.lang.String,?> attrs,
                                                                            java.lang.Object keyData)
                                                                     throws java.security.GeneralSecurityException,
                                                                            java.io.IOException
        Parameters:
        username - The SSH username attempting to authenticate
        expected - The provided PublicKey
        session - The ServerSession
        attrs - The extracted LDAP attributes Map
        keyData - The value of the getKeyAttributeName() attribute - may be null, a single object or a collection of such objects (for a multi-valued attribute)
        Returns:
        A List of the recovered PublicKeys - may be null/empty
        Throws:
        java.security.GeneralSecurityException - If the public key(s) could not be recovered
        java.io.IOException - If the public key(s) data could not be parsed
        See Also:
        parsePublicKeyValue(String, PublicKey, ServerSession, Map, Object)
      • parsePublicKeyValue

        protected java.security.PublicKey parsePublicKeyValue(java.lang.String username,
                                                              java.security.PublicKey expected,
                                                              ServerSession session,
                                                              java.util.Map<java.lang.String,?> attrs,
                                                              java.lang.Object keyData)
                                                       throws java.security.GeneralSecurityException,
                                                              java.io.IOException
        Parameters:
        username - The SSH username attempting to authenticate
        expected - The provided PublicKey
        session - The ServerSession
        attrs - The extracted LDAP attributes Map
        keyData - One of the attribute's values (for a multi-valued attribute) - may be null
        Returns:
        The extracted PublicKey or null if none available
        Throws:
        java.security.GeneralSecurityException - If the public key could not be recovered
        java.io.IOException - If the public key data could not be parsed
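As an added example (not code from the SSHD project), a subclass that overrides parsePublicKeyValue so that an attribute value stored as a binary OpenSSH wire-format blob (a byte[] from LDAP) is decoded as well, while text values are still handed to the inherited parser; only ssh-rsa is decoded, and a malformed blob fails closed with an IOException. Assumed: the package names org.apache.sshd.ldap and org.apache.sshd.server.session, and the class name BinaryAwareLdapPublickeyAuthenticator, which is invented.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Map;
import org.apache.sshd.ldap.LdapPublickeyAuthenticator; // assumed package
import org.apache.sshd.server.session.ServerSession;     // assumed package

// Hypothetical subclass: a byte[] value is read as an OpenSSH wire-format RSA key
// (string "ssh-rsa", mpint e, mpint n); any other value goes to the inherited parser.
public class BinaryAwareLdapPublickeyAuthenticator extends LdapPublickeyAuthenticator {
    @Override
    protected PublicKey parsePublicKeyValue(String username, PublicKey expected, ServerSession session,
                                            Map<String, ?> attrs, Object keyData)
            throws GeneralSecurityException, IOException {
        if (!(keyData instanceof byte[])) {
            return super.parsePublicKeyValue(username, expected, session, attrs, keyData);
        }
        DataInputStream in = new DataInputStream(new ByteArrayInputStream((byte[]) keyData));
        String type = new String(readField(in), StandardCharsets.US_ASCII);
        if (!"ssh-rsa".equals(type)) {
            return null; // unsupported key type: reported as "no key available"
        }
        BigInteger e = mpint(readField(in));
        BigInteger n = mpint(readField(in));
        if (in.available() != 0 || e.signum() <= 0 || n.signum() <= 0) {
            throw new IOException("malformed ssh-rsa blob for user " + username);
        }
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    // One SSH "string": uint32 big-endian length, then that many bytes; length is bounded.
    private static byte[] readField(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > 16384 || len > in.available()) {
            throw new IOException("bad field length: " + len);
        }
        byte[] buf = new byte[len];
        in.readFully(buf);
        return buf;
    }

    // SSH mpint: two's-complement big-endian; an empty field encodes zero.
    private static BigInteger mpint(byte[] raw) {
        return raw.length == 0 ? BigInteger.ZERO : new BigInteger(raw);
    }
}
```

Keys of other types still come back as null from this override, so the inherited authenticate(...) treats them as absent rather than as a match.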