Class LdapPublickeyAuthenticator

java.lang.Object

org.apache.sshd.common.util.logging.AbstractLoggingBean

org.apache.sshd.common.util.net.NetworkConnector

org.apache.sshd.ldap.LdapNetworkConnector<org.apache.sshd.server.session.ServerSession>

org.apache.sshd.ldap.LdapAuthenticator

org.apache.sshd.ldap.LdapPublickeyAuthenticator

All Implemented Interfaces:

org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator

public class LdapPublickeyAuthenticator
extends LdapAuthenticator
implements org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator

Uses LDAP to retrieve a user's registered public key and compare it with the provided one. The default search pattern attempts to retrieve the user's SSH public key value which is assumed to be in OpenSSH format. The default assumes that the value resides in the DEFAULT_PUBKEY_ATTR_NAME attribute and can be either a single or a multi-valued one

Field Summary

Fields

Modifier and Type	Field	Description
static final String	DEFAULT_PUBKEY_ATTR_NAME
static final String	DEFAULT_SEARCH_FILTER_PATTERN
private String	keyAttributeName

Fields inherited from class LdapAuthenticator

DEFAULT_AUTHENTICATION_MODE, DEFAULT_USERNAME_ATTR_NAME

Fields inherited from class LdapNetworkConnector

ALL_LDAP_ATTRIBUTES, baseDNPattern, bindDNPattern, bindPasswordPattern, DEFAULT_BINARY_ATTRIBUTES, DEFAULT_LDAP_ACCUMULATE_MULTIVALUES, DEFAULT_LDAP_BIND_DN_PATTERN, DEFAULT_LDAP_BIND_PASSWORD_PATTERN, DEFAULT_LDAP_COUNT_LIMIT, DEFAULT_LDAP_DEREF_ENABLED, DEFAULT_LDAP_FACTORY_PROPNAME, DEFAULT_LDAP_FACTORY_PROPVAL, DEFAULT_LDAP_PORT, DEFAULT_LDAP_PROTOCOL, DEFAULT_LDAP_REFERRAL_MODE, DEFAULT_LDAP_RETURN_OBJVALUE, DEFAULT_LDAP_SEARCH_SCOPE, DEFAULT_LDAP_TIME_LIMIT, ldapEnv, searchControls, searchFilterPattern

Fields inherited from class org.apache.sshd.common.util.net.NetworkConnector

DEFAULT_CONNECT_TIMEOUT, DEFAULT_HOST, DEFAULT_READ_TIMEOUT

Fields inherited from class org.apache.sshd.common.util.logging.AbstractLoggingBean

log

Constructor Summary

Constructors

Constructor	Description
LdapPublickeyAuthenticator()

Method Summary

Modifier and Type	Method	Description
boolean	authenticate(String username, PublicKey key, org.apache.sshd.server.session.ServerSession session)
protected boolean	authenticate(String username, PublicKey expected, org.apache.sshd.server.session.ServerSession session, Map<String,?> attrs)
protected boolean	authenticate(String username, PublicKey expected, org.apache.sshd.server.session.ServerSession session, Map<String,?> attrs, Collection<? extends PublicKey> keys)
String	getKeyAttributeName()
protected PublicKey	parsePublicKeyValue(String username, PublicKey expected, org.apache.sshd.server.session.ServerSession session, Map<String,?> attrs, Object keyData)
protected List<PublicKey>	recoverPublicKeys(String username, PublicKey expected, org.apache.sshd.server.session.ServerSession session, Map<String,?> attrs, Object keyData)
void	setKeyAttributeName(String keyAttributeName)

Methods inherited from class LdapNetworkConnector

accumulateAttributeValue, getAuthenticationMode, getBaseDN, getBinaryAttributes, getBindDNPattern, getBindPasswordPattern, getCountLimit, getLdapFactory, getProtocolVersion, getReferralMode, getRetrievedAttributes, getSearchFilterPattern, getSearchScope, getTimeLimit, initializeDirContext, isAccumulateMultiValues, isDerefLink, isReturningObjFlag, processResultAttributeValue, processSearchResult, queryAttributes, resolveAttributes, resolveBaseDN, resolveSearchFilter, setAccumulateMultiValues, setAuthenticationMode, setBaseDN, setBinaryAttributes, setBindDNPattern, setBindPasswordPattern, setConnectTimeout, setCountLimit, setDerefLink, setLdapFactory, setProtocolVersion, setReadTimeout, setReferralMode, setRetrievedAttributes, setReturningObjFlag, setSearchFilterPattern, setSearchScope, setTimeLimit, setupDirContextEnvironment, toString

Methods inherited from class org.apache.sshd.common.util.net.NetworkConnector

getConnectTimeout, getHost, getPort, getProtocol, getReadTimeout, setHost, setPort, setProtocol, toString

Methods inherited from class org.apache.sshd.common.util.logging.AbstractLoggingBean

debug, debug, debug, debug, debug, error, error, error, error, error, getSimplifiedLogger, info, info, warn, warn, warn, warn, warn, warn, warn, warn

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Details

DEFAULT_SEARCH_FILTER_PATTERN

public static final String DEFAULT_SEARCH_FILTER_PATTERN

See Also:

• Constant Field Values

DEFAULT_PUBKEY_ATTR_NAME

public static final String DEFAULT_PUBKEY_ATTR_NAME

See Also:

• Constant Field Values

keyAttributeName

private String keyAttributeName

Constructor Details

LdapPublickeyAuthenticator

public LdapPublickeyAuthenticator()

Method Details

getKeyAttributeName

public String getKeyAttributeName()

Returns:

The LDAP attribute name containing the public key - assumed by default to be in OpenSSH format

setKeyAttributeName

public void setKeyAttributeName(String keyAttributeName)

authenticate

public boolean authenticate(String username,
 PublicKey key,
 org.apache.sshd.server.session.ServerSession session)

Specified by:

authenticate in interface org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator

authenticate

protected boolean authenticate(String username,
 PublicKey expected,
 org.apache.sshd.server.session.ServerSession session,
 Map<String,?> attrs)
                        throws GeneralSecurityException,
IOException

Parameters:

username - The SSH username attempting to authenticate

expected - The provided PublicKey

session - The ServerSession

attrs - The extracted LDAP attributes Map

Returns:

true whether to accept the presented public key

Throws:

GeneralSecurityException - If failed to recover the public key(s)

IOException - If failed to parse the public key(s) data

See Also:

• recoverPublicKeys(String, PublicKey, ServerSession, Map, Object)
• authenticate(String, PublicKey, ServerSession, Map, Collection)

authenticate

protected boolean authenticate(String username,
 PublicKey expected,
 org.apache.sshd.server.session.ServerSession session,
 Map<String,?> attrs,
 Collection<? extends PublicKey> keys)

Parameters:

username - The SSH username attempting to authenticate

expected - The provided PublicKey

session - The ServerSession

attrs - The extracted LDAP attributes Map

keys - The Collection of recovered PublicKeys - may be null/empty

Returns:

true whether to accept the presented public key

recoverPublicKeys

protected List<PublicKey> recoverPublicKeys(String username,
 PublicKey expected,
 org.apache.sshd.server.session.ServerSession session,
 Map<String,?> attrs,
 Object keyData)
                                     throws GeneralSecurityException,
IOException

Parameters:

username - The SSH username attempting to authenticate

expected - The provided PublicKey

session - The ServerSession

attrs - The extracted LDAP attributes Map

keyData - The value of the getKeyAttributeName() attribute - may be null, a single object or a collection of such (if multi-valued attribute)

Returns:

A List of the recovered PublicKeys - may be null/empty

Throws:

GeneralSecurityException - If failed to recover the public key(s)

IOException - If failed to parse the public key(s) data

See Also:

• parsePublicKeyValue(String, PublicKey, ServerSession, Map, Object)

parsePublicKeyValue

protected PublicKey parsePublicKeyValue(String username,
 PublicKey expected,
 org.apache.sshd.server.session.ServerSession session,
 Map<String,?> attrs,
 Object keyData)
                                 throws GeneralSecurityException,
IOException

Parameters:

username - The SSH username attempting to authenticate

expected - The provided PublicKey

session - The ServerSession

attrs - The extracted LDAP attributes Map

keyData - One of the values (if multi-valued attribute) - may be null

Returns:

The extracted PublicKey or null if none available

Throws:

GeneralSecurityException - If failed to recover the public key

IOException - If failed to parse the public key data