I have a text file on a unix machine containing the SSH user name and password that someone might use to connect to it.
How do I verify that the user name and password are valid using Java?
Do I try to SSH connect to the same machine by using Runtime.exec()?
I can grep for the user /etc/passwd. But, the password is shadowed.
I'd appreciate any suggestions.
Maybe the question could be broadened to "Validating UNIX Credentials from Java" as the mechanism explained is not really ssh dependant.
Here is my shot as a better Expect-like alternative (e.g. with ProcessBuilder) without using the overhead of a network stack:
su -u username -c echo
Just check the exit status to know the answer.
(Bonus points: su is present on all UNIX operating systems, and it's even probably on the PATH and is valid as well for other external authentication system as LDAP).
If you have root access, then of course you could read /etc/shadow. I would say this is the "correct" way of doing it.
Other than that, your friggly way of calling ssh should be OK I think, but I'd use ssh to run a command that, say, created some random temporary file-- then, if the file was created (or the command carried out), you assume the user name/password was correct. Sounds icky, but you can probably get it to work in an emergency.
Oh, of course, the frig has the side effect that you actually logged in as that user. That may or not be desirable...!
Remember that there is more to UNIX authentication than /etc/passwd and /etc/shadow. They could for instance be authenticating against Kerberos, LDAP, NIS or any other number of sources. For this reason, I would highly recommend looking into a PAM wrapper for Java. A quick google turned up http://jpam.sourceforge.net/ but I have no experience with it.
Of course sshd may be configured not to use PAM at all or to only allow certain users, etc. If you want to follow sshd's rules exactly then that changes things, but it sounds like PAM auth is more what you want.
Related
This is a follow up to:
Using JSch to SFTP when one must also switch user
This issue has been on the back burner since I asked the original question while our server management team reviews their policies, but I am now picking it up again!
What I want to do is to use JSch to connect to a remote server and then use sftp or scp to access some files - as per the code example in the original question. The issue is that these files are owned by another user and so I need to su to that user and then provide a password before issuing the sftp or scp command.
This cannot be done in JSch and this is right because it is a security risk to be able to send the password through the exec channel. So these are options I have going forward as I see them.
Override JSch functionality. Martin has very helpfully provided some guidance in an answer to the original question as to how this could be done by and how the password may be passed in "through the back door". But I am not confident in my own ability to override the JSch code and once again, even if successful, I would be circumventing a security feature that is there for legitimate reasons, so I am reluctant to attempt this.
On the server, grant my user password-less access to the other user. This is a no as my server management team will not agree to this.
Have a server-side .sh script that can be run by my user to gain access to the files. Again, this is a no as my server management team will not agree to it!
Automate a putty session i.e. phsically open putty and pass commands to the putty session line by line from the Java client.
Give up! Should I accept that I am trying to do something here that should not be automated and simply have a manual test instead?
I would be extremely grateful for any thoughts/guidance.
I am trying to do something here that should not be automated.
That's correct in principle.
The only correct automatic solution is to directly login with the user that has access to the files. Everything else is just a hack or working around your security policy. Ideally you should authenticate with a dedicated private key to allow monitoring the access from your application and to be able to control the access (e.g. temporary turning it off, without affecting other uses of the same account).
Though I can imagine that your system administrators won't allow you the direct login, because they cannot foresee what (if any) security issues it brings.
I just wanted to share that I have got a solution working for this question by adapting the sample JSch example, JumpHosts.
http://www.jcraft.com/jsch/examples/JumpHosts.java
Overriding the inherited methods in the static class MyUserInfo allowed me to automatically accept prompt boxes, input boxes, etc without physically having to use the keyboard, so I have a fully automated test as desired.
It's great that the jcraft team provide such useful worked examples. Thanks for everyone who took the time to read and consider my question.
Edit: As per Martin's comment, I should point out that this only works if you have a special rule in SSH configuration that allows direct user2 login from localhost (while not allowing direct remote login). That's not sudo. So this cannot work in general.
My company has a Java Web Application with the database password stored in a properties file and we need to secure the password. I've googled and found the Jasypt solution, but in my mind that doesn't really solve the problem because that requires another password to feed to the application and I don't know how to secure that password.
The main suggestion for Jasypt is to feed the password in as an environment variable, which means that in the best case scenario I would be starting the application like:
./myApp -D password=myPasswordDontHackPlz
which isn't secure because you can see the password when you do
ps -ef | grep myApp
We also can't feed the password in when it needs it (via a the web or something) because it essentially decides when it needs the password, and it needs it pretty often.
Is there any solution to this or am I asking for some magical solution that doesn't exist? I don't like Jasypt because it seems to me to essentially just be obfuscation, and I'm not after obfuscation i'm looking for true security here.
Why don't you put the password in a properties file which is only readable by the user that runs the web application? The web application will need to know the root password at some stage, so obviously you want it to be able to read/use it. What you want is that noone else should be able to read it, and protecting the file will do it.
This is all assuming that you need to externalize your password. You could hardcode it into the application if you wanted to make it harder to get at, but someone with access to the JAR can always decompile your classes.
I am just wondering - storing a root database password is a bad idea in general. But then again, when someone actually manages to get access to that file on the server, how safe is your database anyway?
Would the password still show up if you created a shell script and run it instead?
#!/bin/bash
./myApp -D password=myPasswordDontHackPlz
I write a web application I have to do signin in that using the windows username..
I tried to get username using system.get property() but its giving the username of server windows name only.but I want to the username of client system..can any one help me?
If I understood you correctly you want to sign in to the web application using the Windows credentials. If so - the problem is that the server machine knows nothing about the client. It can provide you the user info only after successful login (see Get windows username using JAVA or JSP).
You could point your system to some user store (e.g. LDAP) that will be used by both Windows system and your app. In this situation you will be able to sign in to the app using Windows credentials.
The Browser is an application to generate the view based on an HTML code. It wont give access to the client machine.
You can use request.getRemoteUser() to get the user name, that too is possible only if its allowed in the client machine.
If your client is running on a windows machine you can get the user name using this
var wshshell=new ActiveXObject("wscript.shell");
var username=wshshell.ExpandEnvironmentStrings("%username%");
This is a solution for getting the user name, but i will never recommend this, it surely is a bad practice.
Is the entire Java application running on the server? How would your application even know about a specific client machine? And how would it deal with concurrently logged in users? And how would it deal with a primitive client machine which does not have a notion of a user name?
You can instead run a Java applet which is invoked on the client's machine. You could the send this information to the server to process. However, your users would most likely not like that and not grant the required privileges.
Alternatively, you could try to use JavaScript to read the user name, in case that you are communicating via a webpage. I want to stress the word try in this context since there is not universally functional approach and most users will most likely not allow you to read this property either.
In a nutshell: Users do not normally want to share this information with you and therefore you cannot access it. If you could, you would have found a security hole which would most likely get fixed. Rather, ask your application's users to enter a name to use for whatever reason you would require it. Or, if this is an option, organize for example your Windows credentials in a service that can be accessed by a standardized API.
I need to connect to Unix Server using Java via SSH and SFTP protocol and execute specific commands and do File Transfers also. But there is RSA token authentication is enabled on Unix. So I need to get the current RSA token password at run time also along with User's Password.
So how to get this done
via Java? Is there any Java API for this?
FYI, Unix Login steps using putty :
connect using Server IP.
List item
give User Name.
give Password
give the 6 digit SecurID generated Number.
This sounds like keyboard-interactive authentication. In this authentication mechanism the server asks user a question, to which the user must respond. Any number of questions is possible and their order is defined by the server.
Keyboard-interactive authentication is used by many servers, but it's usually reduced to asking for a password, so most software which claims support for this authentication method will just put a password as the answer and that's all.
I don't know if free Java libraries support keyboard-interactive authentication with multiple questions. Our SecureBlackbox classes have an event which passes questions to the application, and the application can either provide an answer itself or ask the human operator to provide the answer.
How I can check user credentials for local computer?
For example, I have this strings:
Username: user
Password: pwd.
Scenario: Trying to login into windows or linux. if user user/pwd exist, method should return "true".
I can't use LDAP or databases, but I need use only local credentials...
This is possible?
and... if it's possible, should provide for the application with the appropriate rights
You might want to use JAAS Login utility with JAAS Authentication and JAAS Authorization.
Seems to be doing what you want (if I understood your question well).
The "right" way to do this is try to login using these credentials. You cannot get the credentials from OS because they are event not stored there in clear text.
You have a lot of ways to login to machine. On linux you can use SSH. Use one of available Java SSH libraries (e.g. Jsh). Send your credentials and see if you an login. The same is for windows but there you can use WMI. The following WMI libraries are recommended: JaWin, Jintegra, Jinterop.
Probably Jinterop is the best choice because it is free and is pure java implementation, so it is cross-platform by definition: you can run on linux and login to remote windows machine. Jintegra is the same but not free. JaWin is a JNI wrapper, so the application has to run on windows.