Uploaded image for project: 'OpenICF'
  1. OpenICF
  2. OPENICF-1433

SSH connector: Kerberos username prompt for public key and password auth



    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • SSH Connector
    • None
    • 54389


      When trying to use the SSH connector while running IDM interactively (eg starting IDM from in Windows 10 using a powershell using the startup.bat command window instead of running as a service), IDM fails to complete startup, because there is an interactive kerberos prompt. This is even true if the authentication method is public key or password.

      For example:

      Listening for transport dt_socket at address: 5006
      WARNING: An illegal reflective access operation has occurred
      WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/C:/w10dev/openidm-prod/openidm/bin/felix.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
      WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
      WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
      WARNING: All illegal access operations will be denied in a future release
      -> [123] Oct. 16, 2020 5:32:30.278 PM org.forgerock.openidm.health.HealthService org.forgerock.openidm.health.HealthService$4 run
      SEVERE: OpenIDM failure during startup, ACTIVE_NOT_READY: Required services not all started [org.forgerock.openidm.api-servlet, org.forgerock.openidm.authentication, org.forgerock.openidm.config.manage, org.forgerock.openidm.policy, org.forgerock.openidm.repo.init, org.forgerock.openidm.scheduler]
      Kerberos username [myusername]: myusername
      Command not found.
      Kerberos password for myusername:

      To fix this issue, the "PreferredAuthentications" config on the JSch session (org.forgerock.openicf.connectors.ssh.SSHConnection) should be set to either "password" or "publickey" for password auth and public key auth respectively.

      Kerberos authentication already correctly sets "PreferredAuthentications" to "gssapi-with-mic", is just password and public key which aren't setting this value.




            gael Gael Allioux
            japearson Joel Pearson
            Son Nguyen Son Nguyen
            0 Vote for this issue
            3 Start watching this issue