Two authentication mechanisms are currently used in Virgo: one for JMX and the admin console and another for the shell. These are configured and used differently, which is likely to confuse the users. The shell should be modified to use the KernelLoginModule and therefore use the user names and passwords defined in config/org.eclipse.virgo.kernel.users.properties.
Some guidance is here: http://www.eclipse.org/equinox/incubator/console/user-doc.php
Notes on user authentication in Virgo...

The start processing of dmk.sh sets the following system properties:

    -Djava.security.auth.login.config=$CONFIG_DIR/org.eclipse.virgo.kernel.authentication.config
    -Dorg.eclipse.virgo.kernel.authentication.file=$CONFIG_DIR/org.eclipse.virgo.kernel.users.properties

org.eclipse.virgo.kernel.authentication.config contains the following:

    virgo-kernel {
        org.eclipse.virgo.kernel.authentication.KernelLoginModule REQUIRED;
    };
    ...

"JAAS Login Configuration File" http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.html describes how an application can authenticate a user and password by constructing a LoginContext passing the name of an entry in the JAAS login configuration file, such as "virgo-kernel", and a callback handler which is used to supply the user name and password to JAAS.

KernelLoginModule looks for the system property org.eclipse.virgo.kernel.authentication.file, typically set to point at the file org.eclipse.virgo.kernel.users.properties, and uses it to create a CredentialStore which it uses to authenticate users and passwords.

The shipped version of org.eclipse.virgo.kernel.users.properties contains:

    ##################
    # User definitions
    ##################
    user.admin=springsource

    ##################
    # Role definitions
    ##################
    role.admin=admin

Notes on shell authentication in Virgo...

org.eclipse.virgo.kernel.authentication.config contains the following:

    ...
    equinox_console {
        org.eclipse.equinox.console.jaas.SecureStorageLoginModule REQUIRED;
    };

dmk.sh sets the following system properties:

    -Dorg.eclipse.equinox.console.jaas.file="$CONFIG_DIR/store"
    -Dssh.server.keystore="$CONFIG_DIR/hostkey.ser"

(This is only part of the story - see comment 1.)
The shell was initially designed to be able to work standalone, even if the Virgo LoginModule is not present. That is why it provides its own default LoginModule. However, it should be possible to customize it with another LoginModule. I should test if the customization works out-of-the box, as designed. If not, at least it should be possible with minor modifications to enable such customization.
(In reply to comment #4)
> The shell was initially designed to be able to work standalone, even if the
> Virgo LoginModule is not present. That is why it provides its own default
> LoginModule.
>
> However, it should be possible to customize it with another LoginModule. I
> should test if the customization works out-of-the box, as designed. If not, at
> least it should be possible with minor modifications to enable such
> customization.

Thanks Lazar.

I tried a quick experiment of declaring equinox_console to use the kernel login module, but that seemed not to make the slightest difference. Reading the doc in comment 1, it seems there are some other configuration tweaks to be made, so rather than rush it in, I thought raising this bug would be more helpful.

(In reply to comment #5)
> (In reply to comment #4)
> > The shell was initially designed to be able to work standalone, even if the
> > Virgo LoginModule is not present. That is why it provides its own default
> > LoginModule.
> >
> > However, it should be possible to customize it with another LoginModule. I
> > should test if the customization works out-of-the box, as designed. If not, at
> > least it should be possible with minor modifications to enable such
> > customization.
>
> Thanks Lazar.
>
> I tried a quick experiment of declaring equinox_console to use the kernel login
> module, but that seemed not to make the slightest difference. Reading the doc
> in comment 1, it seems there are some other configuration tweaks to be made, so
> rather than rush it in, I thought raising this bug would be more helpful.

Thanks Glyn!

I have to check this out - my first idea was that probably setting equinox_console to use the kernel login module will be enough, but obviously it is not. I will debug this to see what goes wrong.
To use the KernelLoginModule do the following:

- in config/org.eclipse.virgo.kernel.authentication.config declare equinox_console to use the kernel login module

- in lib/org.eclipse.virgo.kernel.launch.properties comment the line osgi.console.ssh.useDefaultSecureStorage=true, or set it to false.

After doing this you should be able to log in the ssh console with the virgo user and password.
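A check for the two settings in the comment above, plus the shipped admin password quoted earlier in this bug, as an added example that is not part of the original comments or of Virgo. The function names jaas_entry and audit_virgo_shell_auth are hypothetical; the file paths are the ones named in this bug, taken relative to a Virgo home directory passed as the argument.

```shell
#!/bin/sh
# Added example (not Virgo code). Function names are hypothetical; the file
# paths and property names are the ones quoted in this bug.

# Print the uncommented lines of one JAAS entry: the text between
# "<name> {" and the line holding its closing brace.
jaas_entry() {  # $1 = login configuration file, $2 = entry name
    awk -v name="$2" '
        $0 ~ ("^[ \t]*" name "[ \t]*\\{") { inside = 1; next }
        inside && index($0, "}")          { inside = 0 }
        inside && $0 !~ "^[ \t]*//"       { print }' "$1"
}

# Audit the Virgo home directory $1. Prints one line per finding and
# returns the number of findings (0 = settings match the steps above).
audit_virgo_shell_auth() {
    cfg="$1/config" findings=0

    # The equinox_console entry itself must name the kernel login module;
    # a match inside the virgo-kernel entry does not count.
    if ! jaas_entry "$cfg/org.eclipse.virgo.kernel.authentication.config" equinox_console |
            grep -q 'org\.eclipse\.virgo\.kernel\.authentication\.KernelLoginModule'; then
        echo "equinox_console does not use KernelLoginModule"
        findings=$((findings + 1))
    fi

    # Only an uncommented "=true" is a finding; a commented-out line or
    # "=false" is what the steps above ask for.
    if grep -Eq '^[[:space:]]*osgi\.console\.ssh\.useDefaultSecureStorage[[:space:]]*=[[:space:]]*true[[:space:]]*$' \
            "$1/lib/org.eclipse.virgo.kernel.launch.properties"; then
        echo "osgi.console.ssh.useDefaultSecureStorage is still true"
        findings=$((findings + 1))
    fi

    # With the kernel login module in use, the ssh console accepts the
    # users file, so the shipped admin password should not remain in it.
    if grep -Eq '^[[:space:]]*user\.admin[[:space:]]*=[[:space:]]*springsource[[:space:]]*$' \
            "$cfg/org.eclipse.virgo.kernel.users.properties"; then
        echo "users.properties still has the shipped admin password"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```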
(In reply to comment #7)
> To use the KernelLoginModule do the following:
>
> - in config/org.eclipse.virgo.kernel.authentication.config declare
> equinox_console to use the kernel login
> module
>
> - in lib/org.eclipse.virgo.kernel.launch.properties comment the line
> osgi.console.ssh.useDefaultSecureStorage=true, or set it to false.
>
> After doing this you should be able to log in the ssh console with the virgo
> user and password.

Great! Thanks Lazar.

I propose we make this change for Virgo 3.5 and fix up the documentation to match.

Can you see any downside?

Regards,
Glyn

(In reply to comment #8)
> (In reply to comment #7)
> > To use the KernelLoginModule do the following:
> >
> > - in config/org.eclipse.virgo.kernel.authentication.config declare
> > equinox_console to use the kernel login
> > module
> >
> > - in lib/org.eclipse.virgo.kernel.launch.properties comment the line
> > osgi.console.ssh.useDefaultSecureStorage=true, or set it to false.
> >
> > After doing this you should be able to log in the ssh console with the virgo
> > user and password.
>
> Great! Thanks Lazar.
>
> I propose we make this change for Virgo 3.5 and fix up the documentation to
> match.
>
> Can you see any downside?
>
> Regards,
> Glyn

I think it is OK to make it so. The intention of the login module of the shell was to use digested passwords. But since Virgo uses other credentials, the shell's login module becomes redundant.
Thanks Lazar!
Fixed in kernel commit d5ca77c.
Document changes in commit 542b738.