The new Equinox SSH console is based on SSHD and allows secure connections using SSH. The nice thing about SSH is key-based authentication. A common format to specify allowed keys is using an 'authorized_keys' file as typically found on Unix systems. It should be possible to feed the SSH server with such a file in order to allow login using a key.
I pushed the first attempt here: https://github.com/eclipseguru/rt.equinox.bundles/tree/ssh_authorized_keys
If a system property 'ssh.server.authorized_keys' is specified, it may point to a file which contains a list of keys that are allowed to connect to the SSH console. The file will be read every time a connection is made so that it can be modified dynamically at runtime.
The commit to pull is: https://github.com/eclipseguru/rt.equinox.bundles/commit/c182c5bc903bb81e55b01d2797a9d70220dd24e2
I wrote all this code and have the rights to contribute it to Eclipse under the eclipse.org web site terms of use.
(In reply to comment #2)
> The commit to pull is:
> https://github.com/eclipseguru/rt.equinox.bundles/commit/c182c5bc903bb81e55b01d2797a9d70220dd24e2
>
> I wrote all this code and have the rights to contribute it to Eclipse under the
> eclipse.org web site terms of use.
Thanks a lot for the contribution, Gunnar! This certainly will make usage of the ssh easier. I just submitted it to the original project with commit http://git.eclipse.org/c/equinox/rt.equinox.bundles.git/commit/?id=9feee7d4bc2425d1592b49ebd2d91f7964bc5c28
Could you also provide a test for the feature?
Does this now allow login without the jaas stuff?
(In reply to comment #4)
> Does this now allow login without the jaas stuff?
Yes. Currently it accepts anything as username as long as a matching SSH key is specified in the file.
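The behaviour described in the comments above (the authorized_keys file is read again for every connection, and any username is accepted when the key matches), as an added example that is not part of this thread or of the Equinox code base. The class and method names are hypothetical, only ssh-rsa entries are handled, quoted options containing spaces are not parsed, and the sample keys and file are constructed:

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
// Added illustration; AuthorizedKeysCheck is a hypothetical class, not Equinox code.
public class AuthorizedKeysCheck {
    // SSH wire form of an RSA public key: string "ssh-rsa", mpint e, mpint n.
    static byte[] sshRsaBlob(RSAPublicKey key) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        byte[][] fields = { "ssh-rsa".getBytes(StandardCharsets.US_ASCII),
                key.getPublicExponent().toByteArray(), key.getModulus().toByteArray() };
        for (byte[] f : fields) { out.writeInt(f.length); out.write(f); }
        return buf.toByteArray();
    }
    static String entry(RSAPublicKey key, String comment) throws Exception {
        return "ssh-rsa " + Base64.getEncoder().encodeToString(sshRsaBlob(key)) + " " + comment + "\n";
    }
    // Reads the file on every call, so edits take effect on the next connection.
    // No username parameter: only the key decides, as described in the thread.
    static boolean isAuthorized(Path file, PublicKey presented) throws Exception {
        if (!(presented instanceof RSAPublicKey)) return false; // example covers ssh-rsa only
        byte[] wanted = sshRsaBlob((RSAPublicKey) presented);
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            List<String> tokens = Arrays.asList(line.trim().split("\\s+"));
            int i = tokens.indexOf("ssh-rsa"); // simple options may precede the key type
            if (line.trim().startsWith("#") || i < 0 || i + 1 >= tokens.size()) continue;
            try {
                byte[] listed = Base64.getDecoder().decode(tokens.get(i + 1));
                if (MessageDigest.isEqual(wanted, listed)) return true;
            } catch (IllegalArgumentException badBase64) { /* skip the malformed entry */ }
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RSAPublicKey alice = (RSAPublicKey) gen.generateKeyPair().getPublic(); // constructed keys
        RSAPublicKey bob = (RSAPublicKey) gen.generateKeyPair().getPublic();
        Path file = Files.createTempFile("authorized_keys", null);
        Files.write(file, ("# constructed sample file\n" + entry(alice, "alice@example")).getBytes(StandardCharsets.UTF_8));
        System.out.println("alice listed: " + isAuthorized(file, alice));
        System.out.println("bob before edit: " + isAuthorized(file, bob));
        Files.write(file, entry(bob, "bob@example").getBytes(StandardCharsets.UTF_8), StandardOpenOption.APPEND);
        System.out.println("bob after edit: " + isAuthorized(file, bob));
    }
}
```

Because the key is the only credential in this model, write access to the authorized_keys file is equivalent to console access, so the file's permissions deserve the same care as the keys themselves.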
Lazar,
I have two more commits which improve the extensibility of the SSH console.
Any bundle (with sufficient permission) may provide an authenticator by registering an OSGi service. If no specific authorized_keys file is configured (via system property) the OSGi service registry will be searched for available authenticators.
https://github.com/eclipseguru/rt.equinox.bundles/commit/ec7d1c4ae60bdf65ebd53596e8142a27b80c6da5
https://github.com/eclipseguru/rt.equinox.bundles/commit/193b9e948d8d2134bd62b24c751a62f714d8c4b5
Let me know if you have any questions.
(In reply to comment #6)
> Lazar,
>
> I have two more commits which improve the extensibility of the SSH console.
>
> Any bundle (with sufficient permission) may provide an authenticator by
> registering an OSGi service. If no specific authorized_keys file is configured
> (via system property) the OSGi service registry will be searched for available
> authenticators.
>
> https://github.com/eclipseguru/rt.equinox.bundles/commit/ec7d1c4ae60bdf65ebd53596e8142a27b80c6da5
> https://github.com/eclipseguru/rt.equinox.bundles/commit/193b9e948d8d2134bd62b24c751a62f714d8c4b5
>
> Let me know if you have any questions.
Thanks Gunnar,
Contribution submitted with commit http://git.eclipse.org/c/equinox/rt.equinox.bundles.git/commit/?id=f8ceac0dbadd22dc7e587d0bc1cb0505e9fc4a93
Lazar
Currently if no authorized_keys file is specified, the ssh console always searches for registered authenticator services for custom public keys authentication. I changed this behavior so that the console now searches for registered authenticator services only if explicitly specified by setting ssh.custom.publickeys.auth=true. Added with commit http://git.eclipse.org/c/equinox/rt.equinox.bundles.git/commit/?id=b7f03fdfb8b04a9dbe8f40a7e7b5316b17c77801
(In reply to comment #8)
> Currently if no authorized_keys file is specified, the ssh console always
> searches for registered authenticator services for custom public keys
> authentication. I changed this behavior so that the console now searches for
> registered authenticator services only if explicitly specified by setting
> ssh.custom.publickeys.auth=true.
+1
The behavior doesn't need to be enabled by default. Having this optional is a good idea (as we discussed at EclipseCon).
Created attachment 213730
Patch containing documentation for the fix.
(In reply to comment #10)
> Created attachment 213730
> Patch containing documentation for the fix.
Tom, could you apply this documentation patch?
(In reply to comment #11)
> (In reply to comment #10)
> > Created attachment 213730
> > Patch containing documentation for the fix.
>
> Tom, could you apply this documentation patch?
Hmmm, unfortunately my id can no longer commit to this repo. I opened a bug with the foundation to get this fixed.
(In reply to comment #11)
> (In reply to comment #10)
> > Created attachment 213730
> > Patch containing documentation for the fix.
>
> Tom, could you apply this documentation patch?
Done.
http://git.eclipse.org/c/platform/eclipse.platform.common.git/commit/?id=a98ae21883ced8728a00619dfba38a0c89599543
Closing as fixed.