J2SSH - Alternative Authentication Methods


J2SSH provides several authentication methods that are more advanced than standard password authentication. This tutorial covers the following authentication methods:

Public-key Authentication
Keyboard-interactive Authentication
Hostbased Authentication

This tutorial also covers the following related issues:

Getting the banner message from the server

Public-key Authentication

This method of authentication uses public-key cryptography to verify the user's identity. The user can access an account on an SSH server by proving that they possess a private key. The key is authorized if it is contained within the user's authorization file.

J2SSH implements the 'public-key' authentication method with the following class:

import com.sshtools.j2ssh.authentication.PublicKeyAuthenticationClient;

Public-key authentication requires a little more configuration. First you will require a key pair which can be generated using the ssh-keygen tool, located in the bin directory of the J2SSH installation.

C:\sshtools-j2ssh\bin>ssh-keygen -b 1024 -t dsa mykey 

This command creates a 1024 bit DSA key pair and saves the private key as mykey and the public key as mykey.pub. Enter the private key passphrase when prompted or simply press return if you don't want the file encrypted with a passphrase. You will be prompted to confirm again that you don't want any passphrase protecting the private key file.

The ssh-keygen tool outputs the public key file in the IETF-SECSH Public Key file format. This is suitable for most SSH servers; however, you may need to convert the file if you are using OpenSSH. You can convert the file using the following command:

C:\sshtools-j2ssh\bin>ssh-keygen -e mykey.pub > mykey.open

This command converts the public key file mykey.pub into a new file mykey.open. Similarly, it is possible to convert an OpenSSH file into an IETF-SECSH file using the -e switch. To use this key to gain access to your SSH server, you must configure the server to allow access using the key. Refer to your server documentation for how to configure your specific server; this normally involves configuring an authorization file, stored either in the server installation directory or in your $USER_HOME/.ssh directory. The following is a typical example of an authorization file:

#SSH Authorization file
key mykey.pub
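
What the IETF-SECSH to OpenSSH conversion described above involves, shown as an added example that is not part of the original tutorial or of J2SSH. The class name SecshToOpenSsh is hypothetical and the sample key is constructed (its blob carries only the algorithm name, not real key material).

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example: converts an IETF-SECSH (RFC 4716) public key to an OpenSSH one-line entry. */
public class SecshToOpenSsh {
    static final String BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----";
    static final String END = "---- END SSH2 PUBLIC KEY ----";

    static String convert(String secsh) {
        String[] lines = secsh.trim().split("\\r?\\n");
        if (lines.length < 3 || !lines[0].trim().equals(BEGIN)
                || !lines[lines.length - 1].trim().equals(END))
            throw new IllegalArgumentException("missing SSH2 PUBLIC KEY markers");
        StringBuilder body = new StringBuilder();
        String comment = "";
        for (int i = 1; i < lines.length - 1; i++) {
            String line = lines[i].trim();
            if (line.contains(":")) {               // header line "Tag: value"
                while (line.endsWith("\\") && i < lines.length - 2)  // value continues on next line
                    line = line.substring(0, line.length() - 1) + lines[++i].trim();
                String[] kv = line.split(":", 2);
                if (kv[0].trim().equalsIgnoreCase("Comment"))
                    comment = kv[1].trim().replaceAll("^\"|\"$", "");
            } else {
                body.append(line);                  // base64-encoded key blob
            }
        }
        byte[] blob = Base64.getDecoder().decode(body.toString());
        // The blob starts with an SSH string (uint32 length + bytes) naming the algorithm.
        ByteBuffer buf = ByteBuffer.wrap(blob);
        int len = blob.length >= 4 ? buf.getInt() : -1;
        if (len <= 0 || len > buf.remaining())
            throw new IllegalArgumentException("key blob has no algorithm name");
        String type = new String(blob, 4, len, StandardCharsets.US_ASCII);
        String out = type + " " + Base64.getEncoder().encodeToString(blob);
        return comment.isEmpty() ? out : out + " " + comment;
    }

    public static void main(String[] args) {
        // Constructed sample: the blob holds only the algorithm name "ssh-dss", not a real key.
        String sample = BEGIN + "\n"
                + "Comment: \"constructed sample, \\\n"
                + "not a real key\"\n"
                + "AAAAB3NzaC1kc3M=\n"
                + END + "\n";
        System.out.println(convert(sample));
    }
}
```

The OpenSSH form is one line per key (algorithm name, base64 blob, optional comment), which is why the multi-line IETF-SECSH file has to be converted before an OpenSSH server will accept it.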

Once your server is configured you can connect using your newly generated key with the following code:

import java.io.File;
import com.sshtools.j2ssh.authentication.PublicKeyAuthenticationClient;
import com.sshtools.j2ssh.transport.publickey.SshPrivateKey;
import com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile;
import com.sshtools.j2ssh.transport.publickey.SshtoolsPrivateKeyFormat;
..
..
/**
* Authenticate using a public key
*/
PublicKeyAuthenticationClient pk = new PublicKeyAuthenticationClient();
// Get the username
System.out.print("Username: ");
String username = reader.readLine();
pk.setUsername(username);
// Open up the private key file
System.out.print("Path to key: ");
String keyfile = reader.readLine();
SshPrivateKeyFile file = SshPrivateKeyFile.parse(new File(keyfile));
// Get the key
System.out.print("Enter passphrase: ");
String passphrase = reader.readLine();
SshPrivateKey key = file.toPrivateKey(passphrase);
// Set the key and authenticate
pk.setKey(key);
int result = ssh.authenticate(pk);

For an empty passphrase, simply provide a zero-length string or null. You can also determine whether a private key file is encrypted by calling the following method on the SshPrivateKeyFile instance:

public boolean isPassphraseProtected();
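
One way to combine isPassphraseProtected() with the authentication call above, as an added example that is not part of the original tutorial: the passphrase is requested only when the key file is encrypted, it is read without echo, and the int result is checked. The class and method names are hypothetical, an already connected SshClient is assumed, and AuthenticationProtocolState is a J2SSH class that this page does not show.

```java
import java.io.Console;
import java.io.File;
import com.sshtools.j2ssh.SshClient;
import com.sshtools.j2ssh.authentication.AuthenticationProtocolState;
import com.sshtools.j2ssh.authentication.PublicKeyAuthenticationClient;
import com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile;

/** Added example; PublicKeyLogin and login() are hypothetical names. */
public class PublicKeyLogin {
    /** Returns true only when the server reports authentication as complete. */
    static boolean login(SshClient ssh, String username, File keyFile) throws Exception {
        SshPrivateKeyFile file = SshPrivateKeyFile.parse(keyFile);
        String passphrase = null;              // null is accepted for an unencrypted key
        if (file.isPassphraseProtected()) {
            Console console = System.console();
            if (console == null)
                throw new IllegalStateException("no console to read the passphrase from");
            // readPassword() does not echo the typed characters to the terminal
            char[] typed = console.readPassword("Passphrase for %s: ", keyFile.getName());
            if (typed == null)
                throw new IllegalStateException("no passphrase entered");
            passphrase = new String(typed);
        }
        PublicKeyAuthenticationClient pk = new PublicKeyAuthenticationClient();
        pk.setUsername(username);
        pk.setKey(file.toPrivateKey(passphrase));
        int result = ssh.authenticate(pk);
        switch (result) {
            case AuthenticationProtocolState.COMPLETE:
                return true;
            case AuthenticationProtocolState.PARTIAL:
                // Key accepted, but the server requires a further authentication method
                System.err.println("Further authentication required");
                return false;
            default:
                // FAILED or CANCELLED: the key was rejected or the attempt was aborted
                System.err.println("Public-key authentication failed");
                return false;
        }
    }
}
```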


Keyboard-interactive Authentication

The 'keyboard-interactive' method is a general-purpose authentication mechanism for the SSH protocol, suitable for interactive authentications where the authentication data should be entered via a keyboard. The goal of this method is to allow an SSH client to support a whole class of authentication mechanisms without knowing the specifics of the actual authentication implementation. The most common use for this method is to provide password authentication, so this section assumes that the server provides password authentication over keyboard-interactive.

J2SSH implements the keyboard-interactive authentication method with the following class:

import com.sshtools.j2ssh.authentication.KBIAuthenticationClient;

This method works by providing a callback interface to the authentication subsystem so that the server can request information from the user. Any number of prompts are returned with the name of the authentication mechanism and instructions to display to the user.

import com.sshtools.j2ssh.authentication.KBIAuthenticationClient;
import com.sshtools.j2ssh.authentication.KBIPrompt;
import com.sshtools.j2ssh.authentication.KBIRequestHandler;
..
..
/**
* Create the keyboard-interactive instance
*/
KBIAuthenticationClient kbi = new KBIAuthenticationClient();
   
// Set the callback interface
kbi.setKBIRequestHandler(new KBIRequestHandler() {
  public void showPrompts(String name, String instructions, KBIPrompt[] prompts)    {
    // Print out the name and instructions
    System.out.println(name);
    System.out.println(instructions);
   
    // Iterate through the prompts showing one at a time
    String response;
    if(prompts!=null) {
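      for(int i=0;i<prompts.length;i++) {
        System.out.print(prompts[i].getPrompt() + ": ");
        try {
          response = reader.readLine();
          prompts[i].setResponse(response);
        } catch(java.io.IOException ex) {
          // No input could be read: answer this prompt with an empty response
          prompts[i].setResponse("");
        }
      }
    }
  }
});

// Authenticate using the keyboard-interactive instance
int result = ssh.authenticate(kbi);
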

Hostbased Authentication
The hostbased authentication method provides a quick but much less secure method of authenticating on the remote server. An SSH server can be configured to allow a client to authenticate based on the host key of the client computer. Whilst this configuration varies according to server implementation, J2SSH implements a simple authentication mechanism for hostbased access. The following code shows how to authenticate using this method.

import java.io.File;
import com.sshtools.j2ssh.authentication.HostbasedAuthenticationClient;
import com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile;
..
..
HostbasedAuthenticationClient hb = new HostbasedAuthenticationClient();
// Get the username
System.out.print("Username: ");
String username = reader.readLine();

hb.setUsername(username);
SshPrivateKeyFile file = SshPrivateKeyFile.parse(
    new File("/etc/ssh/server_host_key"));
// Load the host key without a passphrase
hb.setKey(file.toPrivateKey(null));
int result = ssh.authenticate(hb);


The Authentication Banner Message
After the initial connection has been made, the server may send an authentication banner message which should be shown to the user prior to authentication. Use the getAuthenticationBanner() method to retrieve the banner message. If no message has been received this method returns an empty string.

public String getAuthenticationBanner();
