Karaf
  1. Karaf
  2. KARAF-1354

SSH Log-In failes with "Authentication failed" with valid credentials

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.0, 3.0.0
    • Component/s: karaf-shell
    • Labels:
      None
    • Environment:

      Windows 7

      Description

      The login via SSH fails using valid credentials due to a bug in the role checking procedure.
      Error message "Authentication failed"

      Log entries in karaf:

      [INFO ] ServerSession - Session created...
      [INFO ] ServerSession - Client version string: SSH-2.0-PuTTY_KiTTY
      [DEBUG] ServerSession - Received packet SSH_MSG_KEXINIT
      [INFO ] ServerSession - Received SSH_MSG_KEXINIT
      [DEBUG] ServerSession - Received packet SSH_MSG_KEXDH_INIT
      [INFO ] AbstractDHGServer - Received SSH_MSG_KEXDH_INIT
      ...
      [INFO ] AbstractDHGServer - Send SSH_MSG_KEXDH_REPLY
      [INFO ] AbstractSession - Send SSH_MSG_NEWKEYS
      [DEBUG] ServerSession - Received packet SSH_MSG_NEWKEYS
      [INFO ] ServerSession - Received SSH_MSG_NEWKEYS
      [DEBUG] ServerSession - Received packet SSH_MSG_IGNORE
      [INFO ] ServerSession - Received SSH_MSG_IGNORE
      [DEBUG] ServerSession - Received packet SSH_MSG_SERVICE_REQUEST
      [INFO ] ServerSession - Received SSH_MSG_SERVICE_REQUEST 'ssh-userauth'
      [INFO ] ServerSession - Accepting user authentication request
      [INFO ] ServerSession - Authorized authentication methods: password,publickey
      [DEBUG] ServerSession - Received packet SSH_MSG_IGNORE
      [INFO ] ServerSession - Received SSH_MSG_IGNORE
      [DEBUG] ServerSession - Received packet SSH_MSG_USERAUTH_REQUEST
      [INFO ] ServerSession - Received SSH_MSG_USERAUTH_REQUEST
      [INFO ] ServerSession - Authenticating user 'karaf' with method 'none'
      [INFO ] ServerSession - Unsupported authentication method 'none'
      [DEBUG] ServerSession - Received packet SSH_MSG_IGNORE
      [INFO ] ServerSession - Received SSH_MSG_IGNORE
      [DEBUG] ServerSession - Received packet SSH_MSG_USERAUTH_REQUEST
      [INFO ] ServerSession - Received SSH_MSG_USERAUTH_REQUEST
      [INFO ] ServerSession - Authenticating user 'karaf' with method 'password'
      [DEBUG] KarafJaasPasswordAuthenticator - User authentication failed with User does not have the required role admin

      javax.security.auth.login.FailedLoginException: User does not have the required role admin
      at org.apache.karaf.shell.ssh.KarafJaasPasswordAuthenticator.authenticate(KarafJaasPasswordAuthenticator.ja
      va:104)[65:org.apache.karaf.shell.ssh:3.0.0.SNAPSHOT]
      at org.apache.sshd.server.auth.UserAuthPassword.checkPassword(UserAuthPassword.java:55)[64:sshd-core:0.6.0]

      at org.apache.sshd.server.auth.UserAuthPassword.auth(UserAuthPassword.java:49)[64:sshd-core:0.6.0]
      at org.apache.sshd.server.session.ServerSession.userAuth(ServerSession.java:388)[64:sshd-core:0.6.0]
      at org.apache.sshd.server.session.ServerSession.handleMessage(ServerSession.java:201)[64:sshd-core:0.6.0]
      at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:538)[64:sshd-core:0.6.0]
      at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:232)[64:sshd-core:0.
      6.0]
      at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:58)[64:ssh
      d-core:0.6.0]
      at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.ja
      va:716)[63:org.apache.mina.core:2.0.4]
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:
      434)[63:org.apache.mina.core:2.0.4]
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)[63:org.a
      pache.mina.core:2.0.4]
      at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.j
      ava:796)[63:org.apache.mina.core:2.0.4]
      at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)[63:org.apache
      .mina.core:2.0.4]
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:
      434)[63:org.apache.mina.core:2.0.4]
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
      [63:org.apache.mina.core:2.0.4]
      at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)[63:org
      .apache.mina.core:2.0.4]
      at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)[63:
      org.apache.mina.core:2.0.4]
      at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)[63:
      org.apache.mina.core:2.0.4]
      at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)[6
      3:org.apache.mina.core:2.0.4]
      at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:11
      41)[63:org.apache.mina.core:2.0.4]
      at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)[63:org.apache.mina.core:
      2.0.4]
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)[:1.6.0_29]
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)[:1.6.0_29]
      at java.lang.Thread.run(Thread.java:662)[:1.6.0_29]
      [INFO ] ServerSession - Authentication failed
      [DEBUG] ServerSession - Received packet SSH_MSG_IGNORE
      [INFO ] ServerSession - Received SSH_MSG_IGNORE

        Activity

        Hide
        Lukas Roedl added a comment -

        The procedure in the KarafJaasPasswordAuthenticator tries to check against org.apache.karaf.jaas.modules.RolePrincipal but the class name seems to have changed to org.apache.karaf.jaas.boot.principal.RolePrincipal

        Show
        Lukas Roedl added a comment - The procedure in the KarafJaasPasswordAuthenticator tries to check against org.apache.karaf.jaas.modules.RolePrincipal but the class name seems to have changed to org.apache.karaf.jaas.boot.principal.RolePrincipal
        Hide
        Lukas Roedl added a comment -

        Changed the class name to org.apache.karaf.jaas.boot.principal.RolePrincipal

        Show
        Lukas Roedl added a comment - Changed the class name to org.apache.karaf.jaas.boot.principal.RolePrincipal
        Hide
        Achim Nierbeck added a comment -

        My bad, missed this when I did the refactoring for KARAF-1305.
        Thanks for spotting it and providing the patch

        Show
        Achim Nierbeck added a comment - My bad, missed this when I did the refactoring for KARAF-1305 . Thanks for spotting it and providing the patch
        Hide
        Jürgen Kindler added a comment -

        Could that be relevant for 2.3.0 as well? (As some other stuff related to authentication as also been ported to 2.3.0 ...)

        Show
        Jürgen Kindler added a comment - Could that be relevant for 2.3.0 as well? (As some other stuff related to authentication as also been ported to 2.3.0 ...)
        Hide
        Jürgen Kindler added a comment -

        As a side remark: It appears strange that KarafJaasPasswordAuthenticator logs such problems only in DEBUG mode. I would expect that such problems are logged at info, if not warning level...

        Show
        Jürgen Kindler added a comment - As a side remark: It appears strange that KarafJaasPasswordAuthenticator logs such problems only in DEBUG mode. I would expect that such problems are logged at info, if not warning level...
        Hide
        Jean-Baptiste Onofré added a comment -
        Show
        Jean-Baptiste Onofré added a comment - Log level changed on karaf-2.3.x: http://svn.apache.org/viewvc?view=revision&revision=1396591
        Hide
        Jean-Baptiste Onofré added a comment -

        FYI, karaf-2.3.x was not affected by this issue (bad class name).

        Show
        Jean-Baptiste Onofré added a comment - FYI, karaf-2.3.x was not affected by this issue (bad class name).
        Hide
        Jean-Baptiste Onofré added a comment -
        Show
        Jean-Baptiste Onofré added a comment - Log level changed on trunk: http://svn.apache.org/viewvc?view=revision&revision=1396594

          People

          • Assignee:
            Jean-Baptiste Onofré
            Reporter:
            Lukas Roedl
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development