Major Description
I am trying to upload a file via SSH with private key authentication, using the wagon-maven-plugin plugin. The Linux server that is also integrated with Kerberos (which I don't use).
Although I provide a valid privateKey, and I set <preferredAuthentications>publickey</preferredAuthentications>, the Kerberos authentication is always triggered.
While investigating, I have found the following root cause:
In settings.xml, for a <server> you can decide to use SSH key based authentication instead of username/password:
<server>
<id>myserver</id>
<username>bamboo</username>
<privateKey>...path to the file...</privateKey>
<configuration>
<preferredAuthentications>publickey</preferredAuthentications>
</configuration>
</server>
According to the documentation, this authentication option only works if you omit the password element, otherwise privateKey is ignored.
However, if password is omitted, then preferredAuthentications is ignored, as can be seen in AbstractJschWagon.java :: openConnectionInternal (line 254)
if ( authenticationInfo.getPassword() != null ) { config.setProperty( "PreferredAuthentications", preferredAuthentications ); }
Thus, in practice, if you use privateKey based authentication, you cannot control the PreferredAuthentications parameter, and the default value is used: gssapi-with-mic,publickey,password,keyboard-interactive. This triggers Kerberos based authentication as the first option.
A simple patch to solve this issue is to add to the lines above an else branch, like this:
if ( authenticationInfo.getPassword() != null )
{
config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
else if ( !"gssapi-with-mic,publickey,password,keyboard-interactive".equals( preferredAuthentications ) )
{
// if different then the default, always set
config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
or to remove the the surrounding if-statement all-together