Summary
- Since the earliest releases JOE offers to use an SFTP connection to read and write job-related files on a remote server with JobScheduler Master, for details see
- Starting from
FEATURE AVAILABILITY STARTING FROM RELEASE 1.12.10
JOE offers use of an increased number of authentication methods, their combination and supports use of an SSH Key Agent.
- JOE-286 - Getting issue details... STATUS
JOE Profile Window
Using the JOE menu options File->FTP/SFTP->Open Directory opens the profile window.
In the profile window select the protocol SFTP from the list box with the same name.
Using the SFTP protocol suggests to specify authentication methods with the SFTP tab of this window.
JOE SFTP Authentication Methods Window
Using the SFTP tab from the Profile Window shows the following tab window:
A user name has to be specified independently from the authentication methods to be used.
Keep in mind that all authentication methods have to be enabled accordingly with the SSH server in use.
If in doubt contact your system administrator to check respective settings in sshd_config and related files.
Two-factor Authentication
if the respective checkbox is checked then the following behavior applies:
- You have to specify both Public / Private Key and one of the Password related authentication methods.
- JOE will forward the private key and the password to the SSH server and both authentication methods have to match.
Which password related authentication method has to be be used (Password or Keyboard Interactive) depends on the SSH server settings.
- The following SSH setting would force both Public / Private Key and Password or Keyboard Interactive authentication:
AuthenticationMethods publickey,password publickey,keyboard-interactive
No two-factor Authentication
If the respective checkbox is unchecked then the following behavior applies:
- You can specify any of the authentication methods Public / Private Key, Password or Keyboard Interactive provided that the authentication method is enabled with the SSH server.
- Should the SSH server be configured to allow a number of alternative authentication methods then the following behavior applies:
- JOE will try to use Private / Public Key authentication and then Password authentication.
- If the private key matches then authentication is completed and no Password authentication is performed.
- Should Public / Private Key authentication fail but subsequent Password authentication be successful then the user is authenticated.
- You can specify none of the authentication methods Public / Private Key, Password or Keyboard Interactive. This configuration is used if the user account does not make use of a password, e.g. for anonymous access.
Public / Private Key related Authentication Methods
Use Key Agent
This method makes use of Public / Private Key authentication and retrieves the private key and optionally its passphrase from an SSH Key Agent.
- The SSH server has to be configured like this:
AuthenticationMethods publickey
- Certainly any additional authentication methods can be specified.
Typically an SSH Key Agent is implemented on top of a credential store or a password manager and would forward credentials if requested by JOE.
- The password manager KeePass offers installation of an SSH Key Agent plugin that suggests a good match for a secure credential store with SSH Key Agent support.
- SOS performs regular tests for use of JobScheduler components with KeePass and Key Agent.
- Other SSH Key Agent products can be used provided that they are compliant with the SSH Key Agent standard.
Use Private Key File
This method makes use of Public / Private Key authentication and retrieves the private key from the file system location that you specify with JOE.
- The SSH server has to be configured like this:
AuthenticationMethods publickey
- Certainly any additional authentication methods can be specified.
Passphrase Interactive
This setting can be used if the private key file is protected by a passphrase.
JOE forces interactive user input to enter the password.
Use Passphrase stored with JOE
This setting can be used if the private key file is protected by a passphrase.
The passphrase is stored with the JOE configuration and is obfuscated but is not encrypted. JOE will automatically use the passphrase, i.e. no user interaction is required.
This method is not considered a secure way to handle passphrases, however, for uncritical environments you might consider this a viable approach.
Password related Authentication Methods
Keyboard Interactive
This method indicates that the password has to be typed from the keyboard, it cannot be stored with JOE.
- The SSH server has to be configured like this:
ChallengeResponseAuthentication yes
Password Interactive
This method indicates that Password authentication is used, however, the password is not stored with JOE but has to be typed interactively.
- The SSH server has to be configured like this:
PasswordAuthentication yes
Password stored with JOE
This method makes use of Password authentication.
- The SSH server has to be configured like this:
PasswordAuthentication yes
The password is stored with the JOE configuration and is obfuscated but is not encrypted. JOE will automatically use the password, i.e. no user interaction is required.
This method is not considered a secure way to handle passwords, however, for uncritical environments you might consider this a viable approach.
Logging
Starting from
FEATURE AVAILABILITY STARTING FROM RELEASE 1.12.10
JOE ships with the ./lib/JOE-log4j.properties configuration file that looks like this, see
SET-177
-
Getting issue details...
STATUS
Explanations:
- Line 1: by default exclusively errors and output to stdout is logged.
- Modify this setting to "
debug, stdout, joe" to receive detailed debug information about SSH key exchange.
- Modify this setting to "
- Line 11: the location of the log file is the
./logsfolder of the JOE configuration directory.