source.dussan.org Git - jgit.git/commit

author	Thomas Wolf <thomas.wolf@paranor.ch>
	Fri, 19 Mar 2021 08:35:34 +0000 (09:35 +0100)
committer	Thomas Wolf <thomas.wolf@paranor.ch>
	Fri, 19 Mar 2021 16:28:24 +0000 (17:28 +0100)
commit	fd3edc7bfc65f9bdfe785c92c72790261881dd40
tree	a0bace2a047603ce40ed087dfba9f2efec753dd5	tree \| snapshot
parent	6faee128f8930b851d33f1f06cb77b3e1b9a0cc5	commit \| diff

sshd: try all configured signature algorithms for a key

For RSA keys, there may be several configured signature algorithms:
rsa-sha2-512, rsa-sha2-256, and ssh-rsa. Upstream sshd has bug
SSHD-1105 [1] and always and unconditionally uses only the first
configured algorithm. With the default order, this means that it cannot
connect to a server that knows only ssh-rsa, like for instance Apache
MINA sshd servers older than 2.6.0.

This affects for instance bitbucket.org or also AWS Code Commit.

Re-introduce our own pubkey authenticator that fixes this.

Note that a server may impose a penalty (back-off delay) for subsequent
authentication attempts with signature algorithms unknown to the server.
In such cases, users can re-order the signature algorithm list via the
PubkeyAcceptedAlgorithms (formerly PubkeyAcceptedKeyTypes) ssh config.

[1] https://issues.apache.org/jira/browse/SSHD-1105

Bug: 572056
Change-Id: I7fb9c759ab6532e5f3b6524e9084085ddb2f30d6
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>

org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java		diff \| blob \| history
org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthFactory.java	[new file with mode: 0644]	blob
org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java	[new file with mode: 0644]	blob
org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java		diff \| blob \| history