Apache MINA sshd client: respect NumberOfPasswordPrompts 88/131888/9
authorThomas Wolf <thomas.wolf@paranor.ch>
Wed, 3 Oct 2018 06:27:40 +0000 (08:27 +0200)
committerMatthias Sohn <matthias.sohn@sap.com>
Tue, 13 Nov 2018 18:49:26 +0000 (10:49 -0800)
Set the internal property on the session as defined in the ssh config.

Note that NumberOfPasswordPrompts in openssh applies independently to
both user logins in keyboard-interactive authentication _and_ to
passphrases for identity files (encrypted keys). Apache MINA sshd uses
the setting only for keyboard-interactive authentication, but not for
identity file passphrase prompts. For identity files, it asks exactly
once. This has been reported as issue SSHD-850 upstream.[1]

[1] https://issues.apache.org/jira/browse/SSHD-850

Bug: 520927
Change-Id: I390ffe9e1c52b96d3e8e28fd8edbdc73dde9edb4
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java

index 963e3d95facd975db14ad557df6df3f4a7745d50..0dc8ecc9a663396d265cb319f30d33d4ba0b6ca3 100644 (file)
@@ -1,6 +1,7 @@
 authenticationCanceled=Authentication canceled: no password
 closeListenerFailed=Ssh session close listener failed
 configInvalidPath=Invalid path in ssh config key {0}: {1}
+configInvalidPositive=Ssh config entry {0} must be a strictly positive number but is ''{1}''
 ftpCloseFailed=Closing the SFTP channel failed
 gssapiFailure=GSS-API error for mechanism OID {0}
 gssapiInitFailure=GSS-API initialization failure for mechanism {0}
index 2d8a6361caf1851ca7dc0c8f9fab62f982ef7657..36e448623287ce063fcb39002e43aa6976a1edf2 100644 (file)
@@ -43,6 +43,7 @@
 package org.eclipse.jgit.internal.transport.sshd;
 
 import static java.text.MessageFormat.format;
+import static org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile.positive;
 
 import java.io.IOException;
 import java.net.InetSocketAddress;
@@ -183,6 +184,9 @@ public class JGitSshClient extends SshClient {
                if (session.getCredentialsProvider() == null) {
                        session.setCredentialsProvider(getCredentialsProvider());
                }
+               int numberOfPasswordPrompts = getNumberOfPasswordPrompts(hostConfig);
+               session.getProperties().put(PASSWORD_PROMPTS,
+                               Integer.valueOf(numberOfPasswordPrompts));
                FileKeyPairProvider ourConfiguredKeysProvider = null;
                List<Path> identities = hostConfig.getIdentities().stream()
                                .map(s -> {
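Review bot: The two added lines that store PASSWORD_PROMPTS on the session carry no comment about which prompts the value governs, so a reader of the code alone may assume it also limits passphrase prompts for encrypted identity files. A short comment above the `put` would prevent that, e.g. `// Applies to keyboard-interactive prompts only; sshd asks for a key passphrase exactly once (SSHD-850).` PASSWORD_PROMPTS is defined outside this hunk, presumably inherited from the sshd client classes, and the enclosing method starts and ends outside the hunk as well.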
@@ -213,6 +217,23 @@ public class JGitSshClient extends SshClient {
                return session;
        }
 
+       private int getNumberOfPasswordPrompts(HostConfigEntry hostConfig) {
+               String prompts = hostConfig
+                               .getProperty(SshConstants.NUMBER_OF_PASSWORD_PROMPTS);
+               if (prompts != null) {
+                       prompts = prompts.trim();
+                       int value = positive(prompts);
+                       if (value > 0) {
+                               return value;
+                       }
+                       log.warn(format(SshdText.get().configInvalidPositive,
+                                       SshConstants.NUMBER_OF_PASSWORD_PROMPTS, prompts));
+               }
+               // Default for NumberOfPasswordPrompts according to
+               // https://man.openbsd.org/ssh_config
+               return 3;
+       }
+
        /**
         * Set a cache for loaded keys. Newly discovered keys will be added when
         * IdentityFile host entries from the ssh config file are used during
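Review bot: When the configured value is rejected, getNumberOfPasswordPrompts falls through to `return 3;`, yet the warning logged just before it only says the entry is invalid and never states that three prompts will be used. A user who wrote `0` to suppress prompts (which OpenSSH appears to accept, worth confirming) would get three prompts here and could not tell from the log. I would name the literal, `private static final int DEFAULT_NUMBER_OF_PASSWORD_PROMPTS = 3;` with `return DEFAULT_NUMBER_OF_PASSWORD_PROMPTS;`, and add a Javadoc to the method stating that a missing, non-numeric or non-positive value yields the default after a warning. The `positive` helper is defined outside this page, so its return value for unparsable input is assumed here to be non-positive.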
index 75f88423611fc918d169d093641f8715a8156889..865a8ebaa264191efd06922e9c4f5db99089a651 100644 (file)
@@ -21,6 +21,7 @@ public final class SshdText extends TranslationBundle {
        /***/ public String authenticationCanceled;
        /***/ public String closeListenerFailed;
        /***/ public String configInvalidPath;
+       /***/ public String configInvalidPositive;
        /***/ public String ftpCloseFailed;
        /***/ public String gssapiFailure;
        /***/ public String gssapiInitFailure;