From: Thomas Wolf <thomas.wolf@paranor.ch>
Date: Thu, 23 Jun 2022 10:14:37 +0000 (+0200)
Subject: [sshd] Correct signature for RSA keys from an SSH agent
X-Git-Tag: v6.3.0.202208161710-m3~35
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Fchanges%2F62%2F194362%2F1;p=jgit.git

[sshd] Correct signature for RSA keys from an SSH agent

Ensure that there is always a list of signature factories in public key
authentication. For keys loaded directly, Apache MINA sshd will use the
(always set) list from the SSH session by default, but for keys from an
SSH agent it won't and instead consider the list set locally on the
UserAuthPublicKey instance. Only that one is null by default, and then
Apache MINA sshd just uses the key type as signature type. Which for
RSA keys from an agent is the "ssh-rsa" signature, i.e., the deprecated
SHA1 signature.

Fix this by explicitly propagating the list from the session to the
UserAuthPublicKey instance if not set already.

Upstream issue is SSHD-1272.[1]

[1] https://issues.apache.org/jira/browse/SSHD-1272

Bug: 580073
Change-Id: Id7a783f19d06c9e7c8494b1fbf7465d392ffc366
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
---

diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
index 96da0cccdd..e1036c6283 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
+ * Copyright (C) 2018, 2022 Thomas Wolf <thomas.wolf@paranor.ch> and others
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0 which is available at
@@ -99,13 +99,18 @@ public class JGitPublicKeyAuthentication extends UserAuthPublicKey {
 					log.debug(PUBKEY_ACCEPTED_ALGORITHMS + ' ' + signatures);
 				}
 				setSignatureFactoriesNames(signatures);
-			} else {
-				log.warn(format(SshdText.get().configNoKnownAlgorithms,
-						PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos));
+				super.init(session, service);
+				return;
 			}
+			log.warn(format(SshdText.get().configNoKnownAlgorithms,
+					PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos));
+		}
+		// TODO: remove this once we're on an sshd version that has SSHD-1272
+		// fixed
+		List<NamedFactory<Signature>> localFactories = getSignatureFactories();
+		if (localFactories == null || localFactories.isEmpty()) {
+			setSignatureFactoriesNames(session.getSignatureFactoriesNames());
 		}
-		// If we don't set signature factories here, the default ones from the
-		// session will be used.
 		super.init(session, service);
 	}