From db4f7dffb78113a6ba7bea35f7a27b6260e31646 Mon Sep 17 00:00:00 2001 From: Thomas Wolf Date: Thu, 23 Jun 2022 12:14:37 +0200 Subject: [PATCH] [sshd] Correct signature for RSA keys from an SSH agent Ensure that there is always a list of signature factories in public key authentication. For keys loaded directly, Apache MINA sshd will use the (always set) list from the SSH session by default, but for keys from an SSH agent it won't and instead consider the list set locally on the UserAuthPublicKey instance. Only that one is null by default, and then Apache MINA sshd just uses the key type as signature type. Which for RSA keys from an agent is the "ssh-rsa" signature, i.e., the deprecated SHA1 signature. Fix this by explicitly propagating the list from the session to the UserAuthPublicKey instance if not set already. Upstream issue is SSHD-1272.[1] [1] https://issues.apache.org/jira/browse/SSHD-1272 Bug: 580073 Change-Id: Id7a783f19d06c9e7c8494b1fbf7465d392ffc366 Signed-off-by: Thomas Wolf --- .../sshd/JGitPublicKeyAuthentication.java | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java index 96da0cccdd..e1036c6283 100644 --- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java +++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2018, 2021 Thomas Wolf and others + * Copyright (C) 2018, 2022 Thomas Wolf and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Distribution License v. 1.0 which is available at @@ -99,13 +99,18 @@ public class JGitPublicKeyAuthentication extends UserAuthPublicKey { log.debug(PUBKEY_ACCEPTED_ALGORITHMS + ' ' + signatures); } setSignatureFactoriesNames(signatures); - } else { - log.warn(format(SshdText.get().configNoKnownAlgorithms, - PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos)); + super.init(session, service); + return; } + log.warn(format(SshdText.get().configNoKnownAlgorithms, + PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos)); + } + // TODO: remove this once we're on an sshd version that has SSHD-1272 + // fixed + List> localFactories = getSignatureFactories(); + if (localFactories == null || localFactories.isEmpty()) { + setSignatureFactoriesNames(session.getSignatureFactoriesNames()); } - // If we don't set signature factories here, the default ones from the - // session will be used. super.init(session, service); } -- 2.39.5