author | Florian Zschocke <f.zschocke+git@gmail.com> | 2025-06-14 11:57:01 +0200 |
committer | Florian Zschocke <f.zschocke+git@gmail.com> | 2025-06-14 11:57:01 +0200 |
commit | bd2e85e6ef1194033a2b25637f6c4769c7f82732 (patch) | |
tree | 8f68dcb496a1a76547521a48f1d0907f75ac376c /src/test/java/com/gitblit/tests/SshDaemonTest.java | |
parent | ad6c6b2816da45f34ba1d54d2e55f2af86adfe92 (diff) | |
fix: Prevent premature authentication on failed ssh key challenge
Many thanks to András Veres-Szentkirályi for the report and the support
in understanding and finding the issue.
Diffstat (limited to 'src/test/java/com/gitblit/tests/SshDaemonTest.java')
-rw-r--r-- | src/test/java/com/gitblit/tests/SshDaemonTest.java | 65 |
1 files changed, 64 insertions, 1 deletions
diff --git a/src/test/java/com/gitblit/tests/SshDaemonTest.java b/src/test/java/com/gitblit/tests/SshDaemonTest.java
index c7d06198..e88dc9bb 100644
--- a/src/test/java/com/gitblit/tests/SshDaemonTest.java
+++ b/src/test/java/com/gitblit/tests/SshDaemonTest.java
@@ -16,10 +16,12 @@ package com.gitblit.tests;
 import java.io.File;
+import java.security.KeyPair;
 import java.text.MessageFormat;
 import java.util.List;
 import org.apache.sshd.client.SshClient;
+import org.apache.sshd.client.future.AuthFuture;
 import org.apache.sshd.client.session.ClientSession;
 import org.eclipse.jgit.api.CloneCommand;
 import org.eclipse.jgit.api.Git;
@@ -42,11 +44,72 @@ public class SshDaemonTest extends SshUnitTest {
 String url = GitBlitSuite.sshDaemonUrl;
 @Test
+ public void testPasswordAuthentication() throws Exception {
+ SshClient client = getClient();
+ ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+
+ session.addPasswordIdentity(password);
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertTrue(authFuture.isSuccess());
+ }
+
+ @Test
 public void testPublicKeyAuthentication() throws Exception {
 SshClient client = getClient();
 ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+
 session.addPublicKeyIdentity(rwKeyPair);
- assertTrue(session.auth().await());
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertTrue(authFuture.isSuccess());
+ }
+
+ @Test
+ public void testWrongPublicKeyAuthentication() throws Exception {
+ SshClient client = getClient();
+ ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+ KeyPair attackKeyPair = generator.generateKeyPair();
+
+ session.addPublicKeyIdentity(attackKeyPair);
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertFalse(authFuture.isSuccess());
+ }
+
+ @Test
+ public void testWrongPublicKeyThenPasswordAuthentication() throws Exception {
+ SshClient client = getClient();
+ ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+ KeyPair otherKeyPair = generator.generateKeyPair();
+
+ session.addPublicKeyIdentity(otherKeyPair);
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertFalse(authFuture.isSuccess());
+
+ session.addPasswordIdentity(password);
+ authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertTrue(authFuture.isSuccess());
+ }
+
+ @Test
+ public void testWrongPublicKeyThenWrongPasswordAuthentication() throws Exception {
+ SshClient client = getClient();
+ ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+ KeyPair otherKeyPair = generator.generateKeyPair();
+ KeyPair attackKeyPair = new KeyPair(rwKeyPair.getPublic(), otherKeyPair.getPrivate());
+
+ session.addPublicKeyIdentity(attackKeyPair);
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertFalse(authFuture.isSuccess());
+
+ session.addPasswordIdentity("nothing");
+ authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertFalse(authFuture.isSuccess());
 }
 @Test |
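Review bot: The sessions opened by the new tests are never closed — in testPasswordAuthentication and the three tests that follow it, `client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession()` is assigned to a local and dropped, so a failing assertion leaves the connection open for the rest of the suite; `try (ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession()) { ... }` around each body would fix that. The mismatched pair in testWrongPublicKeyThenWrongPasswordAuthentication, `new KeyPair(rwKeyPair.getPublic(), otherKeyPair.getPrivate())`, is the case that actually exercises the fix named in the commit title — a public key the server knows whose signature must still fail — whereas testWrongPublicKeyAuthentication only presents a key the server has never seen, and that distinction is not visible from the method names; a comment such as `// known public key paired with a foreign private key: the signature check must fail and must not leave the session pre-authenticated` would make the intent explicit. The untimed `authFuture.await()` calls will hang rather than fail if the daemon never answers; `await(timeoutMillis)` is the safer form, though the rest of the class is outside this hunk so I cannot tell whether a suite-level timeout already covers it.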