summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java6
-rw-r--r--src/main/java/com/gitblit/transport/ssh/UsernamePasswordAuthenticator.java5
-rw-r--r--src/test/java/com/gitblit/tests/SshDaemonTest.java65
3 files changed, 67 insertions, 9 deletions
diff --git a/src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java b/src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java
index b6d233cf..06444606 100644
--- a/src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java
+++ b/src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java
@@ -54,10 +54,7 @@ public class SshKrbAuthenticator extends GSSAuthenticator {
public boolean validateIdentity(ServerSession session, String identity) {
log.info("identify with kerberos {}", identity);
SshDaemonClient client = session.getAttribute(SshDaemonClient.KEY);
- if (client.getUser() != null) {
- log.info("{} has already authenticated!", identity);
- return true;
- }
+
String username = identity.toLowerCase(Locale.US);
if (stripDomain) {
int p = username.indexOf('@');
@@ -67,6 +64,7 @@ public class SshKrbAuthenticator extends GSSAuthenticator {
}
UserModel user = authManager.authenticate(username);
if (user != null) {
+// TODO: Check if the user was set in the client and if it is the same as this user. Do not allow changing the user during the SSH auth process.
client.setUser(user);
return true;
}
diff --git a/src/main/java/com/gitblit/transport/ssh/UsernamePasswordAuthenticator.java b/src/main/java/com/gitblit/transport/ssh/UsernamePasswordAuthenticator.java
index e9e2d7e1..fa56baa8 100644
--- a/src/main/java/com/gitblit/transport/ssh/UsernamePasswordAuthenticator.java
+++ b/src/main/java/com/gitblit/transport/ssh/UsernamePasswordAuthenticator.java
@@ -45,14 +45,11 @@ public class UsernamePasswordAuthenticator implements PasswordAuthenticator {
@Override
public boolean authenticate(String username, String password, ServerSession session) {
SshDaemonClient client = session.getAttribute(SshDaemonClient.KEY);
- if (client.getUser() != null) {
- log.info("{} has already authenticated!", username);
- return true;
- }
username = username.toLowerCase(Locale.US);
UserModel user = authManager.authenticate(username, password.toCharArray(), null);
if (user != null) {
+// TODO: Check if the user was set in the client and if it is the same as this user. Do not allow changing the user during the SSH auth process.
client.setUser(user);
return true;
}
diff --git a/src/test/java/com/gitblit/tests/SshDaemonTest.java b/src/test/java/com/gitblit/tests/SshDaemonTest.java
index c7d06198..e88dc9bb 100644
--- a/src/test/java/com/gitblit/tests/SshDaemonTest.java
+++ b/src/test/java/com/gitblit/tests/SshDaemonTest.java
@@ -16,10 +16,12 @@
package com.gitblit.tests;
import java.io.File;
+import java.security.KeyPair;
import java.text.MessageFormat;
import java.util.List;
import org.apache.sshd.client.SshClient;
+import org.apache.sshd.client.future.AuthFuture;
import org.apache.sshd.client.session.ClientSession;
import org.eclipse.jgit.api.CloneCommand;
import org.eclipse.jgit.api.Git;
@@ -42,11 +44,72 @@ public class SshDaemonTest extends SshUnitTest {
String url = GitBlitSuite.sshDaemonUrl;
@Test
+ public void testPasswordAuthentication() throws Exception {
+ SshClient client = getClient();
+ ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+
+ session.addPasswordIdentity(password);
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertTrue(authFuture.isSuccess());
+ }
+
+ @Test
public void testPublicKeyAuthentication() throws Exception {
SshClient client = getClient();
ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+
session.addPublicKeyIdentity(rwKeyPair);
- assertTrue(session.auth().await());
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertTrue(authFuture.isSuccess());
+ }
+
+ @Test
+ public void testWrongPublicKeyAuthentication() throws Exception {
+ SshClient client = getClient();
+ ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+ KeyPair attackKeyPair = generator.generateKeyPair();
+
+ session.addPublicKeyIdentity(attackKeyPair);
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertFalse(authFuture.isSuccess());
+ }
+
+ @Test
+ public void testWrongPublicKeyThenPasswordAuthentication() throws Exception {
+ SshClient client = getClient();
+ ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+ KeyPair otherKeyPair = generator.generateKeyPair();
+
+ session.addPublicKeyIdentity(otherKeyPair);
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertFalse(authFuture.isSuccess());
+
+ session.addPasswordIdentity(password);
+ authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertTrue(authFuture.isSuccess());
+ }
+
+ @Test
+ public void testWrongPublicKeyThenWrongPasswordAuthentication() throws Exception {
+ SshClient client = getClient();
+ ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession();
+ KeyPair otherKeyPair = generator.generateKeyPair();
+ KeyPair attackKeyPair = new KeyPair(rwKeyPair.getPublic(), otherKeyPair.getPrivate());
+
+ session.addPublicKeyIdentity(attackKeyPair);
+ AuthFuture authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertFalse(authFuture.isSuccess());
+
+ session.addPasswordIdentity("nothing");
+ authFuture = session.auth();
+ assertTrue(authFuture.await());
+ assertFalse(authFuture.isSuccess());
}
@Test
generated by cgit v1.2.3 (git 2.39.1) at 2025-06-18 05:59:04 +0000