From bd2e85e6ef1194033a2b25637f6c4769c7f82732 Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Sat, 14 Jun 2025 11:57:01 +0200 Subject: fix: Prevent premature authentication on failed ssh key challege MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Many thanks to András Veres-Szentkirályi for the report and the support in understanding and finding the issue. --- src/test/java/com/gitblit/tests/SshDaemonTest.java | 65 +++++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) (limited to 'src/test/java/com/gitblit/tests/SshDaemonTest.java') diff --git a/src/test/java/com/gitblit/tests/SshDaemonTest.java b/src/test/java/com/gitblit/tests/SshDaemonTest.java index c7d06198..e88dc9bb 100644 --- a/src/test/java/com/gitblit/tests/SshDaemonTest.java +++ b/src/test/java/com/gitblit/tests/SshDaemonTest.java @@ -16,10 +16,12 @@ package com.gitblit.tests; import java.io.File; +import java.security.KeyPair; import java.text.MessageFormat; import java.util.List; import org.apache.sshd.client.SshClient; +import org.apache.sshd.client.future.AuthFuture; import org.apache.sshd.client.session.ClientSession; import org.eclipse.jgit.api.CloneCommand; import org.eclipse.jgit.api.Git; @@ -41,12 +43,73 @@ public class SshDaemonTest extends SshUnitTest { String url = GitBlitSuite.sshDaemonUrl; + @Test + public void testPasswordAuthentication() throws Exception { + SshClient client = getClient(); + ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession(); + + session.addPasswordIdentity(password); + AuthFuture authFuture = session.auth(); + assertTrue(authFuture.await()); + assertTrue(authFuture.isSuccess()); + } + @Test public void testPublicKeyAuthentication() throws Exception { SshClient client = getClient(); ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession(); + session.addPublicKeyIdentity(rwKeyPair); - assertTrue(session.auth().await()); + AuthFuture authFuture = session.auth(); + assertTrue(authFuture.await()); + assertTrue(authFuture.isSuccess()); + } + + @Test + public void testWrongPublicKeyAuthentication() throws Exception { + SshClient client = getClient(); + ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession(); + KeyPair attackKeyPair = generator.generateKeyPair(); + + session.addPublicKeyIdentity(attackKeyPair); + AuthFuture authFuture = session.auth(); + assertTrue(authFuture.await()); + assertFalse(authFuture.isSuccess()); + } + + @Test + public void testWrongPublicKeyThenPasswordAuthentication() throws Exception { + SshClient client = getClient(); + ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession(); + KeyPair otherKeyPair = generator.generateKeyPair(); + + session.addPublicKeyIdentity(otherKeyPair); + AuthFuture authFuture = session.auth(); + assertTrue(authFuture.await()); + assertFalse(authFuture.isSuccess()); + + session.addPasswordIdentity(password); + authFuture = session.auth(); + assertTrue(authFuture.await()); + assertTrue(authFuture.isSuccess()); + } + + @Test + public void testWrongPublicKeyThenWrongPasswordAuthentication() throws Exception { + SshClient client = getClient(); + ClientSession session = client.connect(username, "localhost", GitBlitSuite.sshPort).verify().getSession(); + KeyPair otherKeyPair = generator.generateKeyPair(); + KeyPair attackKeyPair = new KeyPair(rwKeyPair.getPublic(), otherKeyPair.getPrivate()); + + session.addPublicKeyIdentity(attackKeyPair); + AuthFuture authFuture = session.auth(); + assertTrue(authFuture.await()); + assertFalse(authFuture.isSuccess()); + + session.addPasswordIdentity("nothing"); + authFuture = session.auth(); + assertTrue(authFuture.await()); + assertFalse(authFuture.isSuccess()); } @Test -- cgit v1.2.3