authorThomas Wolf <thomas.wolf@paranor.ch>2021-03-19 09:35:34 +0100
committerThomas Wolf <thomas.wolf@paranor.ch>2021-03-19 17:28:24 +0100
commitfd3edc7bfc65f9bdfe785c92c72790261881dd40 (patch)
treea0bace2a047603ce40ed087dfba9f2efec753dd5 /org.eclipse.jgit.ssh.apache.test/tst
parent6faee128f8930b851d33f1f06cb77b3e1b9a0cc5 (diff)
sshd: try all configured signature algorithms for a key
For RSA keys, there may be several configured signature algorithms: rsa-sha2-512, rsa-sha2-256, and ssh-rsa. Upstream sshd has bug SSHD-1105 [1] and always and unconditionally uses only the first configured algorithm. With the default order, this means that it cannot connect to a server that knows only ssh-rsa, like for instance Apache MINA sshd servers older than 2.6.0. This affects for instance bitbucket.org or also AWS Code Commit. Re-introduce our own pubkey authenticator that fixes this. Note that a server may impose a penalty (back-off delay) for subsequent authentication attempts with signature algorithms unknown to the server. In such cases, users can re-order the signature algorithm list via the PubkeyAcceptedAlgorithms (formerly PubkeyAcceptedKeyTypes) ssh config. [1] https://issues.apache.org/jira/browse/SSHD-1105 Bug: 572056 Change-Id: I7fb9c759ab6532e5f3b6524e9084085ddb2f30d6 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Diffstat (limited to 'org.eclipse.jgit.ssh.apache.test/tst')
-rw-r--r--org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java38
1 files changed, 38 insertions, 0 deletions
diff --git a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
index 09d048b4fa..c56d2307c6 100644
--- a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
+++ b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
@@ -664,4 +664,42 @@ public class ApacheSshTest extends SshTestBase {
session.disconnect();
}
}
+
+ /**
+ * Tests that one can log in to an old server that knows only the ssh-rsa
+ * signature algorithm. The client has by default the list of signature
+ * algorithms for RSA as "rsa-sha2-512,rsa-sha2-256,ssh-rsa". It should try
+ * all three with the single key configured, and finally succeed.
+ * <p>
+ * The re-ordering mechanism (see
+ * {@link #testConnectAuthSshRsaPubkeyAcceptedAlgorithms()}) is still
+ * important; servers may impose a penalty (back-off delay) for subsequent
+ * attempts with signature algorithms unknown to the server. So a user
+ * connecting to such a server and noticing delays may still want to put
+ * ssh-rsa first in the list for that host.
+ * </p>
+ *
+ * @see <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=572056">bug
+ * 572056</a>
+ * @throws Exception
+ * on failure
+ */
+ @Test
+ public void testConnectAuthSshRsa() throws Exception {
+ try (SshServer oldServer = createServer(TEST_USER, publicKey1)) {
+ oldServer.setSignatureFactoriesNames("ssh-rsa");
+ oldServer.start();
+ registerServer(oldServer);
+ installConfig("Host server", //
+ "HostName localhost", //
+ "Port " + oldServer.getPort(), //
+ "User " + TEST_USER, //
+ "IdentityFile " + privateKey1.getAbsolutePath());
+ RemoteSession session = getSessionFactory().getSession(
+ new URIish("ssh://server/doesntmatter"), null, FS.DETECTED,
+ 10000);
+ assertNotNull(session);
+ session.disconnect();
+ }
+ }
}
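Review bot: The new testConnectAuthSshRsa only asserts that a session is obtained, so it cannot tell a client that fell back to ssh-rsa after rsa-sha2-512 and rsa-sha2-256 from one that offered the SHA-1 algorithm first; a later regression that reorders or trims the default RSA signature list to prefer ssh-rsa would still pass. If SshTestBase or the server exposes the publickey authentication attempts (not visible in this hunk), assert that three attempts were made for the single configured key, or add a companion test against a server restricted to rsa-sha2-512 that passes without any ssh-rsa attempt. Until then, a one-line note in the Javadoc such as `* Note: this test covers the fallback only; it does not verify that ssh-rsa is tried last.` would make the gap explicit to the next maintainer. The rest of the class is outside the hunk, so the existing testConnectAuthSshRsaPubkeyAcceptedAlgorithms referenced by the Javadoc could not be checked for overlap.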