summaryrefslogtreecommitdiffstats
path: root/org.eclipse.jgit.ssh.apache.test
diff options
context:
space:
mode:
authorThomas Wolf <thomas.wolf@paranor.ch>2021-06-29 22:57:09 +0200
committerThomas Wolf <thomas.wolf@paranor.ch>2021-07-16 08:45:23 +0200
commit27a1fa1872da9d0da9147941aa6b372dee48cefb (patch)
tree2b5b57e15628ae381371d38325e8a23d6e909fd9 /org.eclipse.jgit.ssh.apache.test
parent1e391d47bad6e18cc5c3f87041e562c3f18a35c7 (diff)
downloadjgit-27a1fa1872da9d0da9147941aa6b372dee48cefb.tar.gz
jgit-27a1fa1872da9d0da9147941aa6b372dee48cefb.zip
[sshd] Implement SSH config KexAlgorithms
Make the used KEX algorithms configurable via the ssh config. Also implement adding algorithms not in the default set: since sshd 2.6.0 deprecated SHA1-based algorithms, it is possible that the default set has not all available algorithms, so adding algorithms makes sense. This enables users who have to use a git server that only supports old SHA1-based key exchange methods to enable those methods in the ssh config: KexAlgorithms +diffie-hellman-group1-sha1 There are two more SHA1 algorithms that are not enabled by default: diffie-hellman-group14-sha1 and diffie-hellman-group-exchange-sha1. KeyAlgorithms accepts a comma-separated list of algorithm names. Since adding algorithms is now supported, adapt the handling of signature algorithms, too. Make sure that definitions for the KEX exchange signature (HostKeyAlgorithms) don't conflict with the definition for signatures for pubkey auth (PubkeyAcceptedAlgorithms). HostKeyAlgorithms updates the signature factories set on the session to include the default factories plus any that might have been added via the SSH config. Move the handling of PubkeyAcceptedAlgorithms from the client to the JGitPubkeyAuthentication, where it can be done only if pubkey auth is attempted at all and where it can store its adapted list of factories locally. Bug: 574636 Change-Id: Ia5d5f174bbc8e5b41e10ec2c25216d861174e7c3 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Diffstat (limited to 'org.eclipse.jgit.ssh.apache.test')
-rw-r--r--org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF1
-rw-r--r--org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java43
2 files changed, 44 insertions, 0 deletions
diff --git a/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF b/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF
index ddb475dc13..1ac8faaa41 100644
--- a/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF
+++ b/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF
@@ -12,6 +12,7 @@ Import-Package: org.apache.sshd.client.config.hosts;version="[2.7.0,2.8.0)",
org.apache.sshd.common.auth;version="[2.7.0,2.8.0)",
org.apache.sshd.common.config.keys;version="[2.7.0,2.8.0)",
org.apache.sshd.common.helpers;version="[2.7.0,2.8.0)",
+ org.apache.sshd.common.kex;version="[2.7.0,2.8.0)",
org.apache.sshd.common.keyprovider;version="[2.7.0,2.8.0)",
org.apache.sshd.common.session;version="[2.7.0,2.8.0)",
org.apache.sshd.common.signature;version="[2.7.0,2.8.0)",
diff --git a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
index c56d2307c6..c1f5fef3cd 100644
--- a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
+++ b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
@@ -34,13 +34,18 @@ import java.util.stream.Collectors;
import org.apache.sshd.client.config.hosts.KnownHostEntry;
import org.apache.sshd.client.config.hosts.KnownHostHashValue;
+import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.config.keys.AuthorizedKeyEntry;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.PublicKeyEntry;
import org.apache.sshd.common.config.keys.PublicKeyEntryResolver;
+import org.apache.sshd.common.kex.BuiltinDHFactories;
+import org.apache.sshd.common.kex.DHFactory;
+import org.apache.sshd.common.kex.KeyExchangeFactory;
import org.apache.sshd.common.session.Session;
import org.apache.sshd.common.util.net.SshdSocketAddress;
import org.apache.sshd.server.ServerAuthenticationManager;
+import org.apache.sshd.server.ServerBuilder;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.forward.StaticDecisionForwardingFilter;
import org.eclipse.jgit.api.Git;
@@ -702,4 +707,42 @@ public class ApacheSshTest extends SshTestBase {
session.disconnect();
}
}
+
+ /**
+ * Tests that one can log in at an even poorer server that also only has the
+ * SHA1 KEX methods available. Apparently this is the case for at least some
+ * Microsoft TFS instances. The user has to enable the poor KEX methods in
+ * the ssh config explicitly; we don't enable them by default.
+ *
+ * @throws Exception
+ * on failure
+ */
+ @Test
+ public void testConnectOnlyRsaSha1() throws Exception {
+ try (SshServer oldServer = createServer(TEST_USER, publicKey1)) {
+ oldServer.setSignatureFactoriesNames("ssh-rsa");
+ List<DHFactory> sha1Factories = BuiltinDHFactories
+ .parseDHFactoriesList(
+ "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1")
+ .getParsedFactories();
+ assertEquals(2, sha1Factories.size());
+ List<KeyExchangeFactory> kexFactories = NamedFactory
+ .setUpTransformedFactories(true, sha1Factories,
+ ServerBuilder.DH2KEX);
+ oldServer.setKeyExchangeFactories(kexFactories);
+ oldServer.start();
+ registerServer(oldServer);
+ installConfig("Host server", //
+ "HostName localhost", //
+ "Port " + oldServer.getPort(), //
+ "User " + TEST_USER, //
+ "IdentityFile " + privateKey1.getAbsolutePath(), //
+ "KexAlgorithms +diffie-hellman-group1-sha1");
+ RemoteSession session = getSessionFactory().getSession(
+ new URIish("ssh://server/doesntmatter"), null, FS.DETECTED,
+ 10000);
+ assertNotNull(session);
+ session.disconnect();
+ }
+ }
}