diff options
author | Thomas Wolf <thomas.wolf@paranor.ch> | 2021-03-18 21:16:48 +0100 |
---|---|---|
committer | Thomas Wolf <thomas.wolf@paranor.ch> | 2021-03-19 17:27:03 +0100 |
commit | ffc1f9b02618a59ee72298e9af15f64fe157fa8a (patch) | |
tree | e84cb42ffa06acbaa78a721d3e4ad465555cf78a /org.eclipse.jgit.ssh.apache.test | |
parent | e5aa53fec99bb7ec45442ab3d0ba58e1d52ee248 (diff) | |
download | jgit-ffc1f9b02618a59ee72298e9af15f64fe157fa8a.tar.gz jgit-ffc1f9b02618a59ee72298e9af15f64fe157fa8a.zip |
sshd: implement ssh config PubkeyAcceptedAlgorithms
Apache MINA sshd 2.6.0 appears to use only the first appropriate
public key signature algorithm for a particular key. See [1]. For
RSA keys, that is rsa-sha2-512. This breaks authentication at servers
that only know the older (and deprecated) ssh-rsa algorithm.
With PubkeyAcceptedAlgorithms, users can re-order algorithms in
the ssh config file per host, if needed. Setting
PubkeyAcceptedAlgorithms ^ssh-rsa
will put "ssh-rsa" at the front of the list of algorithms, and then
authentication at such servers with RSA keys works again.
[1] https://issues.apache.org/jira/browse/SSHD-1105
Bug: 572056
Change-Id: I86c3b93f05960c68936e80642965815926bb2532
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Diffstat (limited to 'org.eclipse.jgit.ssh.apache.test')
3 files changed, 86 insertions, 25 deletions
diff --git a/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF b/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF index 30eb2bf8b6..b035453529 100644 --- a/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF +++ b/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF @@ -14,6 +14,7 @@ Import-Package: org.apache.sshd.client.config.hosts;version="[2.6.0,2.7.0)", org.apache.sshd.common.helpers;version="[2.6.0,2.7.0)", org.apache.sshd.common.keyprovider;version="[2.6.0,2.7.0)", org.apache.sshd.common.session;version="[2.6.0,2.7.0)", + org.apache.sshd.common.signature;version="[2.6.0,2.7.0)", org.apache.sshd.common.util.net;version="[2.6.0,2.7.0)", org.apache.sshd.common.util.security;version="[2.6.0,2.7.0)", org.apache.sshd.core;version="[2.6.0,2.7.0)", diff --git a/org.eclipse.jgit.ssh.apache.test/build.properties b/org.eclipse.jgit.ssh.apache.test/build.properties index 9ffa0caf78..406c5a768f 100644 --- a/org.eclipse.jgit.ssh.apache.test/build.properties +++ b/org.eclipse.jgit.ssh.apache.test/build.properties @@ -3,3 +3,5 @@ output.. = bin/ bin.includes = META-INF/,\ .,\ plugin.properties +additional.bundles = org.apache.log4j,\ + org.slf4j.binding.log4j12 diff --git a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java index 97f97f9028..09d048b4fa 100644 --- a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java +++ b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java @@ -47,7 +47,9 @@ import org.eclipse.jgit.api.Git; import org.eclipse.jgit.api.errors.TransportException; import org.eclipse.jgit.junit.ssh.SshTestBase; import org.eclipse.jgit.lib.Constants; +import org.eclipse.jgit.transport.RemoteSession; import org.eclipse.jgit.transport.SshSessionFactory; +import org.eclipse.jgit.transport.URIish; import org.eclipse.jgit.util.FS; import org.junit.Test; import org.junit.experimental.theories.Theories; @@ -232,64 +234,89 @@ public class ApacheSshTest extends SshTestBase { } /** - * Creates a simple proxy server. Accepts only publickey authentication from - * the given user with the given key, allows all forwardings. Adds the - * proxy's host key to {@link #knownHosts}. + * Creates a simple SSH server without git setup. * * @param user * to accept * @param userKey * public key of that user at this server - * @param report - * single-element array to report back the forwarded address. - * @return the started server + * @return the {@link SshServer}, not yet started * @throws Exception */ - private SshServer createProxy(String user, File userKey, - SshdSocketAddress[] report) throws Exception { - SshServer proxy = SshServer.setUpDefaultServer(); + private SshServer createServer(String user, File userKey) throws Exception { + SshServer srv = SshServer.setUpDefaultServer(); // Give the server its own host key KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA"); generator.initialize(2048); KeyPair proxyHostKey = generator.generateKeyPair(); - proxy.setKeyPairProvider( + srv.setKeyPairProvider( session -> Collections.singletonList(proxyHostKey)); // Allow (only) publickey authentication - proxy.setUserAuthFactories(Collections.singletonList( + srv.setUserAuthFactories(Collections.singletonList( ServerAuthenticationManager.DEFAULT_USER_AUTH_PUBLIC_KEY_FACTORY)); // Install the user's public key PublicKey userProxyKey = AuthorizedKeyEntry .readAuthorizedKeys(userKey.toPath()).get(0) .resolvePublicKey(null, PublicKeyEntryResolver.IGNORING); - proxy.setPublickeyAuthenticator( + srv.setPublickeyAuthenticator( (userName, publicKey, session) -> user.equals(userName) && KeyUtils.compareKeys(userProxyKey, publicKey)); - // Allow forwarding - proxy.setForwardingFilter(new StaticDecisionForwardingFilter(true) { + return srv; + } - @Override - protected boolean checkAcceptance(String request, Session session, - SshdSocketAddress target) { - report[0] = target; - return super.checkAcceptance(request, session, target); - } - }); - proxy.start(); + /** + * Writes the server's host key to our knownhosts file. + * + * @param srv to register + * @throws Exception + */ + private void registerServer(SshServer srv) throws Exception { // Add the proxy's host key to knownhosts try (BufferedWriter writer = Files.newBufferedWriter( knownHosts.toPath(), StandardCharsets.US_ASCII, StandardOpenOption.WRITE, StandardOpenOption.APPEND)) { writer.append('\n'); KnownHostHashValue.appendHostPattern(writer, "localhost", - proxy.getPort()); + srv.getPort()); writer.append(','); KnownHostHashValue.appendHostPattern(writer, "127.0.0.1", - proxy.getPort()); + srv.getPort()); writer.append(' '); PublicKeyEntry.appendPublicKeyEntry(writer, - proxyHostKey.getPublic()); + srv.getKeyPairProvider().loadKeys(null).iterator().next().getPublic()); writer.append('\n'); } + } + + /** + * Creates a simple proxy server. Accepts only publickey authentication from + * the given user with the given key, allows all forwardings. Adds the + * proxy's host key to {@link #knownHosts}. + * + * @param user + * to accept + * @param userKey + * public key of that user at this server + * @param report + * single-element array to report back the forwarded address. + * @return the started server + * @throws Exception + */ + private SshServer createProxy(String user, File userKey, + SshdSocketAddress[] report) throws Exception { + SshServer proxy = createServer(user, userKey); + // Allow forwarding + proxy.setForwardingFilter(new StaticDecisionForwardingFilter(true) { + + @Override + protected boolean checkAcceptance(String request, Session session, + SshdSocketAddress target) { + report[0] = target; + return super.checkAcceptance(request, session, target); + } + }); + proxy.start(); + registerServer(proxy); return proxy; } @@ -606,4 +633,35 @@ public class ApacheSshTest extends SshTestBase { } } } + + /** + * Tests that one can log in to an old server that doesn't handle + * rsa-sha2-512 if one puts ssh-rsa first in the client's list of public key + * signature algorithms. + * + * @see <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=572056">bug + * 572056</a> + * @throws Exception + * on failure + */ + @Test + public void testConnectAuthSshRsaPubkeyAcceptedAlgorithms() + throws Exception { + try (SshServer oldServer = createServer(TEST_USER, publicKey1)) { + oldServer.setSignatureFactoriesNames("ssh-rsa"); + oldServer.start(); + registerServer(oldServer); + installConfig("Host server", // + "HostName localhost", // + "Port " + oldServer.getPort(), // + "User " + TEST_USER, // + "IdentityFile " + privateKey1.getAbsolutePath(), // + "PubkeyAcceptedAlgorithms ^ssh-rsa"); + RemoteSession session = getSessionFactory().getSession( + new URIish("ssh://server/doesntmatter"), null, FS.DETECTED, + 10000); + assertNotNull(session); + session.disconnect(); + } + } } |