From 4c555f0742856bb21efcb2df53c7ceac921ffe80 Mon Sep 17 00:00:00 2001 From: Thomas Wolf Date: Thu, 6 Jan 2022 19:33:44 +0100 Subject: sshd: backport upstream fix for SSHD-1231 SSHD-1231[1] may lead to exceptions when trying to authenticate first with an RSA key that is rejected by the server. The upstream fix is a one-liner but unfortunately didn't make it into Apache MINA sshd 2.8.0. Incorporate the upstream fix in JGitPublicKeyAuthentication, and add a test case for this. [1] https://issues.apache.org/jira/browse/SSHD-1231 Bug: 577545 Change-Id: Ia744cd4aa569bccd937c855f3bb45c0116915bad Signed-off-by: Thomas Wolf --- .../eclipse/jgit/transport/sshd/ApacheSshTest.java | 26 ++++++++++++++++++++++ .../sshd/JGitPublicKeyAuthentication.java | 14 ++++++++++++ 2 files changed, 40 insertions(+) diff --git a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java index ccaf98ced0..3d7c7651c1 100644 --- a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java +++ b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java @@ -107,6 +107,32 @@ public class ApacheSshTest extends SshTestBase { "IdentityFile " + privateKey1.getAbsolutePath()); } + /** + * Test for SSHD-1231. If authentication is attempted first with an RSA key, + * which is rejected, and then with some other key type (here ed25519), + * authentication fails in bug SSHD-1231. + * + * @throws Exception + * on errors + * @see SSHD-1231 + */ + @Test + public void testWrongKeyFirst() throws Exception { + File userKey = new File(getTemporaryDirectory(), "userkey"); + copyTestResource("id_ed25519", userKey); + File publicKey = new File(getTemporaryDirectory(), "userkey.pub"); + copyTestResource("id_ed25519.pub", publicKey); + server.setTestUserPublicKey(publicKey.toPath()); + cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, // + "Host git", // + "HostName localhost", // + "Port " + testPort, // + "User " + TEST_USER, // + "IdentityFile " + privateKey1.getAbsolutePath(), // RSA + "IdentityFile " + userKey.getAbsolutePath()); + } + @Test public void testHashedKnownHosts() throws Exception { assertTrue("Failed to delete known_hosts", knownHosts.delete()); diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java index c082a9a963..2996a221ce 100644 --- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java +++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java @@ -108,4 +108,18 @@ public class JGitPublicKeyAuthentication extends UserAuthPublicKey { }; } } + + @Override + protected PublicKeyIdentity resolveAttemptedPublicKeyIdentity( + ClientSession session, String service) throws Exception { + PublicKeyIdentity result = super.resolveAttemptedPublicKeyIdentity( + session, service); + // This fixes SSHD-1231. Can be removed once we're using Apache MINA + // sshd > 2.8.0. + // + // See https://issues.apache.org/jira/browse/SSHD-1231 + currentAlgorithms.clear(); + return result; + } + } -- cgit v1.2.3