[ https://issues.apache.org/jira/browse/SSHD-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17867371#comment-17867371 ]

Thomas Wolf commented on SSHD-1229:
-----------------------------------

Actually, there is a bug in the handling of "these methods that can continue". 
See [GH-533|https://github.com/apache/mina-sshd/issues/533]. Basically: if the 
server is configured with {{AuthenticationMethods publickey,publickey}}, the 
client will re-try the key that succeeded the first auth again for the second 
one. And if the server is configured with {{publickey,password}}, the client 
will continue with public key authentication all the same, which is a problem 
if there are more keys, or if the successful one was an RSA key and there are still 
weaker signature algorithms to try.

I'll fix these things as part of the Github issue, and will close this one as a 
duplicate.

> Infinite clientMethods iteration in ClientUserAuthService
> ---------------------------------------------------------
>
>                 Key: SSHD-1229
>                 URL: https://issues.apache.org/jira/browse/SSHD-1229
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.7.0
>            Reporter: Sergey Panov
>            Priority: Major
>
> Hello,
>  
> I've come across that the 
> org.apache.sshd.client.session.ClientUserAuthService#clientMethods list could 
> be iterated over and over again until a client terminates connection. This 
> happens when a server requires two-factor authentication. Although RFC 4252 
> [Page 5] ([https://www.ietf.org/rfc/rfc4252.txt]) recommends that the server 
> return only authentication methods that have not been successfully 
> completed, some implementations ignore this. If the authentication is 
> partially successful, but the server returns the same list of authentication 
> methods, the 0th client authentication method will be used repeatedly.
> {code:java}
> protected void processUserAuth(Buffer buffer) throws Exception {
>     ...
>     if (cmd == SshConstants.SSH_MSG_USERAUTH_FAILURE) {
>         String mths = buffer.getString();
>         boolean partial = buffer.getBoolean();
>         if (log.isDebugEnabled()) {
>             log.debug("processUserAuth({}) Received SSH_MSG_USERAUTH_FAILURE - partial={}, methods={}",
>                     session, partial, mths);
>         }
>         if (partial || (serverMethods == null)) {
>             serverMethods = Arrays.asList(GenericUtils.split(mths, ','));
>             // If a server is always returning the same list of methods, the "next"
>             // client method in clientMethods will be on index 0
>             currentMethod = 0;
>             if (userAuth != null) {
>                 try {
>                     try {
>                         userAuth.signalAuthMethodFailure(
>                                 session, service, partial, Collections.unmodifiableList(serverMethods), buffer);
>                     } finally {
>                         userAuth.destroy();
>                     }
>                 } finally {
>                     userAuth = null;
>                 }
>             }
>         }
>         tryNext(cmd);
>         return;
>     }
>     ...
> }
> {code}
>  
> {code:java}
> protected void tryNext(int cmd) throws Exception {
>     ClientSession session = getClientSession();
>     // Loop until we find something to try
>     for (boolean debugEnabled = log.isDebugEnabled();; debugEnabled = log.isDebugEnabled()) {
>         ...
>         String method = null;
>         for (; currentMethod < clientMethods.size(); currentMethod++) {
>             // Always selects the 0th client method when the previous
>             // authentication method was "partially successful"
>             method = clientMethods.get(currentMethod);
>             if (serverMethods.contains(method)) {
>                 break;
>             }
>         }
>         ...
>     }
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
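The selection loop quoted in the issue, reduced to a small simulation so the infinite iteration can be reproduced offline. This is an added example, not mina-sshd code and not the fix made for GH-533: the Server class, the initial "none" probe, and the `skip_completed` remedy (never re-offer a method that already produced a partial success) are assumptions of this example. The server is modelled as an OpenSSH-style `AuthenticationMethods publickey,password` requirement, once as an RFC 4252 compliant server that advertises only the outstanding methods and once as a server that keeps advertising the full list.

```python
"""Simulation of the SSH userauth method-selection loop from SSHD-1229.

Constructed example: the Server and the client loop are simplified
models of the protocol exchange, not mina-sshd's ClientUserAuthService.
"""

SUCCESS = "SSH_MSG_USERAUTH_SUCCESS"


class Failure:
    """Models SSH_MSG_USERAUTH_FAILURE: the name-list of methods that
    'can continue' plus the partial-success flag (RFC 4252, section 5.1)."""

    def __init__(self, methods, partial):
        self.methods = list(methods)
        self.partial = partial


class Server:
    """Requires every method in `required` to succeed, like an OpenSSH
    'AuthenticationMethods publickey,password' line (assumed model).
    A compliant server advertises only the methods still outstanding; a
    non-compliant one keeps advertising the full list after a partial
    success, which is the behaviour the issue describes."""

    def __init__(self, required, advertise_remaining_only):
        self.required = list(required)
        self.completed = []
        self.advertise_remaining_only = advertise_remaining_only

    def userauth_request(self, method):
        if method not in self.required:
            # Method not acceptable ("none" probe included): plain failure.
            return Failure(self._advertised(), partial=False)
        if method not in self.completed:
            self.completed.append(method)
        if len(self.completed) == len(self.required):
            return SUCCESS
        # One factor accepted, more needed: partial success.
        return Failure(self._advertised(), partial=True)

    def _advertised(self):
        if self.advertise_remaining_only:
            return [m for m in self.required if m not in self.completed]
        return self.required


def run_client(client_methods, server, skip_completed, max_requests=8):
    """Client side of the loop. skip_completed=False reproduces the report:
    every partial success resets currentMethod to 0 and the first client
    method the server still lists is chosen, even if it just succeeded.
    skip_completed=True is this example's remedy (an assumption, not the
    project's fix): never re-offer a method that already partially succeeded.
    Returns (outcome, list of methods offered after the "none" probe)."""
    # Assumed "none" probe to learn the server's method list up front.
    server_methods = server.userauth_request("none").methods
    current = 0          # index into client_methods, as in tryNext()
    completed = set()
    attempts = []
    while len(attempts) < max_requests:
        method = None
        while current < len(client_methods):
            candidate = client_methods[current]
            allowed = candidate in server_methods
            if allowed and not (skip_completed and candidate in completed):
                method = candidate
                break
            current += 1
        if method is None:
            return "no-more-methods", attempts
        attempts.append(method)
        reply = server.userauth_request(method)
        if reply == SUCCESS:
            return "success", attempts
        if reply.partial:
            # processUserAuth(): refresh the server list and restart at index 0
            server_methods = reply.methods
            current = 0
            completed.add(method)
        else:
            # The method failed outright: move on to the next client method.
            current += 1
    return "loop-detected", attempts


def scenario(skip_completed, advertise_remaining_only):
    """Constructed scenario: client offers three methods, server needs two."""
    server = Server(["publickey", "password"], advertise_remaining_only)
    return run_client(["publickey", "password", "keyboard-interactive"],
                      server, skip_completed)


if __name__ == "__main__":
    print("buggy client, server repeats full list:", scenario(False, False))
    print("fixed client, server repeats full list:", scenario(True, False))
    print("buggy client, RFC-compliant server:    ", scenario(False, True))
```

The third scenario is why the defect stays hidden against most servers: once the server stops listing `publickey`, the reset to index 0 is harmless. Only a server that keeps advertising the completed method turns the reset into the endless `publickey` retry shown by the first scenario.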
