[
https://issues.apache.org/jira/browse/SSHD-473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14572380#comment-14572380
]
Jochen Seliger commented on SSHD-473:
-------------------------------------
Hi Guillaume,
I've further tested.
The PasswordAthentikation at the MINA SSHD is buggy.
The authenitikator, implemented somewhere, is approving any user as long as the
user name is passed as password too.
That way any user may get a shell connection, established by the SSHD-Server,
whiile earning the priveliges of the user, who has started the server on the
remote system.
That is unacceptable.
Here my logg with user "bad_password" and password "bad_password":
Please consider that the logg is reporting, that the shell was opened for usre
bad_password@linux-0h68, allthoug the user has earned the accout of jochen (only
jochen is an existing account of the remote system).
Further please have a look at the two authentication runs.
createSSHClient false entered
Jun 04, 2015 9:08:11 AM org.apache.sshd.common.util.SecurityUtils register
INFORMATION: BouncyCastle not registered, using the default JCE provider
after SSHClient creation + start
Jun 04, 2015 9:08:11 AM org.apache.sshd.client.session.ClientSessionImpl <init>
INFORMATION: Client session created
Jun 04, 2015 9:08:11 AM org.apache.sshd.common.session.AbstractSession
writePacket
INFORMATION: Start flagging packets as pending until key exchange is done
Jun 04, 2015 9:08:11 AM org.apache.sshd.client.session.ClientSessionImpl
readIdentification
INFORMATION: Server version string: SSH-2.0-SSHD-CORE-0.14.0
ClientSesion established
Jun 04, 2015 9:08:12 AM
org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier verifyServerKey
WARNUNG: Server at /127.0.0.1:8000 presented unverified DSA key:
e4:76:f3:c2:15:64:7f:e4:5f:b7:86:35:a5:3e:85:35
Jun 04, 2015 9:08:12 AM org.apache.sshd.common.session.AbstractSession
doHandleMessage
INFORMATION: Dequeing pending packets
Jun 04, 2015 9:08:12 AM org.apache.sshd.client.session.ClientUserAuthServiceNew
processUserAuth
INFORMATION: Received SSH_MSG_USERAUTH_FAILURE
Jun 04, 2015 9:08:12 AM org.apache.sshd.client.auth.UserAuthKeyboardInteractive
process
INFORMATION: Received Password authentication en-US
Jun 04, 2015 9:08:12 AM org.apache.sshd.client.session.ClientUserAuthServiceNew
processUserAuth
INFORMATION: Received SSH_MSG_USERAUTH_SUCCESS
ShellChannel established
ShellChannell opened
sh: no job control in this shell
bad_password@linux-0h68:/home/jochen/workspace/USF_SSH_WS> whoami
whoami
jochen
bad_password@linux-0h68:/home/jochen/workspace/USF_SSH_WS>
As I wrote yesterday there are errors at the SERVERs-PasswordAuthentication
procedure.
First there is an authentikator running, allthough I've implemented an own
Authenticator, returning in any cas false (this code is never entered).
The logic ot this unknown authenticator is wrong (he is acception any user, as
long as the user name is passed as password too).
There is opened a shell connection for a user, who has started the SSHD-server,
not the one, who is trying to connect. That could be acceptable, but has to be
anounced. And there should be a handable solution, to change/set the shell owner
(this user can only be an existing user at the remote system).
Generally I hope, you accept my error report and route it to the appropriate
personality at appache, if not you are maintaining the SSHD-server.
The logic for Passwordtauthentication procedure as implemented I consider as
unacceptable.
I'm hoping for your further help.
Jochen
> PasswordAuthentifikation
> ------------------------
>
> Key: SSHD-473
> URL: https://issues.apache.org/jira/browse/SSHD-473
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 0.14.0
> Environment: Windows 7, Java 8, Eclipse JUNO
> Reporter: Jochen Seliger
> Priority: Critical
> Attachments: SSHDPasswordAuthenticator.java, SSH_SERVER.java
>
>
> I run the sshd and the ssh client both on the windos mashine.
> The sshd I start on port 8000 and with password authentificator ans an own
> atthenicator class, which shall shoe a messagebox when envoced.
> The client I start aftercreating it as SshClient.setUpDefaultClient();
> without stting any factury with the statement ClientSession session =
> client.connect("Jochen","192.168.100.13",8000).await().getSession(); (Jochen
> is an existing user on the mashine).
> But till shellChannel I can proceed only when setting after session creation
> session.addPasswordIdentity("Jochen"); (it is tha same user as provided at
> session creation)
> There is no functionality to set the password.
> The method authPassword is depreciated.
> 1. My first question: How to proceed th use PasswordAuthentification?
> As stated I can proceesd til ssh-Shell, but the server is logging at a first
> run an autentification failure and at a second run authentification success:
> Mai 22, 2015 12:14:21 PM org.apache.sshd.client.session.ClientSessionImpl
> readIdentification
> INFORMATION: Server version string: SSH-2.0-SSHD-CORE-0.14.0
> Mai 22, 2015 12:14:22 PM
> org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier verifyServerKey
> WARNUNG: Server at /192.168.100.13:8000 presented unverified DSA key:
> e4:76:f3:c2:15:64:7f:e4:5f:b7:86:35:a5:3e:85:35
> Mai 22, 2015 12:14:22 PM org.apache.sshd.common.session.AbstractSession
> doHandleMessage
> INFORMATION: Dequeing pending packets
> Mai 22, 2015 12:14:22 PM
> org.apache.sshd.client.session.ClientUserAuthServiceNew processUserAuth
> INFORMATION: Received SSH_MSG_USERAUTH_FAILURE
> Mai 22, 2015 12:14:22 PM
> org.apache.sshd.client.auth.UserAuthKeyboardInteractive process
> INFORMATION: Received Password authentication en-US
> Mai 22, 2015 12:14:22 PM
> org.apache.sshd.client.session.ClientUserAuthServiceNew processUserAuth
> INFORMATION: Received SSH_MSG_USERAUTH_SUCCESS
> ShellChannell opened
> Microsoft Windows [Version 6.0.6001]
> Copyright (c) 2006 Microsoft Corporation. Alle Rechte vorbehalten.
> C:\Users\Jochen\workspace\USF_SSH_WS>
> allthoug I did not provide an password.
> 2. Why thes two runs are processed?
> 3. Why the first run fails and the second one succedes?
> 4. How to proceede to get a functioning password and keypair authentication?
> Regards
> Jochen Seliger
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
