Here is how the code should work (there are other options but this is the
simplest):
SshClient client = SshClient.setupDefaultClient();
client.set... - override if needed some defaults
try (ClientSession session = client.connect(user, host,
port).verify(...timeout...).getSession()) {
session.addPasswordIdentity(...password...);
or
session.addPublicKeyIdentity(...keypair...);
session.auth().verify(...timeout...);
...session is ready to be used...
}
________________________________
From: matthew.w.pi...@wellsfargo.com <matthew.w.pi...@wellsfargo.com>
Sent: Monday, August 29, 2016 7:48 PM
To: dev@mina.apache.org
Subject: RE: SSHD v1.2.0 client sending SSH_MSG_USERAUTH_REQUEST packet as
service name 'ssh-connection'?
More of my own discoveries...
I can confirm that by simply applying my authentication credentials at the
SshClient-level rather than the session level that the login and session
execute normally. So, why does sendInitialServiceRequest seem to prevent
session-level authentication from working on these devices?
Thanks
-matt
-----Original Message-----
From: matthew.w.pi...@wellsfargo.com [mailto:matthew.w.pi...@wellsfargo.com]
Sent: Monday, August 29, 2016 11:15 AM
To: dev@mina.apache.org
Subject: RE: SSHD v1.2.0 client sending SSH_MSG_USERAUTH_REQUEST packet as
service name 'ssh-connection'?
Ok, adding some context here as I may be getting closer to this problem...
So the log/exception in [1] seems to indicate to me that the client/server
are indeed starting the auth exchange properly. However, it seems as though
this exchange is *starting* prior to calling session.auth() so there is no
AuthFuture present. This seems to initiate from ClientSession's override of
#sendSessionEvent where it calls #sendInitialServiceRequest for
KeyEstablished events.
Could this be because I am specifying my authentication at the session level
rather than the client level? So, it's as if the Kex and initial service
request happen so fast, that my code hasn't called session#auth. Is this
possible and/or normal?
[1]
10:48:14.401 [sshd-SshClient[33a630fa]-nio2-thread-9] DEBUG
o.a.s.c.session.ClientSessionImpl -
sendInitialServiceRequest(ClientSessionImpl[xxxxx@/1.2.3.4:22]) Send
SSH_MSG_SERVICE_REQUEST for ssh-userauth
10:48:14.402 [sshd-SshClient[33a630fa]-nio2-thread-9] DEBUG
o.a.sshd.common.io.nio2.Nio2Session - Writing 68 bytes
10:48:14.402 [sshd-SshClient[33a630fa]-nio2-thread-2] DEBUG
o.a.sshd.common.io.nio2.Nio2Session -
handleCompletedWriteCycle(Nio2Session[local=/0:0:0:0:0:0:0:0:51883,
remote=/1.2.3.4:22]) finished writing len=68
10:48:14.474 [sshd-SshClient[33a630fa]-nio2-thread-1] DEBUG
o.a.sshd.common.io.nio2.Nio2Session -
handleReadCycleCompletion(Nio2Session[local=/0:0:0:0:0:0:0:0:51883,
remote=/1.2.3.4:22]) read 52 bytes
10:48:14.475 [sshd-SshClient[33a630fa]-nio2-thread-1] DEBUG
o.a.s.c.session.ClientSessionImpl -
handleServiceAccept(ClientSessionImpl[xxxxx@/1.2.3.4:22])
SSH_MSG_SERVICE_ACCEPT service=ssh-userauth
10:48:14.475 [sshd-SshClient[33a630fa]-nio2-thread-3] DEBUG
o.a.sshd.common.io.nio2.Nio2Session -
handleReadCycleCompletion(Nio2Session[local=/0:0:0:0:0:0:0:0:51883,
remote=/1.2.3.4:22]) read 196 bytes
10:48:14.476 [sshd-SshClient[33a630fa]-nio2-thread-3] DEBUG
o.a.sshd.common.io.nio2.Nio2Session -
exceptionCaught(Nio2Session[local=/0:0:0:0:0:0:0:0:51883,
remote=/1.2.3.4:22]) caught IllegalArgumentException[No current future] -
calling handler
10:48:14.477 [sshd-SshClient[33a630fa]-nio2-thread-3] DEBUG
o.a.s.c.session.ClientSessionImpl -
signalAuthFailure(ClientSessionImpl[xxxxx@/1.2.3.4:22])
type=IllegalArgumentException, signalled=false, message="No current future"
10:48:14.477 [sshd-SshClient[33a630fa]-nio2-thread-3] WARN
o.a.s.c.session.ClientSessionImpl -
exceptionCaught(ClientSessionImpl[xxxxx@/1.2.3.4:22])[state=Opened]
IllegalArgumentException: No current future
10:48:14.483 [sshd-SshClient[33a630fa]-nio2-thread-3] DEBUG
o.a.s.c.session.ClientSessionImpl -
exceptionCaught(ClientSessionImpl[xxxxx@/1.2.3.4:22])[state=Opened] details
java.lang.IllegalArgumentException: No current future
at
org.apache.sshd.common.util.ValidateUtils.throwIllegalArgumentException(Vali
dateUtils.java:138) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.util.ValidateUtils.checkTrue(ValidateUtils.java:115)
~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.util.ValidateUtils.checkNotNull(ValidateUtils.java:34
) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthS
ervice.java:167) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(Abstr
actSession.java:530) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(Abstrac
tSession.java:463) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSessio
n.java:1325) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(Abstr
actSession.java:424) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageRecei
ved(AbstractSessionIoHandler.java:67) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Ses
sion.java:285) ~[sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.io.nio2.Nio2Session$2.onCompleted(Nio2Session.java:26
5) [sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.io.nio2.Nio2Session$2.onCompleted(Nio2Session.java:26
2) [sshd-core-1.2.0.jar:1.2.0]
at
org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHan
dler.java:37) [sshd-core-1.2.0.jar:1.2.0]
at java.security.AccessController.doPrivileged(Native Method)
[na:1.8.0_92]
at
org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2Completio
nHandler.java:34) [sshd-core-1.2.0.jar:1.2.0]
at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
[na:1.8.0_92]
at sun.nio.ch.Invoker$2.run(Invoker.java:218) [na:1.8.0_92]
at
sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.j
ava:112) [na:1.8.0_92]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11
42) [na:1.8.0_92]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6
17) [na:1.8.0_92]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_92]
10:48:14.484 [sshd-SshClient[33a630fa]-nio2-thread-3] DEBUG
o.a.s.c.s.h.SessionTimeoutListener -
sessionException(ClientSessionImpl[xxxxx@/1.2.3.4:22])
IllegalArgumentException: No current future
10:48:14.484 [sshd-SshClient[33a630fa]-nio2-thread-3] DEBUG
o.a.s.c.s.h.SessionTimeoutListener -
sessionClosed(ClientSessionImpl[xxxxx@/1.2.3.4:22]) un-tracked
10:48:14.484 [sshd-SshClient[33a630fa]-nio2-thread-3] DEBUG
o.a.s.c.session.ClientSessionImpl -
close(ClientSessionImpl[xxxxx@/1.2.3.4:22]) Closing immediately
-----Original Message-----
From: matthew.w.pi...@wellsfargo.com [mailto:matthew.w.pi...@wellsfargo.com]
Sent: Monday, August 29, 2016 8:16 AM
To: dev@mina.apache.org
Subject: SSHD v1.2.0 client sending SSH_MSG_USERAUTH_REQUEST packet as
service name 'ssh-connection'?
I am testing sshd 1.2.0 against a bunch of devices that we are currently
accessing just fine using version 0.8.0. I'm running into problems during
the authentication phase when logging into Cisco ASA devices. I am seeing
logs like [1] which appear to indicate that the SSHD library is sending the
SSH_MSG_USERAUTH_REQEUST packet under the 'ssh-connection' service name
which I would expect to see as 'ssh-userauth'. I'm no SSH expert so I may
not understand this correctly, but the ASA devices simply don't respond to
this packet/request and my session login eventually times-out.
When testing the same device with v0.8.0 I see that the login process seems
to jump straight to 'ssh-userauth' after key exchange as indicated by the
logs at [2]. This works fine with the devices and the session executes
normally.
Any ideas here? Is it OK for SSH_MSG_USERAUTH_REQUEST packets to be sent
with service name 'ssh-connection'?
If this is normal, is there a way to work with devices that don't seem to
respond to these packets?
Thanks in advance for any help you can give on this.
[1]
07:51:08.022 [main] DEBUG o.a.s.c.s.ClientUserAuthService -
auth(ClientSessionImpl[xxxx@1.2.3.4:22])[ssh-connection] send
SSH_MSG_USERAUTH_REQUEST for 'none'
[2]
07:43:54.266 [NioProcessor-2] INFO o.a.s.c.session.ClientSessionImpl -
Received SSH_MSG_NEWKEYS
07:43:54.277 [NioProcessor-2] INFO o.a.s.c.session.ClientSessionImpl - Send
SSH_MSG_SERVICE_REQUEST for ssh-userauth
07:43:54.490 [NioProcessor-2] DEBUG o.a.s.c.session.ClientSessionImpl -
Received packet SSH_MSG_SERVICE_ACCEPT
Matthew Pitts
Developer
Security Solutions Design & Automation
Wells Fargo Bank | Tel 336.608.3332 | Cell 336.202.3913 | Kernersville, NC |
MAC D9693-010
matthew.w.pi...@wellsfargo.com
