[ 
https://issues.apache.org/jira/browse/SSHD-850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16653046#comment-16653046
 ] 

Thomas Wolf commented on SSHD-850:
----------------------------------

I know the two are different, and one (keyboard-interactive auth) is handled 
fine by sshd. The other (passphrases for encrypted private keys) isn't.

Your proposed work-around for the missing functionality (implement my own 
{{KeyPairProvider}} that does this) implies that this special 
{{KeyPairProvider}} cannot use {{SecurityUtils.loadKeyPairIdentity()}}. It even 
looks like I'd have to implement a whole separate hierarchy of 
{{KeyPairResourceParser}}s just to get something that in {{extractKeyPairs}} 
loops the required number of times, since outside of that it is not known 
whether a failure to read a key was due to a wrong password or some other 
problem. It also looks to me that I'd need a stateful {{FilePasswordProvider}} 
that remembers if it had been called at all for the key so that I can query it 
– if it hasn't even been called by the key parser, the key wasn't encrypted (or 
had a problem before we even got to decrypting it) and re-trying would be 
futile. (Outside of {{extractKeyPairs}} it isn't even known whether the key is 
encrypted at all.)

The fact that I'd have to side-step or re-implement quite a lot of the sshd 
default behavior is to me an indication that something is missing here in sshd.

> sshd client; encrypted private key identity file: FilePasswordProvider called 
> only once; should be called NumberOfPasswordPrompts times
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SSHD-850
>                 URL: https://issues.apache.org/jira/browse/SSHD-850
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>            Reporter: Thomas Wolf
>            Priority: Minor
>
> In openssh, the ssh config entry NumberOfPasswordPrompts controls the number 
> of times the ssh client keeps asking for a password if the one entered was 
> invalid in two cases:
>  # keyboard-interactive authentication, and
>  # asking for passwords for encrypted private keys in identity files in 
> pubkey authentication (see [openssh sources; 
> sshconnect2.c|https://github.com/openssh/openssh-portable/blob/1a4a9cf/sshconnect2.c#L1380]).
> sshd-core only has support for (1) through setting the property 
> {{ClientAuthenticationManager.PASSWORD_PROMPTS}} in the session's properties.
> There doesn't seem to be any support for FilePasswordProvider to make it 
> respect this value.
> {{AbstractPEMResourceKeyPairParser.extractKeyPairs()}} and also 
> {{BouncyCastleKeyPairResourceParser.loadKeyPair()}} call 
> {{FilePasswordProvider.getPassword()}} exactly once.
> So how can I write a ssh client using sshd that asks the user 
> NumberOfPasswordPrompts times? Either I'm missing something, or there is some 
> support for this missing in sshd.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
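The work-around the comment describes (a custom KeyPairProvider that re-reads an encrypted identity up to NumberOfPasswordPrompts times, driven by a stateful FilePasswordProvider that remembers whether it was ever asked), written out as an added illustration. This is not code from MINA SSHD or from the commenter. It assumes the sshd-core 2.0.0 signatures FilePasswordProvider.getPassword(String), SecurityUtils.loadKeyPairIdentity(String, InputStream, FilePasswordProvider) and KeyPairProvider.loadKeys(), and reads the retry count from ClientAuthenticationManager.PASSWORD_PROMPTS via PropertyResolverUtils; the class names RetryingKeyPairProvider and CountingPasswordProvider and the prompt callback are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

import org.apache.sshd.client.ClientAuthenticationManager;
import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.PropertyResolverUtils;
import org.apache.sshd.common.config.keys.FilePasswordProvider;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.util.security.SecurityUtils;

/**
 * Hypothetical work-around for SSHD-850 on sshd-core 2.0.0: an identity file whose
 * passphrase was rejected is re-read, re-prompting, up to NumberOfPasswordPrompts times.
 */
public class RetryingKeyPairProvider implements KeyPairProvider {

    /** Stateful wrapper: records whether the key parser asked for a passphrase at all. */
    static final class CountingPasswordProvider implements FilePasswordProvider {
        private final Function<String, String> prompt; // resourceKey -> passphrase, null = user cancelled
        private boolean called;
        private boolean cancelled;

        CountingPasswordProvider(Function<String, String> prompt) { this.prompt = prompt; }

        void reset() { called = false; cancelled = false; }
        boolean wasCalled() { return called; }
        boolean wasCancelled() { return cancelled; }

        @Override
        public String getPassword(String resourceKey) throws IOException {
            called = true;                      // the parser reached the decryption step
            String pw = prompt.apply(resourceKey);
            cancelled = (pw == null);
            return pw;
        }
    }

    private final List<Path> identities;
    private final Function<String, String> prompt;
    private final int maxPrompts;

    public RetryingKeyPairProvider(List<Path> identities, Function<String, String> prompt, int maxPrompts) {
        this.identities = identities;
        this.prompt = prompt;
        this.maxPrompts = Math.max(1, maxPrompts);
    }

    /** Loads one identity, re-prompting at most maxPrompts times; throws if it cannot be loaded. */
    KeyPair loadWithRetry(Path identity) throws IOException {
        CountingPasswordProvider provider = new CountingPasswordProvider(prompt);
        String resourceKey = identity.toString();
        IOException last = null;
        for (int attempt = 1; attempt <= maxPrompts; attempt++) {
            provider.reset();
            try (InputStream in = Files.newInputStream(identity)) {
                return SecurityUtils.loadKeyPairIdentity(resourceKey, in, provider);
            } catch (IOException | GeneralSecurityException e) {
                // Outside extractKeyPairs a wrong passphrase is indistinguishable from any other
                // decode failure. The only usable signal is whether a passphrase was requested:
                // if it was not, the file is unencrypted or broke before decryption, so retrying is futile.
                last = (e instanceof IOException) ? (IOException) e
                        : new IOException("cannot load identity " + resourceKey, e);
                if (!provider.wasCalled() || provider.wasCancelled()) {
                    throw last;
                }
            }
        }
        throw new IOException("passphrase rejected " + maxPrompts + " times for " + resourceKey, last);
    }

    @Override
    public Iterable<KeyPair> loadKeys() {
        List<KeyPair> keys = new ArrayList<>();
        for (Path p : identities) {
            try {
                keys.add(loadWithRetry(p));
            } catch (IOException e) {
                // Skip an identity that cannot be loaded; log it in a real client.
            }
        }
        return keys;
    }

    /** Wires the provider into a client, reusing the prompt count sshd already applies to keyboard-interactive. */
    public static RetryingKeyPairProvider install(SshClient client, List<Path> identities,
                                                  Function<String, String> prompt) {
        int prompts = PropertyResolverUtils.getIntProperty(client,
                ClientAuthenticationManager.PASSWORD_PROMPTS,
                ClientAuthenticationManager.DEFAULT_PASSWORD_PROMPTS);
        RetryingKeyPairProvider kp = new RetryingKeyPairProvider(identities, prompt, prompts);
        client.setKeyPairProvider(kp);
        return kp;
    }
}
```

Two points worth keeping in mind with this shape: loadKeys() is invoked by sshd when a session needs identities, so without caching the user is prompted again for every new session, and the "was the provider called" heuristic still cannot tell a wrong passphrase from a corrupted ciphertext or an unsupported cipher, which is exactly the limitation the comment raises.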
