[ https://issues.apache.org/jira/browse/SSHD-984?focusedWorklogId=429966&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-429966 ]

ASF GitHub Bot logged work on SSHD-984:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/May/20 17:45
            Start Date: 03/May/20 17:45
    Worklog Time Spent: 10m 
      Work Description: tomaswolf commented on pull request #128:
URL: https://github.com/apache/mina-sshd/pull/128#issuecomment-623151079


   Re char[] vs String: at least I can clear a char[] once the password isn't 
needed anymore. With a String I cannot do so, and sensitive data (the 
user-entered passphrase) can survive in memory for unspecified amounts of time, 
which some people consider a security risk.  If I were to write some ssh-keygen 
clone in Java, I might use Console.readPassword() to get the passphrase from 
the user and have char[] throughout. But I won't insist; if you prefer String, 
we can also drop this.
   
   Re: API using SecureByteArrayOutputStream: again, limit leaking sensitive 
data (especially when one writes an unencrypted private key). Forces a user to 
use a mechanism to write keys to files as shown in the test: once the file is 
written, the byte array is cleared. (And the test doesn't use a buffered stream 
but a Channel directly.) With a general OutputStream it might be a tad simpler 
to write a key to a file, but one has no control over the various buffers 
involved. But again, feel free to change this to plain OutputStream, maybe with 
a recommendation in the javadoc to use some secure stream.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 429966)
    Time Spent: 1h  (was: 50m)

> Utility method to export KeyPair in OpenSSH format
> --------------------------------------------------
>
>                 Key: SSHD-984
>                 URL: https://issues.apache.org/jira/browse/SSHD-984
>             Project: MINA SSHD
>          Issue Type: New Feature
>    Affects Versions: 2.4.0
>            Reporter: David Ostrovsky
>            Priority: Minor
>         Attachments: sshd_key_writing.zip
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> There are ongoing efforts in Gerrit Code Review and JGit projects to remove 
> dependency on JSch library: [1], [2]. Instead, MINA SSHD should be used on 
> both: client and server sides.
> One difficulty we are facing is the fact that MINA SSHD currently doesn't 
> provide any means to export generated KeyPair in OpenSSH format.
> Thomas Wolf added recently the ability to read encrypted OpenSSH private keys 
> in context of SSHD-708.
> With JSch this code would do the job:
> {code:java}
>   public static com.jcraft.jsch.KeyPair genSshKey() throws JSchException {
>     JSch jsch = new JSch();
>     return KeyPair.genKeyPair(jsch, KeyPair.ECDSA, 256);
>   }
>   public static String publicKey(com.jcraft.jsch.KeyPair sshKey, @Nullable String comment)
>       throws UnsupportedEncodingException {
>     ByteArrayOutputStream out = new ByteArrayOutputStream();
>     sshKey.writePublicKey(out, comment);
>     return out.toString(US_ASCII.name()).trim();
>   }
>   public static byte[] privateKey(com.jcraft.jsch.KeyPair keyPair) {
>     ByteArrayOutputStream out = new ByteArrayOutputStream();
>     keyPair.writePrivateKey(out);
>     return out.toByteArray();
>   }
> {code}
> [1] [https://bugs.eclipse.org/bugs/show_bug.cgi?id=540727]
>  [2] [https://bugs.chromium.org/p/gerrit/issues/detail?id=12599]
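The two points in the comment above (a clearable `char[]` passphrase, and wiping the byte buffer once the key has been written through a channel) can be seen together in the following added example, which is not code from the pull request or from MINA SSHD. `ZeroingByteArrayOutputStream`, the sample passphrase and the stand-in key bytes are hypothetical and constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.channels.FileChannel;
import java.nio.channels.WritableByteChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;

public class ClearAfterWrite {
    /** Hypothetical helper: hands its buffer to a channel without copying, zeroes it on close. */
    static final class ZeroingByteArrayOutputStream extends ByteArrayOutputStream {
        // Presize: when the buffer has to grow, the old array is abandoned uncleared.
        ZeroingByteArrayOutputStream(int size) { super(size); }

        void writeTo(WritableByteChannel ch) throws IOException {
            ByteBuffer view = ByteBuffer.wrap(buf, 0, count); // avoids the toByteArray() copy
            while (view.hasRemaining()) ch.write(view);
        }

        @Override public void close() { Arrays.fill(buf, (byte) 0); reset(); }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample; interactively this would come from System.console().readPassword().
        char[] passphrase = {'c', 'o', 'r', 'r', 'e', 'c', 't'};
        // Encode without going through String, so the encoded form can be wiped as well.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(passphrase));
        byte[] keyBytes = {0x01, 0x02, 0x03, 0x04};           // constructed stand-in, not a real key
        Path target = Files.createTempFile("demo-key", ".tmp");
        try (ZeroingByteArrayOutputStream out = new ZeroingByteArrayOutputStream(256);
             FileChannel ch = FileChannel.open(target, StandardOpenOption.WRITE)) {
            out.write(keyBytes, 0, keyBytes.length);           // where a key writer would serialize
            out.writeTo(ch);                                   // straight to the channel, no buffered stream
        } finally {
            // Wipe every copy this code controls: passphrase chars, encoded bytes, key bytes.
            Arrays.fill(passphrase, '\0');
            if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0);
            Arrays.fill(keyBytes, (byte) 0);
            Files.deleteIfExists(target);                      // demo cleanup only
        }
        System.out.println("passphrase cleared: " + (passphrase[0] == '\0'));
    }
}
```

By contrast, the `privateKey` method in the quoted JSch snippet returns `out.toByteArray()`, which leaves a second copy of the key in the stream's internal buffer that the caller cannot reach to clear.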


