[
https://issues.apache.org/jira/browse/SSHD-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17741544#comment-17741544
]
Tobias Gierke commented on SSHD-1329:
-------------------------------------
This question leads to
org.apache.sshd.client.session.AbstractClientSession#getKeyIdentityProvider
2.10.0
getKeyIdentityProvider() is being called with "keyIdentityProvider" being the
"EMPTY" provider
and since resolveEffectiveProvider is just checking for NULL but not the
"EMPTY" provider, it returns the "EMPTY" provider.
2.9.2
When getKeyIdentityProvider() is being called, the "keyIdentityProvider" field
is set to NULL (not the "EMPTY" provider as in 2.10.0) so
resolveEffectiveProvider() returns the "inherited" argument which happens to be
the org.apache.sshd.common.keyprovider.FileKeyPairProvider that's gone missing
in 2.10.0
> SSH Public key authentication works with 2.9.2 but fails with 2.10.0
> --------------------------------------------------------------------
>
> Key: SSHD-1329
> URL: https://issues.apache.org/jira/browse/SSHD-1329
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.10.0
> Reporter: Tobias Gierke
> Priority: Major
> Attachments: failure_2.10.0.log, image-2023-06-26-17-10-43-547.png,
> image-2023-07-10-11-16-03-470.png, image-2023-07-10-11-31-54-206.png,
> image-2023-07-10-11-48-25-736.png, image-2023-07-10-11-54-05-391.png,
> image-2023-07-10-11-56-35-508.png, image-2023-07-10-12-04-00-532.png,
> image-2023-07-10-12-08-39-123.png, image-2023-07-10-12-12-02-825.png,
> image-2023-07-10-12-24-22-392.png, image-2023-07-10-12-25-51-220.png,
> image-2023-07-10-12-28-40-339.png, image-2023-07-10-12-38-23-160.png,
> image-2023-07-10-12-39-26-768.png, image-2023-07-10-12-40-44-093.png,
> image-2023-07-10-12-43-11-445.png, sshd-bug-test.tgz, success_2.9.2.log
>
>
> After upgrading to Apache SSHD 2.10.0 we noticed that SSH public key
> authentication stopped working.
> On 2.9.2 the handshake looks like this:
> {code:java}
> 2023-06-19T13:12:18,405 [sshd-SshClient[1255b1d1]-nio2-thread-4|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> processUserAuth(ClientSessionImpl[[email protected]/192.168.188.250:22]
> ) Received SSH_MSG_USERAUTH_FAILURE - partial=false,
> methods=publickey,gssapi-keyex,gssapi-with-mic,password
> 2023-06-19T13:12:18,405 [sshd-SshClient[1255b1d1]-nio2-thread-4|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> tryNext(ClientSessionImpl[[email protected]/192.168.188.250:22])
> starting authentication mechanisms: client=[publickey, keyboard-interactive,
> password], server=[publickey, gssapi-keyex, gssapi-with-mic, password]
> 2023-06-19T13:12:18,405 [sshd-SshClient[1255b1d1]-nio2-thread-4|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> tryNext(ClientSessionImpl[[email protected]/192.168.188.250:22])
> attempting method=publickey
> 2023-06-19T13:12:18,416 [sshd-SshClient[1255b1d1]-nio2-thread-4|] TRACE
> org.apache.sshd.common.config.keys.loader.pem.RSAPEMResourceKeyPairParser []
> - -----BEGIN RSA PRIVATE KEY----- [chunk #1](16/609)
> 30:82:02:5d:02:01:00:02:81:81:00:c1:a3:3a:25:23 0..].........:%#
> ..... {code}
> while on 2.10.0 the key is not found/loaded:
> {code:java}
> 2023-06-19T13:13:41,529 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.session.ClientSessionImpl [] -
> doHandleMessage(ClientSessionImpl[[email protected]/192.168.188.250:22])
> process #5 SSH_MSG_USERAUTH_FAILURE
> 2023-06-19T13:13:41,529 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> processUserAuth(ClientSessionImpl[[email protected]/192.168.188.250:22])
> Received SSH_MSG_USERAUTH_FAILURE - partial=false,
> methods=publickey,gssapi-keyex,gssapi-with-mic,password
> 2023-06-19T13:13:41,529 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> tryNext(ClientSessionImpl[[email protected]/192.168.188.250:22])
> starting authentication mechanisms: client=[publickey, keyboard-interactive,
> password], server=[publickey, gssapi-keyex, gssapi-with-mic, password]
> 2023-06-19T13:13:41,530 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> tryNext(ClientSessionImpl[[email protected]/192.168.188.250:22])
> attempting method=publickey
> 2023-06-19T13:13:41,532 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.auth.pubkey.UserAuthPublicKey [] -
> resolveAttemptedPublicKeyIdentity(ClientSessionImpl[[email protected]/192.168.188.250:22])[ssh-connection]
> no more keys to send
> 2023-06-19T13:13:41,532 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> tryNext(ClientSessionImpl[[email protected]/192.168.188.250:22]) no
> initial request sent by method=publickey
> 2023-06-19T13:13:41,532 [sshd-SshClient[495083a0]-nio2-thread-6|] TRACE
> org.apache.sshd.client.auth.pubkey.UserAuthPublicKey [] -
> releaseKeys(ClientSessionImpl[[email protected]/192.168.188.250:22])
> closing
> UserAuthPublicKeyIterator[ClientSessionImpl[[email protected]/192.168.188.250:22]]
> 2023-06-19T13:13:41,532 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.auth.pubkey.UserAuthPublicKey [] -
> destroy(ClientSessionImpl[[email protected]/192.168.188.250:22])[ssh-connection]
> 2023-06-19T13:13:41,533 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> tryNext(ClientSessionImpl[[email protected]/192.168.188.250:22])
> attempting method=password
> 2023-06-19T13:13:41,534 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.auth.password.UserAuthPassword [] -
> resolveAttemptedPassword(ClientSessionImpl[[email protected]/192.168.188.250:22])[ssh-connection]
> no more passwords to send
> 2023-06-19T13:13:41,534 [sshd-SshClient[495083a0]-nio2-thread-6|] DEBUG
> org.apache.sshd.client.session.ClientUserAuthService [] -
> tryNext(ClientSessionImpl[[email protected]/192.168.188.250:22]) no
> initial request sent by method=password {code}
> I've attached a Maven project that contains an almost-self-contained unit
> test that showcases the behaviour. For the test to work you'll need
> - to have some SSH server up & running
> - put the test's SSH public key (from src/test/resources/test_ssh_key.pub)
> into an authorized_keys file on the server
> - Adjust the test source code to use the right server name and user name (I
> used root)
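The null-versus-"EMPTY" fallback described in the comment above, modelled as an added Java example that is not part of the original message and is not MINA SSHD source code. `KeyProvider`, `resolveNullOnly`, `resolveSentinelAware`, `keysOrFail` and the sample key name are assumptions made for illustration.

```java
import java.util.List;

// Simplified model of the lookup described in the comment. The type and method
// names are stand-ins chosen for this example, not MINA SSHD's own classes.
public class ProviderFallbackDemo {
    interface KeyProvider {
        List<String> loadKeys();
    }

    // Sentinel "no keys" provider, playing the role of the "EMPTY" provider.
    static final KeyProvider EMPTY = () -> List.of();

    // Null-only check: any non-null value, including EMPTY, wins over "inherited".
    static KeyProvider resolveNullOnly(KeyProvider preferred, KeyProvider inherited) {
        return preferred != null ? preferred : inherited;
    }

    // Sentinel-aware variant: EMPTY is treated the same as "not configured".
    static KeyProvider resolveSentinelAware(KeyProvider preferred, KeyProvider inherited) {
        return (preferred == null || preferred == EMPTY) ? inherited : preferred;
    }

    // Fail fast instead of silently offering zero keys for publickey auth.
    static List<String> keysOrFail(KeyProvider provider) {
        List<String> keys = provider == null ? List.of() : provider.loadKeys();
        if (keys.isEmpty()) {
            throw new IllegalStateException("no key identities resolved for publickey auth");
        }
        return keys;
    }

    public static void main(String[] args) {
        // Constructed sample: client-level provider that knows the key file.
        KeyProvider inherited = () -> List.of("test_ssh_key");

        // Session field is null: falls back to the inherited provider.
        System.out.println(resolveNullOnly(null, inherited).loadKeys());
        // Session field holds EMPTY: returned as-is, so there are no keys to send.
        System.out.println(resolveNullOnly(EMPTY, inherited).loadKeys());
        // Sentinel-aware resolution restores the fallback.
        System.out.println(resolveSentinelAware(EMPTY, inherited).loadKeys());

        try {
            keysOrFail(resolveNullOnly(EMPTY, inherited));
        } catch (IllegalStateException e) {
            System.out.println("detected: " + e.getMessage());
        }
    }
}
```

The fail-fast check makes an empty identity set visible at the call site, rather than only as a "no more keys to send" DEBUG line followed by a fall-through to the next authentication method.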