[GitHub] [mina-sshd] wh0 opened a new pull request #107: Record which AuthorizedKeyEntry is used to authenticate

2019-10-06 Thread GitBox
wh0 opened a new pull request #107: Record which AuthorizedKeyEntry is used to 
authenticate
URL: https://github.com/apache/mina-sshd/pull/107
 
 
This adds a new class, `AuthorizedKeyEntriesPublickeyAuthenticator`, based on 
the existing `KeySetPublickeyAuthenticator` and `resolvePublicKeyEntries`. 
It provides enhanced functionality over these existing routines by remembering 
the `AuthorizedKeyEntry`s, where the previous functionality discards everything 
but the public key. This class records the matching entry into the session, as 
an attribute, which will enable custom session functionality to make decisions 
based on the `AuthorizedKeyEntry`'s options.

This changes `PublickeyAuthenticator.fromAuthorizedEntries` to create an 
`AuthorizedKeyEntriesPublickeyAuthenticator` instead of a 
`KeySetPublickeyAuthenticator`. This will affect `AuthorizedKeysAuthenticator`, 
which uses `PublickeyAuthenticator.fromAuthorizedEntries`.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

-
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
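The entry-recording idea behind this PR, as an added Python example that is not mina-sshd code: it parses OpenSSH authorized_keys lines into entries that keep their options (the part `KeySetPublickeyAuthenticator` throws away), matches a presented key against them, stores the matching entry in a session attribute map, and then lets one option (`from=`) drive an authorization decision against the client address. The key blobs in the sample file are constructed placeholders, `MATCHED_ENTRY_ATTR` and all class and function names are this example's own, and the signature proof-of-possession that precedes the lookup in a real server is assumed to have already succeeded.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Key types accepted in this illustration; a first token that is not one of
# these is taken to be the options field.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample authorized_keys content; the key blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real key file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0001 alice@laptop
from="10.0.0.0/8,!10.0.0.5",command="/usr/local/bin/backup --run",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEY0002 backup-job
restrict,permitopen="db.internal:5432" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEY0003 tunnel-only
"""


@dataclass(frozen=True)
class AuthorizedKeyEntry:
    key_type: str
    key_data: str                       # base64 blob exactly as written in the file
    comment: str = ""
    options: Dict[str, Optional[str]] = field(default_factory=dict)


def _split_options(text: str) -> Dict[str, Optional[str]]:
    """Split a comma-separated options field, keeping commas and spaces inside
    double quotes together and honouring backslash escapes inside quotes."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == '"':
            in_quotes = not in_quotes
        elif c == "\\" and in_quotes and i + 1 < len(text):
            i += 1
            buf.append(text[i])
        elif c == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in options field")
    parts.append("".join(buf))
    options: Dict[str, Optional[str]] = {}
    for part in parts:
        if part:
            name, sep, value = part.partition("=")
            options[name.lower()] = value if sep else None   # flag options carry no value
    return options


def parse_authorized_key_line(line: str) -> Optional[AuthorizedKeyEntry]:
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_text = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        # The options field ends at the first whitespace outside double quotes.
        in_quotes, i = False, 0
        while i < len(line) and (in_quotes or not line[i].isspace()):
            if line[i] == '"':
                in_quotes = not in_quotes
            elif line[i] == "\\" and in_quotes:
                i += 1
            i += 1
        options_text, line = line[:i], line[i:].lstrip()
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"malformed authorized_keys line: {line[:40]!r}")
    comment = fields[2] if len(fields) == 3 else ""
    return AuthorizedKeyEntry(fields[0], fields[1], comment, _split_options(options_text))


def load_entries(text: str) -> List[AuthorizedKeyEntry]:
    return [e for e in map(parse_authorized_key_line, text.splitlines()) if e]


class RecordingPublickeyAuthenticator:
    """Accept a presented key only if an entry matches, and record that entry on
    the session so later policy can consult its options."""
    MATCHED_ENTRY_ATTR = "authorized_key_entry"   # hypothetical attribute name

    def __init__(self, entries: List[AuthorizedKeyEntry]):
        self._entries = list(entries)

    def authenticate(self, session: dict, key_type: str, key_data: str) -> bool:
        # First matching entry wins, as OpenSSH does when a key is listed twice.
        for entry in self._entries:
            if entry.key_type == key_type and entry.key_data == key_data:
                session[self.MATCHED_ENTRY_ATTR] = entry
                return True
        return False


def client_allowed_by_from(entry: AuthorizedKeyEntry, client_ip: str) -> bool:
    """Evaluate a from= option limited to address/CIDR patterns: any matching
    negated ('!') pattern denies; otherwise some positive pattern must match."""
    spec = entry.options.get("from")
    if spec is None:
        return True                       # entry carries no from= restriction
    addr = ipaddress.ip_address(client_ip)
    allowed = False
    for pattern in spec.split(","):
        negate = pattern.startswith("!")
        if addr in ipaddress.ip_network(pattern.lstrip("!"), strict=False):
            if negate:
                return False
            allowed = True
    return allowed
```

Because the matched entry, not just its key, survives into the session, the `from=`, `command=` and `restrict` options of the second and third sample lines remain available to whatever runs after authentication; a key-set lookup would have reduced all three lines to bare public keys.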



[jira] [Commented] (SSHD-945) DSA 2048 public key authentication fails

2019-10-06 Thread Lyor Goldstein (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16945387#comment-16945387
 ] 

Lyor Goldstein commented on SSHD-945:

I figured this might be the problem but just wanted to make sure. Seems that 
the solution would be to implement the same "wrong" signature using SHA1 on 
2048 bit keys even though it is not recommended by the security community.

> DSA 2048 public key authentication fails
>
> Key: SSHD-945
> URL: https://issues.apache.org/jira/browse/SSHD-945
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.1.0
> Reporter: Logan
> Priority: Major
> Attachments: DSAKeyTests.java, maverick_id_dsa
>
> While RSA 1024, 2048 and DSA 1024 keys succeed, DSA 2048 fails with error 
> trace listed below. I am trying to figure out if the issue is related to DSA 
> keys generated by JDK or apache SSHD. Attached is the test case. 
>  
> Tests with JSch API also fail with DSA 2048 keys.
>  
> Error trace:
> {code:java}
> org.apache.sshd.common.SshException: No more authentication methods available
> org.apache.sshd.common.SshException: No more authentication methods available
>     at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:318)
>     at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:254)
>     at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:201)
>     at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:626)
>     at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:559)
>     at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1542)
>     at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:520)
>     at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:63)
>     at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:339)
>     at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:318)
>     at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:315)
>     at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
>     at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
>     at sun.nio.ch.Invoker$2.run(Invoker.java:218)
>     at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> {code}
> [^DSAKeyTests.java]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)




[jira] [Commented] (SSHD-945) DSA 2048 public key authentication fails

2019-10-06 Thread Thomas Wolf (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16945367#comment-16945367
 ] 

Thomas Wolf commented on SSHD-945:

The problem is not the key per se. OpenSSH client and server even work with a 
DSA2048 key, but they still use a 160-bit SHA1 signature hash, which is an 
insecure setup. The signature hash should be 224 or 256 bits for such keys. If 
a client uses a different signature hash, it'll violate RFC 4253 and it's 
unlikely that this would work with an OpenSSH server.




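The RFC 4253 constraint that both comments on SSHD-945 turn on, as an added Python example that is not mina-sshd or OpenSSH code: it encodes and decodes the `ssh-dss` signature value, whose blob is r followed by s as two fixed 160-bit unsigned integers and whose message hash is SHA-1 (RFC 4253 section 6.6), and shows that a 2048-bit DSA key whose q is 224 or 256 bits (the FIPS 186-3 pairings, as the JDK generates) yields r and s that cannot be carried at all, so only a 2048-bit key with a 160-bit q interoperates, at the cost of keeping SHA-1. The r and s values are constructed; `FIPS_186_3_DSA_Q_BITS` and the function names are this example's own.

```python
import hashlib
import struct
from typing import Dict, Tuple

SSH_DSS = b"ssh-dss"
DSS_INT_BYTES = 20      # r and s are fixed 160-bit unsigned integers (RFC 4253 6.6)

# FIPS 186-3 (L, N) pairings, used to show which key sizes can produce r and s
# that fit the ssh-dss blob at all. Table constructed for this example.
FIPS_186_3_DSA_Q_BITS: Dict[int, Tuple[int, ...]] = {1024: (160,), 2048: (224, 256), 3072: (256,)}


def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH 'string' at offset; returns (bytes, next offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:end], end


def encode_ssh_dss_signature(r: int, s: int) -> bytes:
    """string "ssh-dss" || string (r || s), each exactly 20 bytes, unsigned, big-endian."""
    for name, value in (("r", r), ("s", s)):
        if value < 0 or value.bit_length() > 8 * DSS_INT_BYTES:
            raise ValueError(f"{name} needs {value.bit_length()} bits; ssh-dss carries at most 160")
    blob = r.to_bytes(DSS_INT_BYTES, "big") + s.to_bytes(DSS_INT_BYTES, "big")
    return ssh_string(SSH_DSS) + ssh_string(blob)


def decode_ssh_dss_signature(sig: bytes) -> Tuple[int, int]:
    """Inverse of encode_ssh_dss_signature; rejects any deviation from the fixed layout."""
    algo, off = read_ssh_string(sig, 0)
    if algo != SSH_DSS:
        raise ValueError(f"not an ssh-dss signature: {algo!r}")
    blob, off = read_ssh_string(sig, off)
    if off != len(sig):
        raise ValueError("trailing bytes after signature blob")
    if len(blob) != 2 * DSS_INT_BYTES:
        raise ValueError(f"dss_signature_blob must be 40 bytes, got {len(blob)}")
    return int.from_bytes(blob[:DSS_INT_BYTES], "big"), int.from_bytes(blob[DSS_INT_BYTES:], "big")


def ssh_dss_message_hash(data: bytes) -> bytes:
    """ssh-dss always signs SHA-1 of the data, whatever the key size."""
    return hashlib.sha1(data).digest()


def q_fits_ssh_dss(q_bits: int) -> bool:
    """r and s are reduced mod q, so they fit the 20-byte slots only when q <= 160 bits."""
    return q_bits <= 8 * DSS_INT_BYTES


def fips_186_3_key_usable_with_ssh_dss(l_bits: int) -> bool:
    """True only if every FIPS 186-3 q size for this L fits the ssh-dss blob."""
    return all(q_fits_ssh_dss(q) for q in FIPS_186_3_DSA_Q_BITS[l_bits])


def demo() -> dict:
    """Constructed values: a 160-bit pair round-trips; a 256-bit r (what a key with
    a 256-bit q can produce) is rejected by the encoder; a 56-byte blob (224-bit
    r and s, as q=224 would give) is rejected by the decoder."""
    r160, s160 = (1 << 159) | 0x1234, (1 << 160) - 1
    sig = encode_ssh_dss_signature(r160, s160)
    try:
        encode_ssh_dss_signature((1 << 255) | 0x1234, s160)
        q256_rejected = False
    except ValueError:
        q256_rejected = True
    try:
        decode_ssh_dss_signature(ssh_string(SSH_DSS) + ssh_string(b"\x01" * 56))
        blob56_rejected = False
    except ValueError:
        blob56_rejected = True
    return {"sig_len": len(sig), "roundtrip": decode_ssh_dss_signature(sig) == (r160, s160),
            "q256_rejected": q256_rejected, "blob56_rejected": blob56_rejected,
            "sha1_len": len(ssh_dss_message_hash(b"x"))}
```

The fixed 40-byte blob is why the failure in the issue surfaces as "No more authentication methods available" rather than as a signature error: a peer that follows the RFC has nowhere to put a 224- or 256-bit r and s, and a peer that invents a wider layout is no longer speaking `ssh-dss`.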



[jira] [Comment Edited] (SSHD-941) mina ssh client times out connecting with IOS 15.2

2019-10-06 Thread Lyor Goldstein (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16945308#comment-16945308
 ] 

Lyor Goldstein edited comment on SSHD-941 at 10/6/19 11:32 AM:

{{SecurityUtils#setMaxDHGroupExchangeKeySize}} is part of the release since a 
very early stage. As far as the immediate identification sending feature - it 
depends when we accumulate enough changes in version 2.3.0 to warrant a new 
release. My guess is not before 2020...

As far as needing both changes - I still believe that calling 
{{SecurityUtils#setMaxDHGroupExchangeKeySize}} +once+ as part of the _main_ 
initialization (and *before* starting the client) should do the trick. Have you 
tried that?


was (Author: lgoldstein):
{{SecurityUtils.setMaxDHGroupExchangeKeySize}} is part of the release since a 
very early stage. As far as the immediate identification sending feature - it 
depends when we accumulate enough changes in version 2.3.0 to warrant a new 
release. My guess is not before 2020...


[jira] [Commented] (SSHD-941) mina ssh client times out connecting with IOS 15.2

2019-10-06 Thread Lyor Goldstein (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16945308#comment-16945308
 ] 

Lyor Goldstein commented on SSHD-941:

{{SecurityUtils.setMaxDHGroupExchangeKeySize}} is part of the release since a 
very early stage. As far as the immediate identification sending feature - it 
depends when we accumulate enough changes in version 2.3.0 to warrant a new 
release. My guess is not before 2020...

> mina ssh client times out connecting with IOS 15.2
>
> Key: SSHD-941
> URL: https://issues.apache.org/jira/browse/SSHD-941
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: Yuefeng
> Assignee: Lyor Goldstein
> Priority: Major
>
> IOS-15#show version
> Cisco IOS Software, Linux Software (I86BI_LINUXL2-ADVENTERPRISEK9-M), Version 
> 15.2(CML_NIGHTLY_20180510)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, 
> synced to V152_6_0_81_E
>  
> apache.sshd always times out connecting to this device -
>  
> {code:java}
> 2019-09-12 20:42:30.559Z [sshd-SshClient[4ae0d26a]-nio2-thread-15] DEBUG o.a.s.c.session.ClientSessionImpl:68 - Client session created: Nio2Session[local=/10.10.20.1:41950, remote=/10.10.20.25:22]
> 2019-09-12 20:42:30.559Z [sshd-SshClient[4ae0d26a]-nio2-thread-15] DEBUG o.a.s.c.s.ClientUserAuthService:101 - ClientUserAuthService(ClientSessionImpl[null@/10.10.20.25:22]) client methods: [publickey, keyboard-interactive, password]
> 2019-09-12 20:42:30.559Z [sshd-SshClient[4ae0d26a]-nio2-thread-15] DEBUG o.a.s.c.session.ClientSessionImpl:1569 - sendIdentification(ClientSessionImpl[null@/10.10.20.25:22]): SSH-2.0-SSHD-CORE-2.0.0
> 2019-09-12 20:42:30.560Z [sshd-SshClient[4ae0d26a]-nio2-thread-15] DEBUG o.a.s.c.session.ClientSessionImpl:1716 - sendKexInit(ClientSessionImpl[null@/10.10.20.25:22]) Send SSH_MSG_KEXINIT
> 2019-09-12 20:42:30.560Z [collector-55326-2] DEBUG o.a.s.c.s.ClientUserAuthService:150 - auth(ClientSessionImpl[admin@/10.10.20.25:22])[ssh-connection] send SSH_MSG_USERAUTH_REQUEST for 'none'
> 2019-09-12 20:42:30.564Z [collector-55326-2] DEBUG o.a.s.c.session.ClientSessionImpl:1110 - writePacket(ClientSessionImpl[admin@/10.10.20.25:22])[SSH_MSG_USERAUTH_REQUEST] Start flagging packets as pending until key exchange is done
> 2019-09-12 20:42:30.612Z [sshd-SshClient[4ae0d26a]-nio2-thread-9] DEBUG o.a.s.c.session.ClientSessionImpl:1653 - doReadIdentification(ClientSessionImpl[admin@/10.10.20.25:22]) line='SSH-2.0-Cisco-1.25'
> 2019-09-12 20:42:30.612Z [sshd-SshClient[4ae0d26a]-nio2-thread-9] DEBUG o.a.s.c.session.ClientSessionImpl:375 - readIdentification(ClientSessionImpl[admin@/10.10.20.25:22]) Server version string: SSH-2.0-Cisco-1.25
> 2019-09-12 20:42:50.565Z [collector-55326-2] WARN c.forwardnetworks.client.web.a.b.e:181 - SSH auth failed: DefaultAuthFuture[ssh-connection]: Failed to get operation result within specified timeout: 2
> org.apache.sshd.common.SshException: DefaultAuthFuture[ssh-connection]: Failed to get operation result within specified timeout: 2
> {code}
>  
> ssh on linux has no problem connecting -
> {code:java}
> root@eve-ng:/opt/fwd/logs# ssh - admin@10.10.20.25
> OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug2: resolving "10.10.20.25" port 22
> debug2: ssh_connect_direct: needpriv 0
> debug1: Connecting to 10.10.20.25 [10.10.20.25] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: key_load_public: No such file or directory
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
> debug1: Remote protocol version 2.0, remote software version Cisco-1.25
> debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x6000
> debug2: fd 3 setting O_NONBLOCK