Re: [I] org.apache.sshd.common.SshException: No more authentication methods available [mina-sshd]
cslgo commented on issue #436:
URL: https://github.com/apache/mina-sshd/issues/436#issuecomment-1884053344

> @cslgo : yours is not the same problem as the original report. In the original report I don't see any proxy jump, but you are doing a proxy jump.
>
> Proxy jumps with password auth cannot work that way. The implementation in Apache MINA sshd has problems anyway (see #318), and I don't think it can work with password auth in this way at all. The point is that a proxy jump creates nested SSH sessions, but you get only access to the final, outermost session to connect to the target server. So any passwords you set on that session apply only to the final session connected to the target server.
>
> If you set the passwords on the SshClient, they are tried for any session, proxy and target. This _may_ work, but gives at least one failed log-in attempt at either the proxy or at the target before succeeding.
>
> If you set the passwords on the target session: the nested session for the proxy still has no password. Hence the connection fails.
>
> Proxy jumps work best if one uses publickey authentication configured via the HostConfigEntries. If you absolutely want to use passwords, try setting a `UserInteraction` on the `SshClient`. The `UserInteraction` has access to the `ClientSession` and can thus provide the appropriate password based on user name and session remote address, or it can prompt for the password.

The explanation is very clear. I understood the problem through your explanation. Thank you very much!

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

-
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
Re: New release of Apache MINA SSHD needed
I'll start the release process tomorrow.

Guillaume

On Tue, 9 Jan 2024 at 20:43, Thomas Wolf wrote:

> Could we have a new Apache MINA SSHD 2.12.0 release, please?
>
> There've been a few minor improvements, but the main reason
> for a new release is that we've implemented the "strict key
> exchange" mitigation against the Terrapin attack
> (CVE-2023-48795, which is a CVE against the SSH protocol
> itself.)
>
> Downstream users need a new release to get this strict key
> exchange protocol extension.
>
> Cheers,
>
>   Thomas

--
Guillaume Nodet
New release of Apache MINA SSHD needed
Could we have a new Apache MINA SSHD 2.12.0 release, please?

There've been a few minor improvements, but the main reason for a new release is that we've implemented the "strict key exchange" mitigation against the Terrapin attack (CVE-2023-48795, which is a CVE against the SSH protocol itself.)

Downstream users need a new release to get this strict key exchange protocol extension.

Cheers,

  Thomas
Re: [PR] GH-429: Support GIT protocol-v2 [mina-sshd]
tomaswolf closed pull request #430: GH-429: Support GIT protocol-v2
URL: https://github.com/apache/mina-sshd/pull/430
Re: [PR] Bump ch.qos.logback:logback-classic from 1.2.11 to 1.2.13 [mina-sshd]
tomaswolf commented on PR #443:
URL: https://github.com/apache/mina-sshd/pull/443#issuecomment-1883585526

Done in commit 46cfd7ade2d.
Re: [PR] Bump ch.qos.logback:logback-classic from 1.2.11 to 1.2.13 [mina-sshd]
dependabot[bot] commented on PR #443:
URL: https://github.com/apache/mina-sshd/pull/443#issuecomment-1883585607

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Re: [PR] Bump ch.qos.logback:logback-classic from 1.2.11 to 1.2.13 [mina-sshd]
tomaswolf closed pull request #443: Bump ch.qos.logback:logback-classic from 1.2.11 to 1.2.13
URL: https://github.com/apache/mina-sshd/pull/443
Re: [PR] Bump ch.qos.logback:logback-core from 1.2.11 to 1.2.13 [mina-sshd]
tomaswolf commented on PR #442:
URL: https://github.com/apache/mina-sshd/pull/442#issuecomment-1883584872

Done in commit 46cfd7ade2d.
Re: [PR] Bump ch.qos.logback:logback-core from 1.2.11 to 1.2.13 [mina-sshd]
tomaswolf closed pull request #442: Bump ch.qos.logback:logback-core from 1.2.11 to 1.2.13
URL: https://github.com/apache/mina-sshd/pull/442
Re: [PR] Bump ch.qos.logback:logback-core from 1.2.11 to 1.2.13 [mina-sshd]
dependabot[bot] commented on PR #442:
URL: https://github.com/apache/mina-sshd/pull/442#issuecomment-1883584934

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Re: [I] org.apache.sshd.client.global.OpenSshHostKeysHandler should ignore unsupported host keys [mina-sshd]
tomaswolf closed issue #434: org.apache.sshd.client.global.OpenSshHostKeysHandler should ignore unsupported host keys
URL: https://github.com/apache/mina-sshd/issues/434
Re: [PR] GH-434: skip unknown public keys from external sources [mina-sshd]
tomaswolf merged PR #451:
URL: https://github.com/apache/mina-sshd/pull/451
Re: [I] org.apache.sshd.common.SshException: No more authentication methods available [mina-sshd]
tomaswolf commented on issue #436:
URL: https://github.com/apache/mina-sshd/issues/436#issuecomment-1883449676

@cslgo : yours is not the same problem as the original report. In the original report I don't see any proxy jump, but you are doing a proxy jump.

Proxy jumps with password auth cannot work that way. The implementation in Apache MINA sshd has problems anyway (see #318), and I don't think it can work with password auth in this way at all. The point is that a proxy jump creates nested SSH sessions, but you get only access to the final, outermost session to connect to the target server. So any passwords you set on that session apply only to the final session connected to the target server.

If you set the passwords on the SshClient, they are tried for any session, proxy and target. This _may_ work, but gives at least one failed log-in attempt at either the proxy or at the target before succeeding.

If you set the passwords on the target session: the nested session for the proxy still has no password. Hence the connection fails.

Proxy jumps work best if one uses publickey authentication configured via the HostConfigEntries. If you absolutely want to use passwords, try setting a `UserInteraction` on the `SshClient`. The `UserInteraction` has access to the `ClientSession` and can thus provide the appropriate password based on user name and session remote address, or it can prompt for the password.
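The `UserInteraction` approach described in the comment above, as an added example (not code from the issue or from the Apache MINA sshd project): it answers password authentication with the entry registered for the session's user name and connect address, and only once per session. The class name, the `register` helper and the key format are hypothetical; that `getConnectAddress()` tells the proxy session apart from the target session is an assumption to confirm against the version in use.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.sshd.client.auth.keyboard.UserInteraction;
import org.apache.sshd.client.session.ClientSession;

/** Added example (hypothetical class): chooses the password per session, not per client. */
public class PerHostPasswordInteraction implements UserInteraction {

    // "user@host:port" -> password; the key format is this example's own convention.
    private final Map<String, String> passwords = new ConcurrentHashMap<>();
    // Sessions already answered, so a rejected password is never offered twice.
    private final Set<ClientSession> answered = Collections.synchronizedSet(
            Collections.newSetFromMap(new WeakHashMap<ClientSession, Boolean>()));

    public void register(String user, String host, int port, String password) {
        passwords.put(user + "@" + host + ":" + port, password);
    }

    @Override
    public String resolveAuthPasswordAttempt(ClientSession session) {
        SocketAddress remote = session.getConnectAddress();
        if (!(remote instanceof InetSocketAddress) || !answered.add(session)) {
            return null; // unknown peer or already tried: offer nothing
        }
        InetSocketAddress peer = (InetSocketAddress) remote;
        // getHostString() does not trigger a reverse DNS lookup.
        return passwords.get(
                session.getUsername() + "@" + peer.getHostString() + ":" + peer.getPort());
    }

    @Override
    public String[] interactive(ClientSession session, String name, String instruction,
            String lang, String[] prompt, boolean[] echo) {
        return null; // this example answers "password" auth only
    }

    @Override
    public String getUpdatedPassword(ClientSession session, String prompt, String lang) {
        return null; // never change a password automatically
    }
}
```

Install an instance with `client.setUserInteraction(...)` before connecting and leave out `addPasswordIdentity`, so that neither the proxy nor the target is offered a password meant for the other.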
Re: [I] Ciphers and KEX override at ClientSession level not taken into account [mina-sshd]
baiglin commented on issue #439:
URL: https://github.com/apache/mina-sshd/issues/439#issuecomment-1883411303

Indeed this is what I relied on after your last comment: implementing `SessionListener`

```java
@Override
public void sessionCreated(Session session) {
    InetSocketAddress remoteAddress = (InetSocketAddress) session.getIoSession().getRemoteAddress();
    // Apply the overrides only to sessions for the configured host and port
    if (remoteAddress.getHostName().equals(sshdConfiguration.getHost())
            && remoteAddress.getPort() == sshdConfiguration.getPort()) {
        setupCiphers(session);
        setupMacs(session);
        setupKeyExchanges(session);
    }
}
```

However at this stage of the exchange the user name was null in the exchange, so I cannot use it.

Many thanks @tomaswolf for your time.
Re: [I] Ciphers and KEX override at ClientSession level not taken into account [mina-sshd]
baiglin closed issue #439: Ciphers and KEX override at ClientSession level not taken into account
URL: https://github.com/apache/mina-sshd/issues/439
Re: [I] Terrapin Mitigation: "strict-kex" [mina-sshd]
ecki commented on issue #445:
URL: https://github.com/apache/mina-sshd/issues/445#issuecomment-1883316285

The fix is required on both sides, see the terrapin website for more details on mitigations.
Re: [I] Terrapin Mitigation: "strict-kex" [mina-sshd]
mimaya commented on issue #445:
URL: https://github.com/apache/mina-sshd/issues/445#issuecomment-1883309583

Is this problem/fix on the server side? We are using only the sshd client; do we need to do something to mitigate the problem?
Re: [I] org.apache.sshd.common.SshException: No more authentication methods available [mina-sshd]
cslgo commented on issue #436:
URL: https://github.com/apache/mina-sshd/issues/436#issuecomment-1882797626

```java
@Test
public void testProxyWithHostKeyVerificationAndCustomConfig3() throws Exception {
    try (SshClient client = setupTestClient()) {
        client.setServerKeyVerifier(AcceptAllServerKeyVerifier.INSTANCE);
        // "server" is reached through the proxy jump host "proxy"
        client.setHostConfigEntryResolver(HostConfigEntry.toHostConfigEntryResolver(Arrays.asList(
                new HostConfigEntry("server", "ip1", 22, "root", "proxy"),
                new HostConfigEntry("proxy", "ip2", 22, "root"))));
        client.start();

        // Connect via the proxy
        //client.addPasswordIdentity("pass@xord123");
        //client.addPasswordIdentity("cloxi!#@048987");
        ConnectFuture verifySession = client.connect("server").verify(CONNECT_TIMEOUT);
        if (!verifySession.isConnected()) {
            logger.error("Session connect failed after {} mill seconds", CONNECT_TIMEOUT);
            throw new RuntimeException(
                    "Session connect failed after " + CONNECT_TIMEOUT + " mill seconds.");
        }

        try (ClientSession session = verifySession.getSession()) {
            // Passwords set here reach only the final session to the target server
            session.addPasswordIdentity("pass@word123");
            session.addPasswordIdentity("cloxi!544048987");
            session.auth().verify(AUTH_TIMEOUT);
            assertTrue(session.isOpen());
            doTestCommand(session, "ls -la");
        }
        // make sure the proxy session is closed / closing
        assertTrue(proxySession == null || proxySession.isClosing() || proxySession.isClosed());
    }
}
```

console printout:

```
Finished com.chinamobile.cmdi.framework.util.ssh.ProxyTest:testProxyWithHostKeyVerificationAndCustomConfig3 in 77640 ms
org.apache.sshd.common.SshException: No more authentication methods available
    at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:141)
    at org.apache.sshd.client.future.DefaultConnectFuture.verify(DefaultConnectFuture.java:55)
    at org.apache.sshd.client.future.DefaultConnectFuture.verify(DefaultConnectFuture.java:36)
    at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:74)
    at com.chinamobile.cmdi.framework.util.ssh.ProxyTest.testProxyWithHostKeyVerificationAndCustomConfig3(ProxyTest.java:239)
```
Re: [I] org.apache.sshd.common.SshException: No more authentication methods available [mina-sshd]
cslgo commented on issue #436:
URL: https://github.com/apache/mina-sshd/issues/436#issuecomment-1882791429

@tomaswolf