[sshd] Implement SSH config KexAlgorithms
Make the used KEX algorithms configurable via the ssh config. Also implement adding algorithms not in the default set: since sshd 2.6.0 deprecated SHA1-based algorithms, it is possible that the default set has not all available algorithms, so adding algorithms makes sense. This enables users who have to use a git server that only supports old SHA1-based key exchange methods to enable those methods in the ssh config: KexAlgorithms +diffie-hellman-group1-sha1 There are two more SHA1 algorithms that are not enabled by default: diffie-hellman-group14-sha1 and diffie-hellman-group-exchange-sha1. KeyAlgorithms accepts a comma-separated list of algorithm names. Since adding algorithms is now supported, adapt the handling of signature algorithms, too. Make sure that definitions for the KEX exchange signature (HostKeyAlgorithms) don't conflict with the definition for signatures for pubkey auth (PubkeyAcceptedAlgorithms). HostKeyAlgorithms updates the signature factories set on the session to include the default factories plus any that might have been added via the SSH config. Move the handling of PubkeyAcceptedAlgorithms from the client to the JGitPubkeyAuthentication, where it can be done only if pubkey auth is attempted at all and where it can store its adapted list of factories locally. Bug: 574636 Change-Id: Ia5d5f174bbc8e5b41e10ec2c25216d861174e7c3 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
This commit is contained in:
parent
1e391d47ba
commit
27a1fa1872
|
@ -12,6 +12,7 @@ Import-Package: org.apache.sshd.client.config.hosts;version="[2.7.0,2.8.0)",
|
|||
org.apache.sshd.common.auth;version="[2.7.0,2.8.0)",
|
||||
org.apache.sshd.common.config.keys;version="[2.7.0,2.8.0)",
|
||||
org.apache.sshd.common.helpers;version="[2.7.0,2.8.0)",
|
||||
org.apache.sshd.common.kex;version="[2.7.0,2.8.0)",
|
||||
org.apache.sshd.common.keyprovider;version="[2.7.0,2.8.0)",
|
||||
org.apache.sshd.common.session;version="[2.7.0,2.8.0)",
|
||||
org.apache.sshd.common.signature;version="[2.7.0,2.8.0)",
|
||||
|
|
|
@ -34,13 +34,18 @@
|
|||
|
||||
import org.apache.sshd.client.config.hosts.KnownHostEntry;
|
||||
import org.apache.sshd.client.config.hosts.KnownHostHashValue;
|
||||
import org.apache.sshd.common.NamedFactory;
|
||||
import org.apache.sshd.common.config.keys.AuthorizedKeyEntry;
|
||||
import org.apache.sshd.common.config.keys.KeyUtils;
|
||||
import org.apache.sshd.common.config.keys.PublicKeyEntry;
|
||||
import org.apache.sshd.common.config.keys.PublicKeyEntryResolver;
|
||||
import org.apache.sshd.common.kex.BuiltinDHFactories;
|
||||
import org.apache.sshd.common.kex.DHFactory;
|
||||
import org.apache.sshd.common.kex.KeyExchangeFactory;
|
||||
import org.apache.sshd.common.session.Session;
|
||||
import org.apache.sshd.common.util.net.SshdSocketAddress;
|
||||
import org.apache.sshd.server.ServerAuthenticationManager;
|
||||
import org.apache.sshd.server.ServerBuilder;
|
||||
import org.apache.sshd.server.SshServer;
|
||||
import org.apache.sshd.server.forward.StaticDecisionForwardingFilter;
|
||||
import org.eclipse.jgit.api.Git;
|
||||
|
@ -702,4 +707,42 @@ public void testConnectAuthSshRsa() throws Exception {
|
|||
session.disconnect();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that one can log in at an even poorer server that also only has the
|
||||
* SHA1 KEX methods available. Apparently this is the case for at least some
|
||||
* Microsoft TFS instances. The user has to enable the poor KEX methods in
|
||||
* the ssh config explicitly; we don't enable them by default.
|
||||
*
|
||||
* @throws Exception
|
||||
* on failure
|
||||
*/
|
||||
@Test
|
||||
public void testConnectOnlyRsaSha1() throws Exception {
|
||||
try (SshServer oldServer = createServer(TEST_USER, publicKey1)) {
|
||||
oldServer.setSignatureFactoriesNames("ssh-rsa");
|
||||
List<DHFactory> sha1Factories = BuiltinDHFactories
|
||||
.parseDHFactoriesList(
|
||||
"diffie-hellman-group1-sha1,diffie-hellman-group14-sha1")
|
||||
.getParsedFactories();
|
||||
assertEquals(2, sha1Factories.size());
|
||||
List<KeyExchangeFactory> kexFactories = NamedFactory
|
||||
.setUpTransformedFactories(true, sha1Factories,
|
||||
ServerBuilder.DH2KEX);
|
||||
oldServer.setKeyExchangeFactories(kexFactories);
|
||||
oldServer.start();
|
||||
registerServer(oldServer);
|
||||
installConfig("Host server", //
|
||||
"HostName localhost", //
|
||||
"Port " + oldServer.getPort(), //
|
||||
"User " + TEST_USER, //
|
||||
"IdentityFile " + privateKey1.getAbsolutePath(), //
|
||||
"KexAlgorithms +diffie-hellman-group1-sha1");
|
||||
RemoteSession session = getSessionFactory().getSession(
|
||||
new URIish("ssh://server/doesntmatter"), null, FS.DETECTED,
|
||||
10000);
|
||||
assertNotNull(session);
|
||||
session.disconnect();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -8,6 +8,7 @@ configInvalidProxyJump=Ssh config, host ''{0}'': Cannot parse ProxyJump ''{1}''
|
|||
configNoKnownAlgorithms=Ssh config ''{0}'' ''{1}'' resulted in empty list (none known, or all known removed); using default.
|
||||
configProxyJumpNotSsh=Non-ssh URI in ProxyJump ssh config
|
||||
configProxyJumpWithPath=ProxyJump ssh config: jump host specification must not have a path
|
||||
configUnknownAlgorithm=Ssh config {0}: ignoring unknown algorithm ''{1}'' in {2} {3}
|
||||
ftpCloseFailed=Closing the SFTP channel failed
|
||||
gssapiFailure=GSS-API error for mechanism OID {0}
|
||||
gssapiInitFailure=GSS-API initialization failure for mechanism {0}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (C) 2018, 2019 Thomas Wolf <thomas.wolf@paranor.ch> and others
|
||||
* Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
|
||||
*
|
||||
* This program and the accompanying materials are made available under the
|
||||
* terms of the Eclipse Distribution License v. 1.0 which is available at
|
||||
|
@ -29,17 +29,26 @@
|
|||
import java.util.Objects;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.sshd.client.ClientBuilder;
|
||||
import org.apache.sshd.client.ClientFactoryManager;
|
||||
import org.apache.sshd.client.config.hosts.HostConfigEntry;
|
||||
import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
|
||||
import org.apache.sshd.client.session.ClientSessionImpl;
|
||||
import org.apache.sshd.common.AttributeRepository;
|
||||
import org.apache.sshd.common.FactoryManager;
|
||||
import org.apache.sshd.common.NamedResource;
|
||||
import org.apache.sshd.common.PropertyResolver;
|
||||
import org.apache.sshd.common.config.keys.KeyUtils;
|
||||
import org.apache.sshd.common.io.IoSession;
|
||||
import org.apache.sshd.common.io.IoWriteFuture;
|
||||
import org.apache.sshd.common.kex.BuiltinDHFactories;
|
||||
import org.apache.sshd.common.kex.DHFactory;
|
||||
import org.apache.sshd.common.kex.KexProposalOption;
|
||||
import org.apache.sshd.common.kex.KeyExchangeFactory;
|
||||
import org.apache.sshd.common.kex.extension.KexExtensionHandler;
|
||||
import org.apache.sshd.common.kex.extension.KexExtensions;
|
||||
import org.apache.sshd.common.signature.BuiltinSignatures;
|
||||
import org.apache.sshd.common.kex.extension.KexExtensionHandler.AvailabilityPhase;
|
||||
import org.apache.sshd.common.util.Readable;
|
||||
import org.apache.sshd.common.util.buffer.Buffer;
|
||||
import org.eclipse.jgit.errors.InvalidPatternException;
|
||||
|
@ -70,6 +79,8 @@ public class JGitClientSession extends ClientSessionImpl {
|
|||
*/
|
||||
private static final int DEFAULT_MAX_IDENTIFICATION_SIZE = 64 * 1024;
|
||||
|
||||
private static final AttributeKey<Boolean> INITIAL_KEX_DONE = new AttributeKey<>();
|
||||
|
||||
private HostConfigEntry hostConfig;
|
||||
|
||||
private CredentialsProvider credentialsProvider;
|
||||
|
@ -219,6 +230,32 @@ protected Map<KexProposalOption, String> setNegotiationResult(
|
|||
return result;
|
||||
}
|
||||
|
||||
Set<String> getAllAvailableSignatureAlgorithms() {
|
||||
Set<String> allAvailable = new HashSet<>();
|
||||
BuiltinSignatures.VALUES.forEach(s -> allAvailable.add(s.getName()));
|
||||
BuiltinSignatures.getRegisteredExtensions()
|
||||
.forEach(s -> allAvailable.add(s.getName()));
|
||||
return allAvailable;
|
||||
}
|
||||
|
||||
private void setNewFactories(Collection<String> defaultFactories,
|
||||
Collection<String> finalFactories) {
|
||||
// If new factory names were added make sure we actually have factories
|
||||
// for them all.
|
||||
//
|
||||
// But add new ones at the end: we don't want to change the order for
|
||||
// pubkey auth, and any new ones added here were not included in the
|
||||
// default set for some reason, such as being deprecated or weak.
|
||||
//
|
||||
// The order for KEX is determined by the order in the proposal string,
|
||||
// but the order in pubkey auth is determined by the order in the
|
||||
// factory list (possibly overridden via ssh config
|
||||
// PubkeyAcceptedAlgorithms; see JGitPublicKeyAuthentication).
|
||||
Set<String> resultSet = new LinkedHashSet<>(defaultFactories);
|
||||
resultSet.addAll(finalFactories);
|
||||
setSignatureFactoriesNames(resultSet);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String resolveAvailableSignaturesProposal(
|
||||
FactoryManager manager) {
|
||||
|
@ -229,16 +266,17 @@ protected String resolveAvailableSignaturesProposal(
|
|||
.getProperty(SshConstants.HOST_KEY_ALGORITHMS);
|
||||
if (!StringUtils.isEmptyOrNull(algorithms)) {
|
||||
List<String> result = modifyAlgorithmList(defaultSignatures,
|
||||
algorithms, SshConstants.HOST_KEY_ALGORITHMS);
|
||||
getAllAvailableSignatureAlgorithms(), algorithms,
|
||||
SshConstants.HOST_KEY_ALGORITHMS);
|
||||
if (!result.isEmpty()) {
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug(SshConstants.HOST_KEY_ALGORITHMS + ' ' + result);
|
||||
}
|
||||
setNewFactories(defaultSignatures, result);
|
||||
return String.join(",", result); //$NON-NLS-1$
|
||||
}
|
||||
log.warn(format(SshdText.get().configNoKnownAlgorithms,
|
||||
SshConstants.HOST_KEY_ALGORITHMS,
|
||||
algorithms));
|
||||
SshConstants.HOST_KEY_ALGORITHMS, algorithms));
|
||||
}
|
||||
// No HostKeyAlgorithms; using default -- change order to put existing
|
||||
// keys first.
|
||||
|
@ -261,6 +299,10 @@ protected String resolveAvailableSignaturesProposal(
|
|||
if (log.isDebugEnabled()) {
|
||||
log.debug(SshConstants.HOST_KEY_ALGORITHMS + ' ' + reordered);
|
||||
}
|
||||
// Make sure we actually have factories for them all.
|
||||
if (reordered.size() > defaultSignatures.size()) {
|
||||
setNewFactories(defaultSignatures, reordered);
|
||||
}
|
||||
return String.join(",", reordered); //$NON-NLS-1$
|
||||
}
|
||||
if (log.isDebugEnabled()) {
|
||||
|
@ -270,15 +312,87 @@ protected String resolveAvailableSignaturesProposal(
|
|||
return String.join(",", defaultSignatures); //$NON-NLS-1$
|
||||
}
|
||||
|
||||
private List<String> determineKexProposal() {
|
||||
List<KeyExchangeFactory> kexFactories = getKeyExchangeFactories();
|
||||
List<String> defaultKexMethods = NamedResource
|
||||
.getNameList(kexFactories);
|
||||
HostConfigEntry config = resolveAttribute(
|
||||
JGitSshClient.HOST_CONFIG_ENTRY);
|
||||
String algorithms = config.getProperty(SshConstants.KEX_ALGORITHMS);
|
||||
if (!StringUtils.isEmptyOrNull(algorithms)) {
|
||||
Set<String> allAvailable = new HashSet<>();
|
||||
BuiltinDHFactories.VALUES
|
||||
.forEach(s -> allAvailable.add(s.getName()));
|
||||
BuiltinDHFactories.getRegisteredExtensions()
|
||||
.forEach(s -> allAvailable.add(s.getName()));
|
||||
List<String> result = modifyAlgorithmList(defaultKexMethods,
|
||||
allAvailable, algorithms, SshConstants.KEX_ALGORITHMS);
|
||||
if (!result.isEmpty()) {
|
||||
// If new ones were added, update the installed factories
|
||||
Set<String> configuredKexMethods = new HashSet<>(
|
||||
defaultKexMethods);
|
||||
List<KeyExchangeFactory> newKexFactories = new ArrayList<>();
|
||||
result.forEach(name -> {
|
||||
if (!configuredKexMethods.contains(name)) {
|
||||
DHFactory factory = BuiltinDHFactories
|
||||
.resolveFactory(name);
|
||||
if (factory == null) {
|
||||
// Should not occur here
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug(
|
||||
"determineKexProposal({}) unknown KEX algorithm {} ignored", //$NON-NLS-1$
|
||||
this, name);
|
||||
}
|
||||
} else {
|
||||
newKexFactories
|
||||
.add(ClientBuilder.DH2KEX.apply(factory));
|
||||
}
|
||||
}
|
||||
});
|
||||
if (!newKexFactories.isEmpty()) {
|
||||
newKexFactories.addAll(kexFactories);
|
||||
setKeyExchangeFactories(newKexFactories);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
log.warn(format(SshdText.get().configNoKnownAlgorithms,
|
||||
SshConstants.KEX_ALGORITHMS, algorithms));
|
||||
}
|
||||
return defaultKexMethods;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String resolveSessionKexProposal(String hostKeyTypes)
|
||||
throws IOException {
|
||||
String kexMethods = String.join(",", determineKexProposal()); //$NON-NLS-1$
|
||||
Boolean isRekey = getAttribute(INITIAL_KEX_DONE);
|
||||
if (isRekey == null || !isRekey.booleanValue()) {
|
||||
// First time
|
||||
KexExtensionHandler extHandler = getKexExtensionHandler();
|
||||
if (extHandler != null && extHandler.isKexExtensionsAvailable(this,
|
||||
AvailabilityPhase.PROPOSAL)) {
|
||||
if (kexMethods.isEmpty()) {
|
||||
kexMethods = KexExtensions.CLIENT_KEX_EXTENSION;
|
||||
} else {
|
||||
kexMethods += ',' + KexExtensions.CLIENT_KEX_EXTENSION;
|
||||
}
|
||||
}
|
||||
setAttribute(INITIAL_KEX_DONE, Boolean.TRUE);
|
||||
}
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug(SshConstants.KEX_ALGORITHMS + ' ' + kexMethods);
|
||||
}
|
||||
return kexMethods;
|
||||
}
|
||||
|
||||
/**
|
||||
* Modifies a given algorithm list according to a list from the ssh config,
|
||||
* including remove ('-') and reordering ('^') operators. Addition ('+') is
|
||||
* not handled since we have no way of adding dynamically implementations,
|
||||
* and the defaultList is supposed to contain all known implementations
|
||||
* already.
|
||||
* including add ('+'), remove ('-') and reordering ('^') operators.
|
||||
*
|
||||
* @param defaultList
|
||||
* to modify
|
||||
* @param allAvailable
|
||||
* all available values
|
||||
* @param fromConfig
|
||||
* telling how to modify the {@code defaultList}, must not be
|
||||
* {@code null} or empty
|
||||
|
@ -288,22 +402,22 @@ protected String resolveAvailableSignaturesProposal(
|
|||
* set
|
||||
*/
|
||||
public List<String> modifyAlgorithmList(List<String> defaultList,
|
||||
String fromConfig, String overrideKey) {
|
||||
Set<String> allAvailable, String fromConfig, String overrideKey) {
|
||||
Set<String> defaults = new LinkedHashSet<>();
|
||||
defaults.addAll(defaultList);
|
||||
switch (fromConfig.charAt(0)) {
|
||||
case '+':
|
||||
// Additions make not much sense -- it's either in
|
||||
// defaultList already, or we have no implementation for
|
||||
// it. No point in proposing it.
|
||||
return defaultList;
|
||||
List<String> newSignatures = filteredList(allAvailable, overrideKey,
|
||||
fromConfig.substring(1));
|
||||
defaults.addAll(newSignatures);
|
||||
return new ArrayList<>(defaults);
|
||||
case '-':
|
||||
// This takes wildcard patterns!
|
||||
removeFromList(defaults, overrideKey, fromConfig.substring(1));
|
||||
return new ArrayList<>(defaults);
|
||||
case '^':
|
||||
// Specified entries go to the front of the default list
|
||||
List<String> allSignatures = filteredList(defaults,
|
||||
List<String> allSignatures = filteredList(allAvailable, overrideKey,
|
||||
fromConfig.substring(1));
|
||||
Set<String> atFront = new HashSet<>(allSignatures);
|
||||
for (String sig : defaults) {
|
||||
|
@ -315,7 +429,7 @@ public List<String> modifyAlgorithmList(List<String> defaultList,
|
|||
default:
|
||||
// Default is overridden -- only accept the ones for which we do
|
||||
// have an implementation.
|
||||
return filteredList(defaults, fromConfig);
|
||||
return filteredList(allAvailable, overrideKey, fromConfig);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -342,11 +456,15 @@ private void removeFromList(Set<String> current, String key,
|
|||
}
|
||||
}
|
||||
|
||||
private List<String> filteredList(Set<String> known, String values) {
|
||||
private List<String> filteredList(Set<String> known, String key,
|
||||
String values) {
|
||||
List<String> newNames = new ArrayList<>();
|
||||
for (String newValue : values.split("\\s*,\\s*")) { //$NON-NLS-1$
|
||||
if (known.contains(newValue)) {
|
||||
newNames.add(newValue);
|
||||
} else {
|
||||
log.warn(format(SshdText.get().configUnknownAlgorithm, this,
|
||||
newValue, key, values));
|
||||
}
|
||||
}
|
||||
return newNames;
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
/*
|
||||
* Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
|
||||
*
|
||||
* This program and the accompanying materials are made available under the
|
||||
* terms of the Eclipse Distribution License v. 1.0 which is available at
|
||||
* https://www.eclipse.org/org/documents/edl-v10.php.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
package org.eclipse.jgit.internal.transport.sshd;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import org.apache.sshd.client.auth.pubkey.UserAuthPublicKey;
|
||||
import org.apache.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
|
||||
import org.apache.sshd.client.session.ClientSession;
|
||||
|
||||
/**
|
||||
* A customized authentication factory for public key user authentication.
|
||||
*/
|
||||
public class JGitPublicKeyAuthFactory extends UserAuthPublicKeyFactory {
|
||||
|
||||
/** The singleton {@link JGitPublicKeyAuthFactory}. */
|
||||
public static final JGitPublicKeyAuthFactory FACTORY = new JGitPublicKeyAuthFactory();
|
||||
|
||||
private JGitPublicKeyAuthFactory() {
|
||||
super();
|
||||
}
|
||||
|
||||
@Override
|
||||
public UserAuthPublicKey createUserAuth(ClientSession session)
|
||||
throws IOException {
|
||||
return new JGitPublicKeyAuthentication(getSignatureFactories());
|
||||
}
|
||||
}
|
|
@ -0,0 +1,64 @@
|
|||
/*
|
||||
* Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
|
||||
*
|
||||
* This program and the accompanying materials are made available under the
|
||||
* terms of the Eclipse Distribution License v. 1.0 which is available at
|
||||
* https://www.eclipse.org/org/documents/edl-v10.php.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
package org.eclipse.jgit.internal.transport.sshd;
|
||||
|
||||
import static java.text.MessageFormat.format;
|
||||
import static org.eclipse.jgit.transport.SshConstants.PUBKEY_ACCEPTED_ALGORITHMS;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.sshd.client.auth.pubkey.UserAuthPublicKey;
|
||||
import org.apache.sshd.client.config.hosts.HostConfigEntry;
|
||||
import org.apache.sshd.client.session.ClientSession;
|
||||
import org.apache.sshd.common.NamedFactory;
|
||||
import org.apache.sshd.common.signature.Signature;
|
||||
import org.eclipse.jgit.util.StringUtils;
|
||||
|
||||
/**
|
||||
* Custom {@link UserAuthPublicKey} implementation for handling SSH config
|
||||
* PubkeyAcceptedAlgorithms.
|
||||
*/
|
||||
public class JGitPublicKeyAuthentication extends UserAuthPublicKey {
|
||||
|
||||
JGitPublicKeyAuthentication(List<NamedFactory<Signature>> factories) {
|
||||
super(factories);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(ClientSession rawSession, String service)
|
||||
throws Exception {
|
||||
if (!(rawSession instanceof JGitClientSession)) {
|
||||
throw new IllegalStateException("Wrong session type: " //$NON-NLS-1$
|
||||
+ rawSession.getClass().getCanonicalName());
|
||||
}
|
||||
JGitClientSession session = ((JGitClientSession) rawSession);
|
||||
HostConfigEntry hostConfig = session.getHostConfigEntry();
|
||||
// Set signature algorithms for public key authentication
|
||||
String pubkeyAlgos = hostConfig.getProperty(PUBKEY_ACCEPTED_ALGORITHMS);
|
||||
if (!StringUtils.isEmptyOrNull(pubkeyAlgos)) {
|
||||
List<String> signatures = session.getSignatureFactoriesNames();
|
||||
signatures = session.modifyAlgorithmList(signatures,
|
||||
session.getAllAvailableSignatureAlgorithms(), pubkeyAlgos,
|
||||
PUBKEY_ACCEPTED_ALGORITHMS);
|
||||
if (!signatures.isEmpty()) {
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug(PUBKEY_ACCEPTED_ALGORITHMS + ' ' + signatures);
|
||||
}
|
||||
setSignatureFactoriesNames(signatures);
|
||||
} else {
|
||||
log.warn(format(SshdText.get().configNoKnownAlgorithms,
|
||||
PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos));
|
||||
}
|
||||
}
|
||||
// If we don't set signature factories here, the default ones from the
|
||||
// session will be used.
|
||||
super.init(session, service);
|
||||
}
|
||||
}
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (C) 2018, 2020 Thomas Wolf <thomas.wolf@paranor.ch> and others
|
||||
* Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
|
||||
*
|
||||
* This program and the accompanying materials are made available under the
|
||||
* terms of the Eclipse Distribution License v. 1.0 which is available at
|
||||
|
@ -267,24 +267,6 @@ private JGitClientSession createSession(IoSession ioSession,
|
|||
session.setUsername(username);
|
||||
session.setConnectAddress(address);
|
||||
session.setHostConfigEntry(hostConfig);
|
||||
// Set signature algorithms for public key authentication
|
||||
String pubkeyAlgos = hostConfig
|
||||
.getProperty(SshConstants.PUBKEY_ACCEPTED_ALGORITHMS);
|
||||
if (!StringUtils.isEmptyOrNull(pubkeyAlgos)) {
|
||||
List<String> signatures = getSignatureFactoriesNames();
|
||||
signatures = session.modifyAlgorithmList(signatures, pubkeyAlgos,
|
||||
SshConstants.PUBKEY_ACCEPTED_ALGORITHMS);
|
||||
if (!signatures.isEmpty()) {
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug(SshConstants.PUBKEY_ACCEPTED_ALGORITHMS + ' '
|
||||
+ signatures);
|
||||
}
|
||||
session.setSignatureFactoriesNames(signatures);
|
||||
} else {
|
||||
log.warn(format(SshdText.get().configNoKnownAlgorithms,
|
||||
SshConstants.PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos));
|
||||
}
|
||||
}
|
||||
if (session.getCredentialsProvider() == null) {
|
||||
session.setCredentialsProvider(getCredentialsProvider());
|
||||
}
|
||||
|
|
|
@ -28,6 +28,7 @@ public static SshdText get() {
|
|||
/***/ public String configNoKnownAlgorithms;
|
||||
/***/ public String configProxyJumpNotSsh;
|
||||
/***/ public String configProxyJumpWithPath;
|
||||
/***/ public String configUnknownAlgorithm;
|
||||
/***/ public String ftpCloseFailed;
|
||||
/***/ public String gssapiFailure;
|
||||
/***/ public String gssapiInitFailure;
|
||||
|
|
|
@ -32,7 +32,6 @@
|
|||
import org.apache.sshd.client.SshClient;
|
||||
import org.apache.sshd.client.auth.UserAuthFactory;
|
||||
import org.apache.sshd.client.auth.keyboard.UserAuthKeyboardInteractiveFactory;
|
||||
import org.apache.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
|
||||
import org.apache.sshd.client.config.hosts.HostConfigEntryResolver;
|
||||
import org.apache.sshd.common.NamedFactory;
|
||||
import org.apache.sshd.common.SshException;
|
||||
|
@ -49,6 +48,7 @@
|
|||
import org.eclipse.jgit.internal.transport.sshd.CachingKeyPairProvider;
|
||||
import org.eclipse.jgit.internal.transport.sshd.GssApiWithMicAuthFactory;
|
||||
import org.eclipse.jgit.internal.transport.sshd.JGitPasswordAuthFactory;
|
||||
import org.eclipse.jgit.internal.transport.sshd.JGitPublicKeyAuthFactory;
|
||||
import org.eclipse.jgit.internal.transport.sshd.JGitServerKeyVerifier;
|
||||
import org.eclipse.jgit.internal.transport.sshd.JGitSshClient;
|
||||
import org.eclipse.jgit.internal.transport.sshd.JGitSshConfig;
|
||||
|
@ -577,7 +577,7 @@ private List<UserAuthFactory> getUserAuthFactories() {
|
|||
// Password auth doesn't have this problem.
|
||||
return Collections.unmodifiableList(
|
||||
Arrays.asList(GssApiWithMicAuthFactory.INSTANCE,
|
||||
UserAuthPublicKeyFactory.INSTANCE,
|
||||
JGitPublicKeyAuthFactory.FACTORY,
|
||||
JGitPasswordAuthFactory.INSTANCE,
|
||||
UserAuthKeyboardInteractiveFactory.INSTANCE));
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue