Posted to commits@camel.apache.org by co...@apache.org on 2019/06/27 14:42:25 UTC
[camel] branch master updated: CAMEL-13692 - Don't use ssh-rsa as
the default keytype for client keys
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/master by this push:
new 9e55577 CAMEL-13692 - Don't use ssh-rsa as the default keytype for client keys
9e55577 is described below
commit 9e5557706505b5dbde21ae8dc318461c2a54bea4
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Jun 27 15:41:20 2019 +0100
CAMEL-13692 - Don't use ssh-rsa as the default keytype for client keys
---
.../camel-ssh/src/main/docs/ssh-component.adoc | 4 +--
.../camel/component/ssh/SshConfiguration.java | 12 +++----
.../org/apache/camel/component/ssh/SshHelper.java | 37 ++++++++++++++--------
.../component/ssh/SshComponentSecurityTest.java | 17 ++++++++++
components/camel-ssh/src/test/resources/ec.pem | 7 ++++
.../modules/ROOT/pages/ssh-component.adoc | 4 +--
.../ssh/springboot/SshComponentConfiguration.java | 2 +-
7 files changed, 59 insertions(+), 24 deletions(-)
diff --git a/components/camel-ssh/src/main/docs/ssh-component.adoc b/components/camel-ssh/src/main/docs/ssh-component.adoc
index 23aceb5..3215588 100644
--- a/components/camel-ssh/src/main/docs/ssh-component.adoc
+++ b/components/camel-ssh/src/main/docs/ssh-component.adoc
@@ -115,7 +115,7 @@ with the following path and query parameters:
| *useFixedDelay* (scheduler) | Controls if fixed delay or fixed rate is used. See ScheduledExecutorService in JDK for details. | true | boolean
| *certResource* (security) | Sets the resource path of the certificate to use for Authentication. Will use ResourceHelperKeyPairProvider to resolve file based certificate, and depends on keyType setting. | | String
| *keyPairProvider* (security) | Sets the KeyPairProvider reference to use when connecting using Certificates to the remote SSH Server. | | KeyPairProvider
-| *keyType* (security) | Sets the key type to pass to the KeyPairProvider as part of authentication. KeyPairProvider.loadKey(...) will be passed this value. Defaults to ssh-rsa. | ssh-rsa | String
+| *keyType* (security) | Sets the key type to pass to the KeyPairProvider as part of authentication. KeyPairProvider.loadKey(...) will be passed this value. Defaults to ssh-rsa. | | String
| *password* (security) | Sets the password to use in connecting to remote SSH server. Requires keyPairProvider to be set to null. | | String
| *username* (security) | Sets the username to use in logging into the remote SSH server. | | String
|===
@@ -210,7 +210,7 @@ and which options are set.
set, and if so, use it to locate the referenced Public Key certificate
and use that for authentication.
2. If `certResource` is not set, it will look to see if a
-`keyPairProvider` has been set, and if so, it will use that to for
+`keyPairProvider` has been set, and if so, it will use that for
certificate based authentication.
3. If neither `certResource` nor `keyPairProvider` are set, it will use
the `username` and `password` options for authentication. Even though the `username`
diff --git a/components/camel-ssh/src/main/java/org/apache/camel/component/ssh/SshConfiguration.java b/components/camel-ssh/src/main/java/org/apache/camel/component/ssh/SshConfiguration.java
index 896e66a..85c061a 100644
--- a/components/camel-ssh/src/main/java/org/apache/camel/component/ssh/SshConfiguration.java
+++ b/components/camel-ssh/src/main/java/org/apache/camel/component/ssh/SshConfiguration.java
@@ -44,8 +44,8 @@ public class SshConfiguration implements Cloneable {
private String pollCommand;
@UriParam(label = "security")
private KeyPairProvider keyPairProvider;
- @UriParam(label = "security", defaultValue = KeyPairProvider.SSH_RSA)
- private String keyType = KeyPairProvider.SSH_RSA;
+ @UriParam(label = "security")
+ private String keyType;
@UriParam(label = "security")
private String certResource;
@UriParam(defaultValue = "30000")
@@ -60,7 +60,7 @@ public class SshConfiguration implements Cloneable {
private String shellPrompt;
@UriParam(label = "advanced", defaultValue = "100")
private long sleepForShellPrompt;
-
+
public SshConfiguration() {
}
@@ -290,7 +290,7 @@ public class SshConfiguration implements Cloneable {
public void setFailOnUnknownHost(boolean failOnUnknownHost) {
this.failOnUnknownHost = failOnUnknownHost;
}
-
+
public String getChannelType() {
return channelType;
}
@@ -307,7 +307,7 @@ public class SshConfiguration implements Cloneable {
public void setChannelType(String channelType) {
this.channelType = channelType;
}
-
+
public String getShellPrompt() {
return shellPrompt;
}
@@ -316,7 +316,7 @@ public class SshConfiguration implements Cloneable {
* Sets the shellPrompt to be dropped when response is read after command execution
*
* @param shellPrompt
- * String defining ending string of command line which has to be dropped when response is
+ * String defining ending string of command line which has to be dropped when response is
* read after command execution.
*/
public void setShellPrompt(String shellPrompt) {
diff --git a/components/camel-ssh/src/main/java/org/apache/camel/component/ssh/SshHelper.java b/components/camel-ssh/src/main/java/org/apache/camel/component/ssh/SshHelper.java
index 154151f..d5ae2fe 100644
--- a/components/camel-ssh/src/main/java/org/apache/camel/component/ssh/SshHelper.java
+++ b/components/camel-ssh/src/main/java/org/apache/camel/component/ssh/SshHelper.java
@@ -24,6 +24,7 @@ import java.io.PipedOutputStream;
import java.io.UnsupportedEncodingException;
import java.security.KeyPair;
import java.util.Arrays;
+import java.util.Iterator;
import java.util.Map;
import java.util.Set;
@@ -41,12 +42,12 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public final class SshHelper {
-
+
protected static final Logger LOG = LoggerFactory.getLogger(SshHelper.class);
-
+
private SshHelper() {
}
-
+
public static SshResult sendExecCommand(Map<String, Object> headers, String command, SshEndpoint endpoint, SshClient client) throws Exception {
SshConfiguration configuration = endpoint.getConfiguration();
@@ -73,11 +74,11 @@ public final class SshHelper {
ClientChannel channel = null;
ClientSession session = null;
-
+
try {
AuthFuture authResult;
session = connectFuture.getSession();
-
+
KeyPairProvider keyPairProvider;
final String certResource = configuration.getCertResource();
if (certResource != null) {
@@ -90,7 +91,17 @@ public final class SshHelper {
// either provide a keypair or password identity first
if (keyPairProvider != null) {
LOG.debug("Attempting to authenticate username '{}' using a key identity", userName);
- KeyPair pair = keyPairProvider.loadKey(configuration.getKeyType());
+ KeyPair pair = null;
+ // If we have no configured key type then just use the first keypair
+ if (configuration.getKeyType() == null) {
+ Iterator<KeyPair> iterator = keyPairProvider.loadKeys().iterator();
+ if (iterator.hasNext()) {
+ pair = iterator.next();
+ }
+ } else {
+ pair = keyPairProvider.loadKey(configuration.getKeyType());
+ }
+
session.addPublicKeyIdentity(pair);
} else {
String password = configuration.getPassword();
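Review bot: `pair` can still be null when it reaches `session.addPublicKeyIdentity(pair)` — the new branch leaves it unset when `loadKeys()` yields nothing, and the `loadKey(keyType)` path presumably still returns null for a type the provider does not hold, as before. Whatever the SSHD client does with a null identity, the resulting error will not name the misconfigured certResource or keyType, so fail explicitly before adding the identity: `if (pair == null) { throw new RuntimeCamelException("No key pair available for username " + userName + " (keyType=" + configuration.getKeyType() + ")"); }`. Since the selected key now depends on the provider's iteration order when keyType is unset, it would also help operators to record the choice, e.g. `LOG.debug("Using key pair with algorithm {}", pair.getPublic().getAlgorithm());`. sendExecCommand starts before and ends after this hunk.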
@@ -108,15 +119,15 @@ public final class SshHelper {
authResult = session.auth();
authResult.await(configuration.getTimeout());
-
+
if (!authResult.isDone() || authResult.isFailure()) {
LOG.debug("Failed to authenticate");
throw new RuntimeCamelException("Failed to authenticate username " + configuration.getUsername());
}
-
+
InputStream in = null;
PipedOutputStream reply = new PipedOutputStream();
-
+
// for now only two channel types are supported
// shell option is added for specific purpose for now
// may need further maintainance for further use cases
@@ -131,10 +142,10 @@ public final class SshHelper {
}
channel.setIn(in);
-
+
ByteArrayOutputStream out = new ByteArrayOutputStream();
channel.setOut(out);
-
+
ByteArrayOutputStream err = new ByteArrayOutputStream();
channel.setErr(err);
OpenFuture openFuture = channel.open();
@@ -163,12 +174,12 @@ public final class SshHelper {
if (channel != null) {
channel.close(true);
}
- // need to make sure the session is closed
+ // need to make sure the session is closed
if (session != null) {
session.close(false);
}
}
-
+
}
private static String getPrompt(ClientChannel channel, ByteArrayOutputStream output, SshEndpoint endpoint)
diff --git a/components/camel-ssh/src/test/java/org/apache/camel/component/ssh/SshComponentSecurityTest.java b/components/camel-ssh/src/test/java/org/apache/camel/component/ssh/SshComponentSecurityTest.java
index 9c96dd4..d9ab553 100644
--- a/components/camel-ssh/src/test/java/org/apache/camel/component/ssh/SshComponentSecurityTest.java
+++ b/components/camel-ssh/src/test/java/org/apache/camel/component/ssh/SshComponentSecurityTest.java
@@ -52,6 +52,19 @@ public class SshComponentSecurityTest extends SshComponentTestSupport {
assertMockEndpointsSatisfied();
}
+ @Test
+ public void testECFile() throws Exception {
+ final String msg = "test";
+
+ MockEndpoint mock = getMockEndpoint("mock:ecFile");
+ mock.expectedMinimumMessageCount(1);
+ mock.expectedBodiesReceived(msg);
+
+ template.sendBody("direct:ssh-ecFile", msg);
+
+ assertMockEndpointsSatisfied();
+ }
+
@Override
protected RouteBuilder createRouteBuilder() throws Exception {
return new RouteBuilder() {
@@ -77,6 +90,10 @@ public class SshComponentSecurityTest extends SshComponentTestSupport {
from("direct:ssh-rsaFile")
.to("ssh://smx@localhost:" + port + "?certResource=file:src/test/resources/hostkey.pem")
.to("mock:rsaFile");
+
+ from("direct:ssh-ecFile")
+ .to("ssh://smx@localhost:" + port + "?certResource=file:src/test/resources/ec.pem")
+ .to("mock:ecFile");
}
};
}
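Review bot: The new route only exercises the `keyType == null` branch added to SshHelper; nothing in this commit covers explicitly setting keyType for a non-RSA key, which is the `loadKey(...)` path that remains. The DER in ec.pem appears to encode a P-521 key (curve OID 1.3.132.0.35), so a second route such as `.to("ssh://smx@localhost:" + port + "?certResource=file:src/test/resources/ec.pem&keyType=ecdsa-sha2-nistp521")` feeding a separate mock would pin the explicit-type path as well. createRouteBuilder starts before this hunk.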
diff --git a/components/camel-ssh/src/test/resources/ec.pem b/components/camel-ssh/src/test/resources/ec.pem
new file mode 100644
index 0000000..5cfea18
--- /dev/null
+++ b/components/camel-ssh/src/test/resources/ec.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB5Twq2mxiOAieZslZlOkOG1Pi4PEmAWJ78+bRLAV7Q4F5Nd4u0bAd
+zGIEMFARoeVb/2C8ZFjNhL8xgOUPWJqY316gBwYFK4EEACOhgYkDgYYABADMulfT
+EOAzU9gsMEfrOuTJj9J8c4SNaAeeUb6uDHYfKPnYvfMJrBcGlnRePjJjeWpGHOyk
+qB8NYpCFk/TPgYFGpQGpz51EZngsQwpEEQXw/jzBHZsVOdrTADYu09Cy/AMLu3wA
+naQ5rWm41G3eC8mfZ1Q0BQ7Fc0K103mxlayEM605jw==
+-----END EC PRIVATE KEY-----
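Review bot: This commits a private key to the repository permanently; as a throwaway test fixture that is acceptable, but it will trip secret scanners and must never be reused anywhere else, and a PEM file has no comment syntax to say so. Either state in SshComponentSecurityTest (or the test resources README) that ec.pem is a disposable key generated only for this test, or avoid committing key material by generating an EC key pair at test setup, e.g. `KeyPairGenerator.getInstance("EC")`, and writing it to a temporary file for the route.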
diff --git a/docs/components/modules/ROOT/pages/ssh-component.adoc b/docs/components/modules/ROOT/pages/ssh-component.adoc
index 23aceb5..3215588 100644
--- a/docs/components/modules/ROOT/pages/ssh-component.adoc
+++ b/docs/components/modules/ROOT/pages/ssh-component.adoc
@@ -115,7 +115,7 @@ with the following path and query parameters:
| *useFixedDelay* (scheduler) | Controls if fixed delay or fixed rate is used. See ScheduledExecutorService in JDK for details. | true | boolean
| *certResource* (security) | Sets the resource path of the certificate to use for Authentication. Will use ResourceHelperKeyPairProvider to resolve file based certificate, and depends on keyType setting. | | String
| *keyPairProvider* (security) | Sets the KeyPairProvider reference to use when connecting using Certificates to the remote SSH Server. | | KeyPairProvider
-| *keyType* (security) | Sets the key type to pass to the KeyPairProvider as part of authentication. KeyPairProvider.loadKey(...) will be passed this value. Defaults to ssh-rsa. | ssh-rsa | String
+| *keyType* (security) | Sets the key type to pass to the KeyPairProvider as part of authentication. KeyPairProvider.loadKey(...) will be passed this value. Defaults to ssh-rsa. | | String
| *password* (security) | Sets the password to use in connecting to remote SSH server. Requires keyPairProvider to be set to null. | | String
| *username* (security) | Sets the username to use in logging into the remote SSH server. | | String
|===
@@ -210,7 +210,7 @@ and which options are set.
set, and if so, use it to locate the referenced Public Key certificate
and use that for authentication.
2. If `certResource` is not set, it will look to see if a
-`keyPairProvider` has been set, and if so, it will use that to for
+`keyPairProvider` has been set, and if so, it will use that for
certificate based authentication.
3. If neither `certResource` nor `keyPairProvider` are set, it will use
the `username` and `password` options for authentication. Even though the `username`
diff --git a/platforms/spring-boot/components-starter/camel-ssh-starter/src/main/java/org/apache/camel/component/ssh/springboot/SshComponentConfiguration.java b/platforms/spring-boot/components-starter/camel-ssh-starter/src/main/java/org/apache/camel/component/ssh/springboot/SshComponentConfiguration.java
index 10cf71c..c0b305b 100644
--- a/platforms/spring-boot/components-starter/camel-ssh-starter/src/main/java/org/apache/camel/component/ssh/springboot/SshComponentConfiguration.java
+++ b/platforms/spring-boot/components-starter/camel-ssh-starter/src/main/java/org/apache/camel/component/ssh/springboot/SshComponentConfiguration.java
@@ -275,7 +275,7 @@ public class SshComponentConfiguration
* authentication. KeyPairProvider.loadKey(...) will be passed this
* value. Defaults to "ssh-rsa".
*/
- private String keyType = "ssh-rsa";
+ private String keyType;
/**
* Sets the timeout in milliseconds to wait in establishing the remote
* SSH server connection. Defaults to 30000 milliseconds.
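Review bot: The javadoc immediately above the changed field still says `value. Defaults to "ssh-rsa".`, which is no longer true now that the `= "ssh-rsa"` initializer is gone. This starter class looks generated from the setter javadoc in SshConfiguration, so the sentence should be fixed at its source (outside this diff) and regenerated — the same stale "Defaults to ssh-rsa" wording also appears on the new side of both ssh-component.adoc hunks in this commit. Suggested replacement: `value. If not set, the first key pair returned by the KeyPairProvider is used.`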