Posted to commits@mina.apache.org by tw...@apache.org on 2021/10/24 18:58:21 UTC

[mina-sshd] branch master updated: Allow using an SSH agent without agent forwarding

This is an automated email from the ASF dual-hosted git repository.

twolf pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git


The following commit(s) were added to refs/heads/master by this push:
     new 402918e  Allow using an SSH agent without agent forwarding
402918e is described below

commit 402918e03d22f86de77eb3270c8376cc0cb4e06e
Author: Thomas Wolf <tw...@apache.org>
AuthorDate: Sun Oct 24 19:55:12 2021 +0200

    Allow using an SSH agent without agent forwarding
    
    It's quite possible to use an SSH agent without agent forwarding.
    Apache MINA sshd should not require ChannelForwardingFactories being
    implemented by the SshAgentFactory. If it does, fine; if it does not,
    it's also fine and agent forwarding will simply not be available.
    
    Agent forwarding comes with a well-known security risk: root on the
    server could abuse the forwarded agent. Using the more modern
    ProxyJump feature it's possible to connect through jump hosts without
    agent forwarding (and without needing to put keys onto the jump host).
    
    So give users the option of providing an SshAgentFactory that only
    implements createClient(), but that returns null or an empty list from
    getChannelForwardingFactories().
---
 .../org/apache/sshd/agent/SshAgentFactory.java     |  5 ++--
 .../java/org/apache/sshd/client/SshClient.java     | 30 ++++++++++------------
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/sshd-core/src/main/java/org/apache/sshd/agent/SshAgentFactory.java b/sshd-core/src/main/java/org/apache/sshd/agent/SshAgentFactory.java
index a528d58..0eac17e 100644
--- a/sshd-core/src/main/java/org/apache/sshd/agent/SshAgentFactory.java
+++ b/sshd-core/src/main/java/org/apache/sshd/agent/SshAgentFactory.java
@@ -33,10 +33,11 @@ public interface SshAgentFactory {
 
     /**
      * The channels are requested by the ssh server when forwarding a client request. The channel will receive agent
-     * requests and need to forward them to the agent, either local or through another proxy.
+     * requests and needs to forward them to the agent, either local or through another proxy.
      *
      * @param  manager The {@link FactoryManager} through which the request is made
-     * @return         The {@link ChannelFactory}-ies used to create channels on the client side
+     * @return         The {@link ChannelFactory}-ies used to create channels for agent forwarding on the client side.
+     *                 If {@code null} or empty, agent forwarding is not available.
      */
     List<ChannelFactory> getChannelForwardingFactories(FactoryManager manager);
 
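Review bot: The new `@return` text makes `null` a legal result, so every caller of `getChannelForwardingFactories` has to be null-safe, not only the one adjusted in `SshClient` by this commit. Callers outside this diff are not visible here and should be checked. The Javadoc could steer implementers toward the empty list, for example `If empty (or {@code null}), agent forwarding is not available; implementations should prefer an empty list.`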
diff --git a/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java b/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java
index 015ded1..3329658 100644
--- a/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java
+++ b/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java
@@ -403,25 +403,23 @@ public class SshClient extends AbstractFactoryManager implements ClientFactoryMa
             setKeyIdentityProvider(idsWatcher);
         }
 
-        // Register the additional agent forwarding channel if needed
+        // Register the additional agent forwarding channel(s) if needed
         SshAgentFactory agentFactory = getAgentFactory();
         if (agentFactory != null) {
-            List<ChannelFactory> forwarders = ValidateUtils.checkNotNullAndNotEmpty(
-                    agentFactory.getChannelForwardingFactories(this),
-                    "No agent channel forwarding factories for %s",
-                    agentFactory);
-            List<? extends ChannelFactory> factories = getChannelFactories();
-            if (GenericUtils.isEmpty(factories)) {
-                factories = forwarders;
-            } else {
-                // create a copy in case un-modifiable original
-                List<ChannelFactory> factories2 = new ArrayList<>(factories.size() + forwarders.size());
-                factories2.addAll(factories);
-                factories2.addAll(forwarders);
-                factories = factories2;
+            List<ChannelFactory> forwarders = agentFactory.getChannelForwardingFactories(this);
+            if (!GenericUtils.isEmpty(forwarders)) {
+                List<? extends ChannelFactory> factories = getChannelFactories();
+                if (GenericUtils.isEmpty(factories)) {
+                    factories = forwarders;
+                } else {
+                    // create a copy in case un-modifiable original
+                    List<ChannelFactory> factories2 = new ArrayList<>(factories.size() + forwarders.size());
+                    factories2.addAll(factories);
+                    factories2.addAll(forwarders);
+                    factories = factories2;
+                }
+                setChannelFactories(factories);
             }
-
-            setChannelFactories(factories);
         }
 
         if (GenericUtils.isEmpty(getServiceFactories())) {
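Review bot: When `getChannelForwardingFactories(this)` returns null or an empty list, the new `if (!GenericUtils.isEmpty(forwarders))` skips registration without leaving any trace, whereas the removed `ValidateUtils.checkNotNullAndNotEmpty` call failed fast. A factory that returns nothing by mistake now produces a client on which agent forwarding is simply absent, and that presumably surfaces only later, when a forwarding channel is refused. An `else` branch with a debug-level message such as `log.debug("No agent forwarding channel factories from {}; agent forwarding disabled", agentFactory);` would make the decision visible at setup time, assuming a logger is in scope in this class (not shown here). The enclosing method starts and ends outside the hunk.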