You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Thomas Wolf (Jira)" <ji...@apache.org> on 2022/08/19 17:26:00 UTC
[jira] [Commented] (SSHD-1291) Protocol violation when using async PublicKey auth
[ https://issues.apache.org/jira/browse/SSHD-1291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17581967#comment-17581967 ]
Thomas Wolf commented on SSHD-1291:
-----------------------------------
That is an interesting find.
* I have no idea what "asynchronous authentication" should be.
* I don't see any place in the Apache MINA sshd code that would throw an {{AsyncAuthException}} except in a test. So what {{PublickeyAuthenticator}} is used?
* The feature was added via SSHD-821, where apparently it was also unclear to another committer what this was about.
* The [commit|https://github.com/apache/mina-sshd/commit/5c1c8a9830ad] that added the feature says it was about "asynchronous keyboard authentication", not public key authentication. So why did it even add this exception to {{{}PublickeyAuthenticator{}}}?
* Your second trace seems to indicate that the server authenticated the user without having gotten a signature??
I do wonder whether this (mis-)feature is needed at all, or whether it could simply be removed completely.
> Protocol violation when using async PublicKey auth
> --------------------------------------------------
>
> Key: SSHD-1291
> URL: https://issues.apache.org/jira/browse/SSHD-1291
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.9.0
> Reporter: Evgeny Pasynkov
> Priority: Major
>
> Hi.
> I've noticed that SSHD server violates RFC 4252 section 7 (https://www.rfc-editor.org/rfc/rfc4252#section-7) when using asynchronous public key auth (which means throwing AsyncAuthException() from PublickeyAuthenticator implementation.
> Part of the client log when using sync approach
> {code}
> debug1: Next authentication method: publickey
> debug1: Offering public key:xxxxxxx RSA SHA256:yCES5R3fRyROO6W3GRfte9EelwXcM29IM3zOzsvwuv0
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 60
> debug1: Server accepts key: xxxxxxxx RSA SHA256:yCES5R3fRyROO6W3GRfte9EelwXcM29IM3zOzsvwuv0
> debug3: sign_and_send_pubkey: using publickey with RSA SHA256:yCES5R3fRyROO6W3GRfte9EelwXcM29IM3zOzsvwuv0
> debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:yCES5R3fRyROO6W3GRfte9EelwXcM29IM3zOzsvwuv0
> debug3: send packet: type 50
> debug3: receive packet: type 52
> Authenticated to localhost ([::1]:2224) using "publickey".
> {code}
> when using "async" approach:
> {code}
> debug1: Next authentication method: publickey
> debug1: Offering public key: xxxxxxxxxx RSA SHA256:yCES5R3fRyROO6W3GRfte9EelwXcM29IM3zOzsvwuv0
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 52
> Authenticated to localhost ([::1]:2224) using "publickey".
> {code}
> Please note that mandatory packet SSH_MSG_USERAUTH_PK_OK is missing.
> Though standard client tolerates this difference (at least OpenSSH_9.0p1), not all of them do this. Jsch failed to establish session
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org