Posted to dev@mina.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2014/03/15 11:29:43 UTC

[jira] [Commented] (SSHD-300) Double public key authentication

    [ https://issues.apache.org/jira/browse/SSHD-300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13936121#comment-13936121 ] 

Guillaume Nodet commented on SSHD-300:
--------------------------------------

The reason for this behavior is that openssh client sends two requests, one without a key signature to verify that the public key is acceptable and the second one with the signature after having loaded the private key and signed some data for actual verification.
It should be possible to add a caching layer in UserAuthPublicKey so that the result of PublickeyAuthenticator#authenticate is cached for a given public key, though I'm not sure it is a good idea to always do that from a security point of view (caching is usually a bad idea in security, afaik).

> Double public key authentication
> --------------------------------
>
>                 Key: SSHD-300
>                 URL: https://issues.apache.org/jira/browse/SSHD-300
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 0.10.1
>            Reporter: David Ostrovsky
>            Priority: Minor
>         Attachments: 0001-Add-single-public-key-auth-unit-test.patch
>
>
> PublickeyAuthenticator.authenticate() method is called twice, even though the first call of this method already authenticated the user and returned true.
> This is a performance issue, as the server may need to hit a database/caches to retrieve the list of public key(s) for the user to perform the check against.
> Or the authenticate() implementation needs to be adjusted to perform the check that the user was already authenticated.
> Reproducer patch is attached. The problem only occurs when the test is called from the OpenSSH client. SSHD's own client works as expected.
> To reproduce, start the attached unit test as Java application, and issue the command:
>   ssh localhost -p 29418 -l joe
> [1] https://gerrit-review.googlesource.com/55193
>   
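A session-scoped cache of the kind Guillaume describes, as an added Python sketch that is not MINA SSHD code: it models the OpenSSH query-then-sign exchange, and the BackendAuthenticator, SessionScopedCache and embedded key store are constructed for the illustration.

```python
import hashlib
import time

# Constructed stand-in for the authorized-key store the real server would query.
AUTHORIZED_KEYS_DB = {"joe": {"ssh-ed25519 AAAAC3Nz...joe-laptop"}}

def fingerprint(public_key):
    # Cache on a digest of the key blob rather than the blob itself.
    return hashlib.sha256(public_key.encode()).hexdigest()

class BackendAuthenticator:
    # Plays the role of PublickeyAuthenticator#authenticate backed by a
    # database; counts calls so the effect of the cache is observable.
    def __init__(self, db):
        self.db, self.calls = db, 0

    def authenticate(self, username, public_key):
        self.calls += 1
        return public_key in self.db.get(username, set())

class SessionScopedCache:
    # Remembers the backend answer per (session, user, key) only while that
    # session lives and only for a short TTL, so a later revocation is not
    # ignored for long and no session reuses another session's lookup.
    def __init__(self, delegate, ttl=10.0):
        self.delegate, self.ttl, self._cache = delegate, ttl, {}

    def authenticate(self, session_id, username, public_key, now=None):
        now = time.monotonic() if now is None else now
        k = (session_id, username, fingerprint(public_key))
        hit = self._cache.get(k)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]
        ok = self.delegate.authenticate(username, public_key)
        self._cache[k] = (ok, now)
        return ok

    def close_session(self, session_id):
        for k in [k for k in self._cache if k[0] == session_id]:
            del self._cache[k]

def openssh_style_login(auth, session_id, username, public_key, signature_ok):
    # OpenSSH first asks whether the key is acceptable (no signature), then
    # sends the signed request; both reach the authenticator, but only the
    # second carries a signature and that check itself is never cached.
    if not auth.authenticate(session_id, username, public_key):  # query step
        return False
    return auth.authenticate(session_id, username, public_key) and signature_ok
```

Scoping the entry to one session and giving it a short TTL bounds how long a key removed from the backend would still be accepted, which is the concern raised in the comment above.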



--
This message was sent by Atlassian JIRA
(v6.2#6252)