Posted to dev@mina.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2015/02/11 17:40:14 UTC

[jira] [Resolved] (SSHD-372) Server doesn't reject connections that don't send client identification, has to time out

     [ https://issues.apache.org/jira/browse/SSHD-372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet resolved SSHD-372.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 0.14.0

https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commitdiff;h=709aa932748d5f6fe28b1d0bdb9d8f6659245694

> Server doesn't reject connections that don't send client identification, has to time out
> ----------------------------------------------------------------------------------------
>
>                 Key: SSHD-372
>                 URL: https://issues.apache.org/jira/browse/SSHD-372
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 0.14.0
>            Reporter: Robin Stocker
>            Assignee: Guillaume Nodet
>             Fix For: 0.14.0
>
>
> Given a client that incorrectly tries to connect to Mina SSHD using HTTP (such as a Git client using an incorrect remote URL), Mina SSHD is much less strict than OpenSSH.
> OpenSSH immediately closes the connection:
> {noformat}
> $ curl -v http://127.0.0.1:4722/                             
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:4722
> > Accept: */*
> > 
> SSH-2.0-OpenSSH_6.6.1
> Protocol mismatch.
> * Connection #0 to host 127.0.0.1 left intact
> $
> {noformat}
> Mina SSHD (master) waits for further input, and the connection is only closed when the auth timeout is reached (2 minutes currently):
> {noformat}
> $ curl -v http://127.0.0.1:51328/
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:51328
> > Accept: */*
> > 
> SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
> {noformat}
> (In 0.9, there was also a bug that caused the auth timeout to never be triggered, but that seems to have been fixed in 0.10 due to the work on SSHD-282.)
> The code for this is in {{AbstractSession#doReadIdentification}}. I'm not sure if it should be as strict as OpenSSH ([which only looks at the first line|https://github.com/openssh/openssh-portable/blob/146218ac11a1eb0dcade6f793d7acdef163b5ddc/sshd.c#L472]), but maybe it would be worth making this configurable.
> A workaround is possible by providing a custom {{SessionFactory}} and {{ServerSession}} and overriding {{doReadIdentification}}.
> For background, see this Stash issue: https://jira.atlassian.com/browse/STASH-5480



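The strict behaviour the issue describes for OpenSSH, judging the client by its first line only, can be expressed as a check that runs on whatever bytes have arrived so far and rejects as soon as they cannot be an SSH identification, instead of waiting for the auth timeout. This is an added example, not MINA SSHD code or the committed fix: the class and method names are hypothetical, the inputs are constructed, and the "SSH-2.0-" prefix and 255-byte line limit are taken from RFC 4253 section 4.2.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example, not MINA SSHD code: strict check of the client's first line.
public class StrictIdentificationCheck {
    enum Result { NEED_MORE, ACCEPT, REJECT }

    static final byte[] PREFIX = "SSH-2.0-".getBytes(StandardCharsets.US_ASCII);
    static final int MAX_LINE = 255; // RFC 4253 section 4.2, CR LF included

    // Decide from the bytes received so far whether to keep reading,
    // go on to key exchange, or close the connection.
    static Result check(byte[] buf, int len) {
        // Reject as soon as the data diverges from "SSH-2.0-"; an HTTP
        // request fails here on its very first byte.
        int n = Math.min(len, PREFIX.length);
        for (int i = 0; i < n; i++) {
            if (buf[i] != PREFIX[i]) return Result.REJECT;
        }
        // Only the first line counts: look for its terminating LF.
        for (int i = 0; i < len && i < MAX_LINE; i++) {
            if (buf[i] == '\n') {
                int end = (i > 0 && buf[i - 1] == '\r') ? i - 1 : i;
                // An identification with an empty software version is rejected.
                return end > PREFIX.length ? Result.ACCEPT : Result.REJECT;
            }
        }
        // No line end yet: wait for more data unless the limit is exceeded.
        return len >= MAX_LINE ? Result.REJECT : Result.NEED_MORE;
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed sample inputs
            "GET / HTTP/1.1\r\nHost: 127.0.0.1:51328\r\n\r\n",
            "SSH-2.0-OpenSSH_6.6.1\r\n",
            "SSH-2",
            "SSH-1.5-legacy\r\n",
        };
        for (String s : samples) {
            byte[] b = s.getBytes(StandardCharsets.US_ASCII);
            System.out.println(check(b, b.length) + "  <- " + s.trim().split("\r\n")[0]);
        }
        byte[] longLine = new byte[300];
        Arrays.fill(longLine, (byte) 'a');
        System.arraycopy(PREFIX, 0, longLine, 0, PREFIX.length);
        System.out.println(check(longLine, longLine.length) + "  <- 300 bytes without a line end");
    }
}
```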