Posted to commits@mina.apache.org by lg...@apache.org on 2016/02/26 09:35:58 UTC
[1/5] mina-sshd git commit: Separated AbstractClientSession#checkKeys
code into debuggable steps
Repository: mina-sshd
Updated Branches:
refs/heads/master c5826ae9c -> 94c608b71
Separated AbstractClientSession#checkKeys code into debuggable steps
Project: http://git-wip-us.apache.org/repos/asf/mina-sshd/repo
Commit: http://git-wip-us.apache.org/repos/asf/mina-sshd/commit/ad2b3c66
Tree: http://git-wip-us.apache.org/repos/asf/mina-sshd/tree/ad2b3c66
Diff: http://git-wip-us.apache.org/repos/asf/mina-sshd/diff/ad2b3c66
Branch: refs/heads/master
Commit: ad2b3c666ed94f71beed82721908622851764b1e
Parents: c5826ae
Author: Lyor Goldstein <ly...@gmail.com>
Authored: Fri Feb 26 10:33:44 2016 +0200
Committer: Lyor Goldstein <ly...@gmail.com>
Committed: Fri Feb 26 10:33:44 2016 +0200
----------------------------------------------------------------------
.../apache/sshd/client/session/AbstractClientSession.java | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/ad2b3c66/sshd-core/src/main/java/org/apache/sshd/client/session/AbstractClientSession.java
----------------------------------------------------------------------
diff --git a/sshd-core/src/main/java/org/apache/sshd/client/session/AbstractClientSession.java b/sshd-core/src/main/java/org/apache/sshd/client/session/AbstractClientSession.java
index 8d43053..382865b 100644
--- a/sshd-core/src/main/java/org/apache/sshd/client/session/AbstractClientSession.java
+++ b/sshd-core/src/main/java/org/apache/sshd/client/session/AbstractClientSession.java
@@ -23,6 +23,7 @@ import java.io.IOException;
import java.net.SocketAddress;
import java.nio.file.FileSystem;
import java.security.KeyPair;
+import java.security.PublicKey;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
@@ -497,8 +498,14 @@ public abstract class AbstractClientSession extends AbstractSession implements C
protected void checkKeys() throws SshException {
ServerKeyVerifier serverKeyVerifier = ValidateUtils.checkNotNull(getServerKeyVerifier(), "No server key verifier");
SocketAddress remoteAddress = ioSession.getRemoteAddress();
+ PublicKey serverKey = kex.getServerKey();
+ boolean verified = serverKeyVerifier.verifyServerKey(this, remoteAddress, serverKey);
+ if (log.isDebugEnabled()) {
+ log.debug("checkKeys({}) key={}-{}, verified={}",
+ this, KeyUtils.getKeyType(serverKey), KeyUtils.getFingerPrint(serverKey), verified);
+ }
- if (!serverKeyVerifier.verifyServerKey(this, remoteAddress, kex.getServerKey())) {
+ if (!verified) {
throw new SshException(SshConstants.SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE, "Server key did not validate");
}
}
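Review bot: A rejected host key is recorded only at debug level, so with default logging the `if (!verified)` branch throws without leaving the key type or fingerprint anywhere an operator would see them. From the client side a failed verification is what an interposed host or an unannounced key rotation looks like, so it deserves a warning in that branch, e.g. `log.warn("checkKeys({}) server key {}-{} rejected by verifier", this, KeyUtils.getKeyType(serverKey), KeyUtils.getFingerPrint(serverKey));`. Separately, the debug call passes `serverKey` to the `KeyUtils` helpers after the verifier has already run. If `kex.getServerKey()` can return null (not visible in this hunk), confirm those helpers tolerate null so that a logging failure cannot replace the `SshException`.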
[2/5] mina-sshd git commit: Clarified documentation for SSHD protocol
proxy encapsulation interfaces
Posted by lg...@apache.org.
Clarified documentation for SSHD protocol proxy encapsulation interfaces
Project: http://git-wip-us.apache.org/repos/asf/mina-sshd/repo
Commit: http://git-wip-us.apache.org/repos/asf/mina-sshd/commit/c37e81cb
Tree: http://git-wip-us.apache.org/repos/asf/mina-sshd/tree/c37e81cb
Diff: http://git-wip-us.apache.org/repos/asf/mina-sshd/diff/c37e81cb
Branch: refs/heads/master
Commit: c37e81cb1b8859ba37a97cbeda99f78746d3300e
Parents: ad2b3c6
Author: Lyor Goldstein <ly...@gmail.com>
Authored: Fri Feb 26 10:34:31 2016 +0200
Committer: Lyor Goldstein <ly...@gmail.com>
Committed: Fri Feb 26 10:34:31 2016 +0200
----------------------------------------------------------------------
.../apache/sshd/client/session/ClientProxyConnector.java | 3 ++-
.../org/apache/sshd/server/session/ServerProxyAcceptor.java | 9 +++++----
2 files changed, 7 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/c37e81cb/sshd-core/src/main/java/org/apache/sshd/client/session/ClientProxyConnector.java
----------------------------------------------------------------------
diff --git a/sshd-core/src/main/java/org/apache/sshd/client/session/ClientProxyConnector.java b/sshd-core/src/main/java/org/apache/sshd/client/session/ClientProxyConnector.java
index 3cd25ed..e5719ae 100644
--- a/sshd-core/src/main/java/org/apache/sshd/client/session/ClientProxyConnector.java
+++ b/sshd-core/src/main/java/org/apache/sshd/client/session/ClientProxyConnector.java
@@ -31,7 +31,8 @@ package org.apache.sshd.client.session;
public interface ClientProxyConnector {
/**
* Invoked just before the client identification is sent so that the
- * proxy can send the meta-data to its peer
+ * proxy can send the meta-data to its peer. Upon successful return
+ * the SSH identification line is sent and the protocol proceeds as usual.
*
* @param session The {@link ClientSession} instance
* @throws Exception If failed to send the data - which will also
http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/c37e81cb/sshd-core/src/main/java/org/apache/sshd/server/session/ServerProxyAcceptor.java
----------------------------------------------------------------------
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerProxyAcceptor.java b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerProxyAcceptor.java
index af6b444..cf6fac0 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerProxyAcceptor.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerProxyAcceptor.java
@@ -32,10 +32,10 @@ public interface ServerProxyAcceptor {
/**
* Invoked <U>before</U> any attempt is made to retrieve the SSH client
* identification data of the standard SSH protocol. The implementor should
- * extract whatever data it needs for the data buffer. <B>Note:</B> the method
+ * extract whatever data it needs from the data buffer. <B>Note:</B> the method
* may be called <U>several times</U> for the <U>same</U> session even though
- * the original proxy data was successfully extracted, in case the client
- * identification line following it is incomplete and thus requires waiting
+ * the original proxy data was successfully extracted. This happens in case the
+ * client identification line following it is incomplete and thus requires waiting
* for more incoming packets.
*
* @param session The {@link ServerSession} instance
@@ -45,7 +45,8 @@ public interface ServerProxyAcceptor {
* plus any new received data. If not enough information is available, the buffer's
* read position should be restored to its original value when the method was invoked.
* @return {@code true} if successfully extracted the remote client peer meta-data,
- * {@code false} if more data is required.
+ * {@code false} if more data is required. Upon successful return the buffer read
+ * position is assumed to indicate the first character of the SSH identification line
* @throws Exception If failed to correctly extract and parse the meta-data, in which
* case the session will be closed
*/
[4/5] mina-sshd git commit: Provide more logging information in
AbstractSession#doReadIdentification
Posted by lg...@apache.org.
Provide more logging information in AbstractSession#doReadIdentification
Project: http://git-wip-us.apache.org/repos/asf/mina-sshd/repo
Commit: http://git-wip-us.apache.org/repos/asf/mina-sshd/commit/2796c4cd
Tree: http://git-wip-us.apache.org/repos/asf/mina-sshd/tree/2796c4cd
Diff: http://git-wip-us.apache.org/repos/asf/mina-sshd/diff/2796c4cd
Branch: refs/heads/master
Commit: 2796c4cd1a8256408cb219a378afab9ee58a6525
Parents: 0f5d117
Author: Lyor Goldstein <ly...@gmail.com>
Authored: Fri Feb 26 10:36:01 2016 +0200
Committer: Lyor Goldstein <ly...@gmail.com>
Committed: Fri Feb 26 10:36:01 2016 +0200
----------------------------------------------------------------------
.../common/session/helpers/AbstractSession.java | 29 ++++++++++++++++----
1 file changed, 24 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/2796c4cd/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
----------------------------------------------------------------------
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
index 6ad6c4b..384a99f 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
@@ -1380,27 +1380,45 @@ public abstract class AbstractSession extends AbstractKexFactoryManager implemen
buffer.rpos(rpos);
return null;
}
+
byte b = buffer.getByte();
+ /*
+ * According to RFC 4253 section 4.2:
+ *
+ * "The null character MUST NOT be sent"
+ */
+ if (b == 0) {
+ throw new IllegalStateException("Incorrect identification (null characters not allowed) - after " + new String(data, 0, pos, StandardCharsets.UTF_8));
+ }
if (b == '\r') {
needLf = true;
continue;
}
+
if (b == '\n') {
break;
}
+
if (needLf) {
- throw new IllegalStateException("Incorrect identification: bad line ending");
+ throw new IllegalStateException("Incorrect identification (bad line ending): " + new String(data, 0, pos, StandardCharsets.UTF_8));
}
+
if (pos >= data.length) {
- throw new IllegalStateException("Incorrect identification: line too long");
+ throw new IllegalStateException("Incorrect identification (line too long): " + new String(data, 0, pos, StandardCharsets.UTF_8));
}
+
data[pos++] = b;
}
String str = new String(data, 0, pos, StandardCharsets.UTF_8);
+ if (log.isDebugEnabled()) {
+ log.debug("doReadIdentification({}) line='{}'", this, str);
+ }
+
if (server || str.startsWith("SSH-")) {
return str;
}
+
if (buffer.rpos() > maxIdentSize) {
throw new IllegalStateException("Incorrect identification: too many header lines - size > " + maxIdentSize);
}
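Review bot: The new exception messages and the `log.debug("doReadIdentification({}) line='{}'", this, str)` call copy bytes received from the not-yet-authenticated peer straight into message text. The loop excludes only NUL, CR and LF, so other control characters such as terminal escape sequences would pass through to wherever these strings are logged. Decode once and neutralise non-printables before use, e.g. `String seen = new String(data, 0, pos, StandardCharsets.UTF_8).replaceAll("\\p{Cntrl}", "?");`, then reuse `seen` in the three `IllegalStateException` messages instead of repeating the `new String(...)` expression. The read loop and the method signature start outside this hunk, so the handler that eventually logs these exceptions is not visible here.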
@@ -1435,8 +1453,8 @@ public abstract class AbstractSession extends AbstractKexFactoryManager implemen
proposal.put(KexProposalOption.S2CCOMP, compressions);
proposal.put(KexProposalOption.C2SCOMP, compressions);
- proposal.put(KexProposalOption.S2CLANG, "");
- proposal.put(KexProposalOption.C2SLANG, "");
+ proposal.put(KexProposalOption.S2CLANG, ""); // TODO allow configuration
+ proposal.put(KexProposalOption.C2SLANG, ""); // TODO allow configuration
return proposal;
}
@@ -1445,7 +1463,8 @@ public abstract class AbstractSession extends AbstractKexFactoryManager implemen
* This packet contains random data along with our proposal.
*
* @param proposal our proposal for key exchange negotiation
- * @return the sent packet which must be kept for later use
+ * @return the sent packet data which must be kept for later use
+ * when deriving the session keys
* @throws IOException if an error occurred sending the packet
*/
protected byte[] sendKexInit(Map<KexProposalOption, String> proposal) throws IOException {
[5/5] mina-sshd git commit: Restore original buffer read position in
AbstractServerSession#readIdentification if proxy acceptor returns incomplete
indication
Posted by lg...@apache.org.
Restore original buffer read position in AbstractServerSession#readIdentification if proxy acceptor returns incomplete indication
Project: http://git-wip-us.apache.org/repos/asf/mina-sshd/repo
Commit: http://git-wip-us.apache.org/repos/asf/mina-sshd/commit/94c608b7
Tree: http://git-wip-us.apache.org/repos/asf/mina-sshd/tree/94c608b7
Diff: http://git-wip-us.apache.org/repos/asf/mina-sshd/diff/94c608b7
Branch: refs/heads/master
Commit: 94c608b719d22f13c277f3d0c26429a5e6c6bc26
Parents: 2796c4c
Author: Lyor Goldstein <ly...@gmail.com>
Authored: Fri Feb 26 10:36:44 2016 +0200
Committer: Lyor Goldstein <ly...@gmail.com>
Committed: Fri Feb 26 10:36:44 2016 +0200
----------------------------------------------------------------------
.../java/org/apache/sshd/server/session/AbstractServerSession.java | 1 +
1 file changed, 1 insertion(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/94c608b7/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
----------------------------------------------------------------------
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java b/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
index fb66498..2c2bd01 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
@@ -281,6 +281,7 @@ public abstract class AbstractServerSession extends AbstractSession implements S
try {
boolean completed = acceptor.acceptServerProxyMetadata(this, buffer);
if (!completed) {
+ buffer.rpos(rpos); // restore original buffer position
return false; // more data required
}
} catch (Throwable t) {
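Review bot: Nothing in this hunk limits how much data may accumulate while `acceptServerProxyMetadata` keeps returning false, and the restore on the `!completed` path means the same bytes are re-presented to the acceptor with every new packet. If no cap exists elsewhere in `readIdentification` (the method, the declaration of `rpos` and the body of the `catch` are all outside the hunk), a peer that never completes the proxy header can keep the session waiting and the buffer growing. Consider a bound before `return false`, e.g. `if (buffer.available() > <max-proxy-header-size>) { throw new IllegalStateException("Proxy metadata too long"); }`, where the limit is a placeholder for a configured value. The inline comment could also say that the restore enforces the read-position rule stated in the `ServerProxyAcceptor` Javadoc, so implementors know the caller no longer relies on them for it.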
[3/5] mina-sshd git commit: Renamed SftpSubsystem methods that
implement hardlink@openssh.com extension to match other similar naming
convention
Posted by lg...@apache.org.
Renamed SftpSubsystem methods that implement hardlink@openssh.com extension to match other similar naming convention
Project: http://git-wip-us.apache.org/repos/asf/mina-sshd/repo
Commit: http://git-wip-us.apache.org/repos/asf/mina-sshd/commit/0f5d1172
Tree: http://git-wip-us.apache.org/repos/asf/mina-sshd/tree/0f5d1172
Diff: http://git-wip-us.apache.org/repos/asf/mina-sshd/diff/0f5d1172
Branch: refs/heads/master
Commit: 0f5d1172fc39d46ae7d0ecc576fddb59f00f11a6
Parents: c37e81c
Author: Lyor Goldstein <ly...@gmail.com>
Authored: Fri Feb 26 10:35:26 2016 +0200
Committer: Lyor Goldstein <ly...@gmail.com>
Committed: Fri Feb 26 10:35:26 2016 +0200
----------------------------------------------------------------------
.../apache/sshd/server/subsystem/sftp/SftpSubsystem.java | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/0f5d1172/sshd-core/src/main/java/org/apache/sshd/server/subsystem/sftp/SftpSubsystem.java
----------------------------------------------------------------------
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/subsystem/sftp/SftpSubsystem.java b/sshd-core/src/main/java/org/apache/sshd/server/subsystem/sftp/SftpSubsystem.java
index 6f4185b..40ff2a2 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/subsystem/sftp/SftpSubsystem.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/subsystem/sftp/SftpSubsystem.java
@@ -602,7 +602,7 @@ public class SftpSubsystem
doSpaceAvailable(buffer, id);
break;
case HardLinkExtensionParser.NAME:
- doHardLink(buffer, id);
+ doOpenSSHHardLink(buffer, id);
break;
default:
if (log.isDebugEnabled()) {
@@ -613,12 +613,13 @@ public class SftpSubsystem
}
}
- protected void doHardLink(Buffer buffer, int id) throws IOException {
+ // see https://github.com/openssh/openssh-portable/blob/master/PROTOCOL section 10
+ protected void doOpenSSHHardLink(Buffer buffer, int id) throws IOException {
String srcFile = buffer.getString();
String dstFile = buffer.getString();
try {
- doHardLink(id, srcFile, dstFile);
+ doOpenSSHHardLink(id, srcFile, dstFile);
} catch (IOException | RuntimeException e) {
sendStatus(BufferUtils.clear(buffer), id, e);
return;
@@ -627,9 +628,9 @@ public class SftpSubsystem
sendStatus(BufferUtils.clear(buffer), id, SftpConstants.SSH_FX_OK, "");
}
- protected void doHardLink(int id, String srcFile, String dstFile) throws IOException {
+ protected void doOpenSSHHardLink(int id, String srcFile, String dstFile) throws IOException {
if (log.isDebugEnabled()) {
- log.debug("doHardLink({})[id={}] SSH_FXP_EXTENDED[{}] (src={}, dst={})",
+ log.debug("doOpenSSHHardLink({})[id={}] SSH_FXP_EXTENDED[{}] (src={}, dst={})",
getServerSession(), id, HardLinkExtensionParser.NAME, srcFile, dstFile);
}