You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Lucian Burja (JIRA)" <ji...@apache.org> on 2019/07/25 14:19:00 UTC
[jira] [Updated] (WAGON-564) ssh connection failure since
'preferredAuthentications' is ignored if 'password' is missing
[ https://issues.apache.org/jira/browse/WAGON-564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lucian Burja updated WAGON-564:
-------------------------------
Description:
I am trying to upload a file via SSH with private key authentication, using the {{wagon-maven-plugin}} plugin. The Linux server that is also integrated with Kerberos (which I don't use).
Although I provide a valid {{privateKey}}, and I set {{<preferredAuthentications>publickey</preferredAuthentications>,}} the Kerberos authentication is always triggered.
While investigating, I have found the following root cause:
In settings.xml, for a {{<server>}} you can decide to use SSH key based authentication instead of username/password:
{code:java}
<server>
<id>myserver</id>
<username>bamboo</username>
<privateKey>...path to the file...</privateKey>
<configuration>
<preferredAuthentications>publickey</preferredAuthentications>
</configuration>
</server>
{code}
According to the documentation, this authentication option only works if you omit the {{password}} element, otherwise {{privateKey}} is ignored.
However, if {{password}} is omitted, then {{preferredAuthentications}} is ignored, as can be seen in {{AbstractJschWagon.java :: openConnectionInternal (line 254)}}
{code:java}
if ( authenticationInfo.getPassword() != null )
{
config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
{code}
Thus, in practice, if you use {{privateKey}} based authentication, you cannot control the {{PreferredAuthentications}} parameter, and the default value is used: {{gssapi-with-mic,publickey,password,keyboard-interactive}}. This triggers Kerberos based authentication as the first option.
A simple patch to solve this issue is to add to the lines above an else branch, like this:
{code:java}
if ( authenticationInfo.getPassword() != null )
{
config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
else if ( !"gssapi-with-mic,publickey,password,keyboard-interactive".equals( preferredAuthentications ) )
{
// if different then the default, always set
config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
{code}
or to remove the the surrounding if-statement all-together
was:
I am trying to upload a file via SSH, using the {{wagon-maven-plugin}} plugin, to a Linux server that is integrated with Kerberos. Although I provide a valid {{privateKey}}, and I set {{<preferredAuthentications>publickey</preferredAuthentications>,}} the Kerberos authentication is always triggered.
While investigating, I have found the following root cause:
In settings.xml, for a {{<server>}} you can decide to use SSH certificate based authentication instead of username/password:
{code:java}
<server>
<id>myserver</id>
<username>bamboo</username>
<privateKey>...path to the file...</privateKey>
<configuration>
<preferredAuthentications>publickey</preferredAuthentications>
</configuration>
</server>
{code}
According to the documentation, this authentication option only works if you omit the {{password}} element, otherwise {{privateKey}} is ignored.
However, if {{password}} is omitted, then {{preferredAuthentications}} is ignored, as can be seen in {{AbstractJschWagon.java :: openConnectionInternal (line 254)}}
{code:java}
if ( authenticationInfo.getPassword() != null )
{
config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
{code}
Thus, in practice, if you use {{privateKey}} based authentication, you cannot control the {{PreferredAuthentications}} parameter, and the default value is used: {{gssapi-with-mic,publickey,password,keyboard-interactive}}. This triggers Kerberos based authentication as the first option.
A simple patch to solve this issue is to add to the lines above an else branch, like this:
{code:java}
if ( authenticationInfo.getPassword() != null )
{
config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
else if ( !"gssapi-with-mic,publickey,password,keyboard-interactive".equals( preferredAuthentications ) )
{
// if different then the default, always set
config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
{code}
or to remove the the surrounding if-statement all-together
> ssh connection failure since 'preferredAuthentications' is ignored if 'password' is missing
> -------------------------------------------------------------------------------------------
>
> Key: WAGON-564
> URL: https://issues.apache.org/jira/browse/WAGON-564
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-ssh
> Affects Versions: 3.3.3
> Reporter: Lucian Burja
> Priority: Major
>
> I am trying to upload a file via SSH with private key authentication, using the {{wagon-maven-plugin}} plugin. The Linux server that is also integrated with Kerberos (which I don't use).
> Although I provide a valid {{privateKey}}, and I set {{<preferredAuthentications>publickey</preferredAuthentications>,}} the Kerberos authentication is always triggered.
> While investigating, I have found the following root cause:
> In settings.xml, for a {{<server>}} you can decide to use SSH key based authentication instead of username/password:
> {code:java}
> <server>
> <id>myserver</id>
> <username>bamboo</username>
> <privateKey>...path to the file...</privateKey>
> <configuration>
> <preferredAuthentications>publickey</preferredAuthentications>
> </configuration>
> </server>
> {code}
> According to the documentation, this authentication option only works if you omit the {{password}} element, otherwise {{privateKey}} is ignored.
> However, if {{password}} is omitted, then {{preferredAuthentications}} is ignored, as can be seen in {{AbstractJschWagon.java :: openConnectionInternal (line 254)}}
> {code:java}
> if ( authenticationInfo.getPassword() != null )
> {
> config.setProperty( "PreferredAuthentications", preferredAuthentications );
> }
> {code}
>
> Thus, in practice, if you use {{privateKey}} based authentication, you cannot control the {{PreferredAuthentications}} parameter, and the default value is used: {{gssapi-with-mic,publickey,password,keyboard-interactive}}. This triggers Kerberos based authentication as the first option.
> A simple patch to solve this issue is to add to the lines above an else branch, like this:
> {code:java}
> if ( authenticationInfo.getPassword() != null )
> {
> config.setProperty( "PreferredAuthentications", preferredAuthentications );
> }
> else if ( !"gssapi-with-mic,publickey,password,keyboard-interactive".equals( preferredAuthentications ) )
> {
> // if different then the default, always set
> config.setProperty( "PreferredAuthentications", preferredAuthentications );
> }
> {code}
> or to remove the the surrounding if-statement all-together
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)