Posted to commits@mina.apache.org by lg...@apache.org on 2020/08/01 08:10:42 UTC

[mina-sshd] branch master updated (f5b2617 -> 6361993)

This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git.


    from f5b2617  [SSHD-1026] Improve build reproductibility (#155)
     new 44e3903  [SSHD-1004] Deprecate SHA-1 based key exchanges from default setup
     new 54ebb1a  [SSHD-1004] Deprecated SHA-1 based signatures from default setup
     new 04081d7  [SSHD-1004] Deprecate MD5-based and truncated HMAC algorithms from default setup.
     new 14f72e6  [SSHD-1004] Allow ssh-rsa signatures
     new adf96e7  [SSHD-1004] Generate an ECDSA host key by default in SshServerMain
     new 6361993  Added server subsystem CLI option value parsing to allow specifying internal SFTP subsystem

The 6 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 CHANGES.md                                         | 10 ++-
 README.md                                          | 21 +++++-
 .../sshd/cli/server/SshServerCliSupport.java       | 10 ++-
 .../src/main}/resources/.gitignore                 |  0
 .../src/test/resources/log4j.properties            |  2 +-
 .../sshd/client/config/hosts/HostConfigEntry.java  |  3 +-
 .../AbstractGeneratorHostKeyProvider.java          | 22 +++++--
 .../AbstractGeneratorHostKeyProviderTest.java      |  1 -
 .../sshd/util/test/CommonTestSupportUtils.java     |  6 +-
 sshd-core/pom.xml                                  |  6 ++
 .../java/org/apache/sshd/client/ClientBuilder.java | 35 ----------
 .../java/org/apache/sshd/common/BaseBuilder.java   | 34 +++++++---
 .../java/org/apache/sshd/server/ServerBuilder.java | 27 --------
 .../org/apache/sshd/DefaultSetupTestSupport.java   | 74 ++++++++++++++++++++--
 .../java/org/apache/sshd/KeyReExchangeTest.java    |  2 +-
 .../src/test/java/org/apache/sshd/LoadTest.java    | 12 +++-
 .../java/org/apache/sshd/client/ClientTest.java    | 19 ++++--
 .../java/org/apache/sshd/client/kex/KexTest.java   |  4 +-
 .../org/apache/sshd/common/SshBuilderTest.java     | 39 ------------
 .../sshd/common/auth/AuthenticationTest.java       | 24 +++++--
 .../sshd/common/auth/SinglePublicKeyAuthTest.java  | 48 ++++++++------
 .../org/apache/sshd/common/cipher/CipherTest.java  |  2 +-
 .../sshd/common/compression/CompressionTest.java   |  2 +-
 .../common/config/SshConfigFileReaderTest.java     |  3 +-
 .../common/forward/ApacheServerJSchClientTest.java |  3 +-
 .../common/forward/PortForwardingLoadTest.java     |  6 +-
 .../sshd/common/forward/PortForwardingTest.java    |  2 +-
 .../sshd/common/mac/MacCompatibilityTest.java      | 19 +++++-
 .../common/signature/OpenSSHCertificateTest.java   |  7 +-
 .../common/signature/SignatureFactoriesTest.java   |  4 +-
 .../sshd/server/auth/AsyncAuthInteractiveTest.java |  7 ++
 .../org/apache/sshd/server/auth/AsyncAuthTest.java |  7 ++
 .../apache/sshd/server/auth/AsyncAuthTestBase.java |  5 +-
 .../org/apache/sshd/spring/SpringConfigTest.java   |  3 +-
 .../org/apache/sshd/util/test/BaseTestSupport.java |  8 +++
 .../sshd/util/test/CoreTestSupportUtils.java       | 37 +++++++++++
 .../auth/super-secret-passphrase-RSA-AES-128-key   | 30 ---------
 .../super-secret-passphrase-RSA-AES-128-key.pub    |  1 -
 .../common/auth/super-secret-passphrase-ec256-key  | 10 +++
 .../auth/super-secret-passphrase-ec256-key.pub     |  1 +
 .../java/org/apache/sshd/scp/client/ScpTest.java   | 19 +++++-
 .../sftp/client/AbstractSftpClientTestSupport.java |  2 +-
 .../ApacheSshdSftpSessionFactoryTest.java          |  4 +-
 43 files changed, 364 insertions(+), 217 deletions(-)
 copy {sshd-putty/src/test => sshd-cli/src/main}/resources/.gitignore (100%)
 copy {sshd-scp => sshd-cli}/src/test/resources/log4j.properties (96%)
 delete mode 100644 sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-RSA-AES-128-key
 delete mode 100644 sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-RSA-AES-128-key.pub
 create mode 100644 sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-ec256-key
 create mode 100644 sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-ec256-key.pub


[mina-sshd] 02/06: [SSHD-1004] Deprecated SHA-1 based signatures from default setup

Posted by lg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit 54ebb1ad1bf8ad77697293cdd83ef8bfa093ac56
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Fri Jul 31 22:26:23 2020 +0300

    [SSHD-1004] Deprecated SHA-1 based signatures from default setup
---
 README.md                                          | 15 ++++++-
 .../AbstractGeneratorHostKeyProvider.java          | 20 ++++++---
 .../sshd/util/test/CommonTestSupportUtils.java     |  6 ++-
 sshd-core/pom.xml                                  |  6 +++
 .../java/org/apache/sshd/client/ClientBuilder.java | 35 ----------------
 .../java/org/apache/sshd/common/BaseBuilder.java   | 23 +++++++++++
 .../java/org/apache/sshd/server/ServerBuilder.java | 27 ------------
 .../org/apache/sshd/DefaultSetupTestSupport.java   | 17 ++++++++
 .../src/test/java/org/apache/sshd/LoadTest.java    | 12 +++++-
 .../java/org/apache/sshd/client/ClientTest.java    | 19 ++++++---
 .../org/apache/sshd/common/SshBuilderTest.java     | 11 -----
 .../sshd/common/auth/AuthenticationTest.java       | 24 +++++++----
 .../sshd/common/auth/SinglePublicKeyAuthTest.java  | 48 ++++++++++++++--------
 .../common/config/SshConfigFileReaderTest.java     |  3 +-
 .../common/forward/PortForwardingLoadTest.java     |  4 ++
 .../sshd/common/mac/MacCompatibilityTest.java      | 19 ++++++++-
 .../common/signature/OpenSSHCertificateTest.java   |  7 +++-
 .../common/signature/SignatureFactoriesTest.java   |  4 +-
 .../sshd/util/test/CoreTestSupportUtils.java       | 10 +++++
 .../auth/super-secret-passphrase-RSA-AES-128-key   | 30 --------------
 .../super-secret-passphrase-RSA-AES-128-key.pub    |  1 -
 .../common/auth/super-secret-passphrase-ec256-key  | 10 +++++
 .../auth/super-secret-passphrase-ec256-key.pub     |  1 +
 .../java/org/apache/sshd/scp/client/ScpTest.java   | 19 ++++++++-
 24 files changed, 218 insertions(+), 153 deletions(-)

diff --git a/README.md b/README.md
index 2369fb7..69eaa25 100644
--- a/README.md
+++ b/README.md
@@ -64,7 +64,7 @@ aes128-gcm@openssh.com, aes256-gcm@openssh.com
 , ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
 * **Compressions**: none, zlib, zlib@openssh.com
 * **Signatures/Keys**: ssh-dss, ssh-rsa, rsa-sha2-256, rsa-sha2-512, nistp256, nistp384, nistp521
-, ed25519 (requires `eddsa` optional module), sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com
+, ssh-ed25519 (requires `eddsa` optional module), sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com
 , ssh-rsa-cert-v01@openssh.com, ssh-dss-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com
 , ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com
 
@@ -78,6 +78,19 @@ the unsafe settings must do so **explicitly**. The following settings have been
 * [OpenSSH release notes](https://www.openssh.com/releasenotes.html) - usually a good indicator of de-facto practices
 * SHA-1 based key exchanges and signatures
 
+**Caveat:**: According to [RFC 8332 - section 3.31](https://tools.ietf.org/html/rfc8332#section-3.3)
+>>
+>> Implementation experience has shown that there are servers that apply authentication penalties to clients
+>> attempting public key algorithms that the SSH server does not support.
+>>
+>> When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension,
+>> clients MAY default to an "ssh-rsa" signature to avoid authentication penalties. When the new rsa-sha2-*
+>> algorithms have been sufficiently widely adopted to warrant disabling "ssh-rsa", clients MAY default to one of
+>> the new algorithms.
+
+This means that users that encounter this problem must modify the supported security settings **explicitly** in
+order to avoid the issue.
+
 # [Release notes](./CHANGES.md)
 
 # Core requirements
diff --git a/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java b/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java
index b431052..dbd9204 100644
--- a/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java
+++ b/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java
@@ -26,6 +26,7 @@ import java.nio.file.LinkOption;
 import java.nio.file.OpenOption;
 import java.nio.file.Path;
 import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.PublicKey;
@@ -303,14 +304,23 @@ public abstract class AbstractGeneratorHostKeyProvider
         if (keySpec != null) {
             generator.initialize(keySpec);
             log.info("generateKeyPair(" + algorithm + ") generating host key - spec=" + keySpec.getClass().getSimpleName());
-        } else if (keySize != 0) {
-            generator.initialize(keySize);
-            log.info("generateKeyPair(" + algorithm + ") generating host key - size=" + keySize);
         } else if (KeyUtils.EC_ALGORITHM.equals(algorithm)) {
+            ECCurves curve;
             // If left to our own devices choose the biggest key size possible
-            int numCurves = ECCurves.SORTED_KEY_SIZE.size();
-            ECCurves curve = ECCurves.SORTED_KEY_SIZE.get(numCurves - 1);
+            if (keySize == 0) {
+                int numCurves = ECCurves.SORTED_KEY_SIZE.size();
+                curve = ECCurves.SORTED_KEY_SIZE.get(numCurves - 1);
+            } else {
+                curve = ECCurves.fromCurveSize(keySize);
+                if (curve == null) {
+                    throw new InvalidKeyException("No match found for curve with key size=" + keySize);
+                }
+            }
             generator.initialize(curve.getParameters());
+            log.info("generateKeyPair(" + algorithm + ") generating host key=" + curve);
+        } else if (keySize != 0) {
+            generator.initialize(keySize);
+            log.info("generateKeyPair(" + algorithm + ") generating host key - size=" + keySize);
         }
 
         return generator.generateKeyPair();
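Review bot: When `keySpec` is null, `keySize` is 0 and the algorithm is not EC, none of the branches shown here calls `generator.initialize(...)`, so `generateKeyPair()` runs with whatever size the security provider defaults to and nothing is logged about it. For a host key that default matters, and on older JDKs the RSA/DSA default is, as far as I recall, weaker than what is acceptable today. I would add a final branch that at least records the fallback, e.g. `} else { log.warn("generateKeyPair(" + algorithm + ") no key size/spec - using provider default"); }`, or enforce an explicit minimum there. The method starts outside this hunk, so an earlier initialization may exist that is not visible here.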
diff --git a/sshd-common/src/test/java/org/apache/sshd/util/test/CommonTestSupportUtils.java b/sshd-common/src/test/java/org/apache/sshd/util/test/CommonTestSupportUtils.java
index 6f352af..d85e7d8 100644
--- a/sshd-common/src/test/java/org/apache/sshd/util/test/CommonTestSupportUtils.java
+++ b/sshd-common/src/test/java/org/apache/sshd/util/test/CommonTestSupportUtils.java
@@ -120,7 +120,10 @@ public final class CommonTestSupportUtils {
                             "target" /* Maven */,
                             "build" /* Gradle */));
 
-    public static final String DEFAULT_TEST_HOST_KEY_PROVIDER_ALGORITHM = KeyUtils.RSA_ALGORITHM;
+    public static final String DEFAULT_TEST_HOST_KEY_PROVIDER_ALGORITHM = KeyUtils.EC_ALGORITHM;
+    public static final int DEFAULT_TEST_HOST_KEY_SIZE = 256;
+    public static final String DEFAULT_TEST_HOST_KEY_TYPE = ECCurves.fromCurveSize(DEFAULT_TEST_HOST_KEY_SIZE).getKeyType();
+
     // uses a cached instance to avoid re-creating the keys as it is a time-consuming effort
     private static final AtomicReference<KeyPairProvider> KEYPAIR_PROVIDER_HOLDER = new AtomicReference<>();
     // uses a cached instance to avoid re-creating the keys as it is a time-consuming effort
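Review bot: `DEFAULT_TEST_HOST_KEY_TYPE` dereferences the result of `ECCurves.fromCurveSize(...)` inside a static initializer, and that lookup can return null (the host key provider change in this same commit checks for exactly that). If the size constant is ever changed to an unsupported value, the failure would surface as an `ExceptionInInitializerError` in every test that touches this utility class. Failing with a clear message is cheap: `Objects.requireNonNull(ECCurves.fromCurveSize(DEFAULT_TEST_HOST_KEY_SIZE), "No curve for test host key size").getKeyType()`. A one-line comment stating that algorithm, size and key type must be kept in step would also help.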
@@ -452,6 +455,7 @@ public final class CommonTestSupportUtils {
         SimpleGeneratorHostKeyProvider keyProvider = new SimpleGeneratorHostKeyProvider();
         keyProvider.setPath(Objects.requireNonNull(path, "No path"));
         keyProvider.setAlgorithm(DEFAULT_TEST_HOST_KEY_PROVIDER_ALGORITHM);
+        keyProvider.setKeySize(DEFAULT_TEST_HOST_KEY_SIZE);
         return validateKeyPairProvider(keyProvider);
     }
 
diff --git a/sshd-core/pom.xml b/sshd-core/pom.xml
index fa3b5f6..dd05c51 100644
--- a/sshd-core/pom.xml
+++ b/sshd-core/pom.xml
@@ -225,6 +225,12 @@
                                             <!-- deprecated -->
                                         <org.apache.sshd.registerBouncyCastle>false</org.apache.sshd.registerBouncyCastle>
                                     </systemProperties>
+                                    <excludes>
+                                            <!-- These tests fail inexplicably without Bouncycastle -->
+                                        <exclude>**/*LoadTest.java</exclude>
+                                        <exclude>**/SinglePublicKeyAuthTest.java</exclude>
+                                        <exclude>**/ClientTest.java</exclude>
+                                    </excludes>
                                 </configuration>
                             </execution>
                         </executions>
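Review bot: The new `<excludes>` drop `SinglePublicKeyAuthTest`, `ClientTest` and every `*LoadTest` from the execution that sets `registerBouncyCastle` to false, so public-key authentication with the new default signature list is no longer exercised on the plain-JCE path, and the only stated reason is that the tests fail inexplicably. The `ensureBouncycastleRegistered()` guards added to `LoadTest` and `ClientTest` later in this commit skip the same tests a second time, which makes two of these excludes redundant and the gap easier to overlook. The `**/*LoadTest.java` glob also appears to match `PortForwardingLoadTest`, which may be wider than intended. I would tie the comment to the ticket so the exclusion is tracked: `<!-- FIXME SSHD-1004: fail without Bouncycastle, cause unknown - remove these excludes once diagnosed -->`.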
diff --git a/sshd-core/src/main/java/org/apache/sshd/client/ClientBuilder.java b/sshd-core/src/main/java/org/apache/sshd/client/ClientBuilder.java
index 1e5b20a..4c9dc79 100644
--- a/sshd-core/src/main/java/org/apache/sshd/client/ClientBuilder.java
+++ b/sshd-core/src/main/java/org/apache/sshd/client/ClientBuilder.java
@@ -19,7 +19,6 @@
 
 package org.apache.sshd.client;
 
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.function.Function;
@@ -44,7 +43,6 @@ import org.apache.sshd.common.kex.DHFactory;
 import org.apache.sshd.common.kex.KeyExchange;
 import org.apache.sshd.common.kex.KeyExchangeFactory;
 import org.apache.sshd.common.session.ConnectionService;
-import org.apache.sshd.common.signature.BuiltinSignatures;
 import org.apache.sshd.common.signature.Signature;
 import org.apache.sshd.server.forward.ForwardedTcpipFactory;
 
@@ -52,39 +50,6 @@ import org.apache.sshd.server.forward.ForwardedTcpipFactory;
  * SshClient builder
  */
 public class ClientBuilder extends BaseBuilder<SshClient, ClientBuilder> {
-    /**
-     * Preferred {@link BuiltinSignatures} according to
-     * <A HREF="https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5">sshd_config(5)</A>
-     * {@code HostKeyAlgorithms} recommendation
-     */
-    public static final List<BuiltinSignatures> DEFAULT_SIGNATURE_PREFERENCE =
-    /*
-     * According to https://tools.ietf.org/html/rfc8332#section-3.3:
-     *
-     * Implementation experience has shown that there are servers that apply authentication penalties to clients
-     * attempting public key algorithms that the SSH server does not support.
-     *
-     * When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension,
-     * clients MAY default to an "ssh-rsa" signature to avoid authentication penalties. When the new rsa-sha2-*
-     * algorithms have been sufficiently widely adopted to warrant disabling "ssh-rsa", clients MAY default to one of
-     * the new algorithms.
-     *
-     * Therefore we do not include by default the "rsa-sha-*" signatures.
-     */
-            Collections.unmodifiableList(
-                    Arrays.asList(
-                            BuiltinSignatures.nistp256_cert,
-                            BuiltinSignatures.nistp384_cert,
-                            BuiltinSignatures.nistp521_cert,
-                            BuiltinSignatures.ed25519_cert,
-                            BuiltinSignatures.rsa_cert,
-                            BuiltinSignatures.dsa_cert,
-                            BuiltinSignatures.nistp256,
-                            BuiltinSignatures.nistp384,
-                            BuiltinSignatures.nistp521,
-                            BuiltinSignatures.ed25519,
-                            BuiltinSignatures.rsa,
-                            BuiltinSignatures.dsa));
 
     @SuppressWarnings("checkstyle:Indentation")
     public static final Function<DHFactory, KeyExchangeFactory> DH2KEX = factory -> factory == null
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
index 80b8a1b..d89cadd 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
@@ -43,6 +43,7 @@ import org.apache.sshd.common.random.SingletonRandomFactory;
 import org.apache.sshd.common.session.ConnectionService;
 import org.apache.sshd.common.session.UnknownChannelReferenceHandler;
 import org.apache.sshd.common.session.helpers.DefaultUnknownChannelReferenceHandler;
+import org.apache.sshd.common.signature.BuiltinSignatures;
 import org.apache.sshd.common.signature.Signature;
 import org.apache.sshd.common.util.ObjectBuilder;
 import org.apache.sshd.common.util.security.SecurityUtils;
@@ -112,6 +113,28 @@ public class BaseBuilder<T extends AbstractFactoryManager, S extends BaseBuilder
                     BuiltinMacs.hmacsha196,
                     BuiltinMacs.hmacmd596));
 
+    /**
+     * Preferred {@link BuiltinSignatures} according to
+     * <A HREF="http://man7.org/linux/man-pages/man5/sshd_config.5.html">sshd_config(5) - HostKeyAlgorithms</A>
+     * {@code HostKeyAlgorithms} recommendation
+     */
+    public static final List<BuiltinSignatures> DEFAULT_SIGNATURE_PREFERENCE = Collections.unmodifiableList(
+            Arrays.asList(
+                    BuiltinSignatures.nistp256_cert,
+                    BuiltinSignatures.nistp384_cert,
+                    BuiltinSignatures.nistp521_cert,
+                    BuiltinSignatures.ed25519_cert,
+                    BuiltinSignatures.rsaSHA512_cert,
+                    BuiltinSignatures.rsaSHA256_cert,
+                    BuiltinSignatures.nistp256,
+                    BuiltinSignatures.nistp384,
+                    BuiltinSignatures.nistp521,
+                    BuiltinSignatures.sk_ecdsa_sha2_nistp256,
+                    BuiltinSignatures.ed25519,
+                    BuiltinSignatures.sk_ssh_ed25519,
+                    BuiltinSignatures.rsaSHA512,
+                    BuiltinSignatures.rsaSHA256));
+
     public static final UnknownChannelReferenceHandler DEFAULT_UNKNOWN_CHANNEL_REFERENCE_HANDLER
             = DefaultUnknownChannelReferenceHandler.INSTANCE;
 
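Review bot: The Javadoc on `DEFAULT_SIGNATURE_PREFERENCE` does not say that `rsa`, `dsa`, `rsa_cert` and `dsa_cert` are left out deliberately, although that omission is the purpose of the list now that it serves both the client and the server builder. The RFC 8332 remark that sat on the removed `ClientBuilder` constant is gone from the code as well, so a maintainer debugging a peer that only offers `ssh-rsa` would presumably have to find the README to learn why negotiation fails. I would add a sentence to the Javadoc such as `SHA-1 based signatures (ssh-rsa, ssh-dss and their certificate variants) are intentionally excluded - see SSHD-1004; they must be enabled explicitly`.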
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/ServerBuilder.java b/sshd-core/src/main/java/org/apache/sshd/server/ServerBuilder.java
index 31acc1f..8f6478c 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/ServerBuilder.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/ServerBuilder.java
@@ -35,7 +35,6 @@ import org.apache.sshd.common.kex.DHFactory;
 import org.apache.sshd.common.kex.KeyExchange;
 import org.apache.sshd.common.kex.KeyExchangeFactory;
 import org.apache.sshd.common.session.ConnectionService;
-import org.apache.sshd.common.signature.BuiltinSignatures;
 import org.apache.sshd.common.signature.Signature;
 import org.apache.sshd.server.auth.keyboard.DefaultKeyboardInteractiveAuthenticator;
 import org.apache.sshd.server.auth.keyboard.KeyboardInteractiveAuthenticator;
@@ -84,32 +83,6 @@ public class ServerBuilder extends BaseBuilder<SshServer, ServerBuilder> {
                     BuiltinCompressions.zlib,
                     BuiltinCompressions.delayedZlib));
 
-    /**
-     * Preferred {@link BuiltinSignatures} according to
-     * <A HREF="http://man7.org/linux/man-pages/man5/sshd_config.5.html">sshd_config(5) - HostKeyAlgorithms</A>
-     * {@code HostKeyAlgorithms} recommendation
-     */
-    public static final List<BuiltinSignatures> DEFAULT_SIGNATURE_PREFERENCE = Collections.unmodifiableList(
-            Arrays.asList(
-                    BuiltinSignatures.nistp256_cert,
-                    BuiltinSignatures.nistp384_cert,
-                    BuiltinSignatures.nistp521_cert,
-                    BuiltinSignatures.ed25519_cert,
-                    BuiltinSignatures.rsaSHA512_cert,
-                    BuiltinSignatures.rsaSHA256_cert,
-                    BuiltinSignatures.rsa_cert,
-                    BuiltinSignatures.dsa_cert,
-                    BuiltinSignatures.nistp256,
-                    BuiltinSignatures.nistp384,
-                    BuiltinSignatures.nistp521,
-                    BuiltinSignatures.sk_ecdsa_sha2_nistp256,
-                    BuiltinSignatures.ed25519,
-                    BuiltinSignatures.sk_ssh_ed25519,
-                    BuiltinSignatures.rsaSHA512,
-                    BuiltinSignatures.rsaSHA256,
-                    BuiltinSignatures.rsa,
-                    BuiltinSignatures.dsa));
-
     protected PublickeyAuthenticator pubkeyAuthenticator;
     protected KeyboardInteractiveAuthenticator interactiveAuthenticator;
 
diff --git a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
index fa3b891..6c393f6 100644
--- a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
+++ b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
@@ -33,6 +33,8 @@ import org.apache.sshd.common.cipher.Cipher;
 import org.apache.sshd.common.helpers.AbstractFactoryManager;
 import org.apache.sshd.common.kex.BuiltinDHFactories;
 import org.apache.sshd.common.kex.KeyExchange;
+import org.apache.sshd.common.signature.BuiltinSignatures;
+import org.apache.sshd.common.signature.Signature;
 import org.apache.sshd.common.util.GenericUtils;
 import org.apache.sshd.util.test.BaseTestSupport;
 import org.apache.sshd.util.test.NoIoTestCase;
@@ -82,6 +84,21 @@ public abstract class DefaultSetupTestSupport<M extends AbstractFactoryManager>
                 KeyExchange.class.getSimpleName(), disallowed, factory.getKeyExchangeFactories());
     }
 
+    @Test
+    public void testDefaultSignaturesList() {
+        assertSameNamedFactoriesListInstances(
+                Signature.class.getSimpleName(), BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE, factory.getSignatureFactories());
+    }
+
+    @Test   // SSHD-1004
+    public void testNoDeprecatedSignatures() {
+        assertNoDeprecatedFactoryInstanceNames(Cipher.class.getSimpleName(),
+                EnumSet.of(BuiltinSignatures.rsa, BuiltinSignatures.rsa_cert, BuiltinSignatures.dsa,
+                        BuiltinSignatures.dsa_cert),
+                factory.getSignatureFactories());
+
+    }
+
     protected static void assertSameNamedResourceListNames(
             String hint, List<? extends NamedResource> expected, List<? extends NamedResource> actual) {
         int len = GenericUtils.size(expected);
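Review bot: `testNoDeprecatedSignatures` passes `Cipher.class.getSimpleName()` as the hint, which looks like a copy-paste from the cipher test, so a failure here would be reported as a Cipher problem. The first argument should be `Signature.class.getSimpleName()`, as in `testDefaultSignaturesList` just above it. The blank line before the method's closing brace can be dropped at the same time.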
diff --git a/sshd-core/src/test/java/org/apache/sshd/LoadTest.java b/sshd-core/src/test/java/org/apache/sshd/LoadTest.java
index cacf0dd..4948fe0 100644
--- a/sshd-core/src/test/java/org/apache/sshd/LoadTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/LoadTest.java
@@ -37,11 +37,14 @@ import org.apache.sshd.client.session.ClientSession;
 import org.apache.sshd.common.channel.Channel;
 import org.apache.sshd.common.cipher.BuiltinCiphers;
 import org.apache.sshd.common.kex.BuiltinDHFactories;
+import org.apache.sshd.common.util.security.SecurityUtils;
 import org.apache.sshd.core.CoreModuleProperties;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.util.test.BaseTestSupport;
 import org.junit.After;
+import org.junit.Assume;
 import org.junit.Before;
+import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
 import org.junit.Test;
 import org.junit.runners.MethodSorters;
@@ -56,9 +59,14 @@ public class LoadTest extends BaseTestSupport {
         super();
     }
 
+    @BeforeClass    // FIXME inexplicably these tests fail without BC since SSHD-1004
+    public static void ensureBouncycastleRegistered() {
+        Assume.assumeTrue("Requires BC security provider", SecurityUtils.isBouncyCastleRegistered());
+    }
+
     @Before
     public void setUp() throws Exception {
-        sshd = setupTestServer();
+        sshd = setupTestFullSupportServer();
         sshd.start();
         port = sshd.getPort();
     }
@@ -116,7 +124,7 @@ public class LoadTest extends BaseTestSupport {
 
     @SuppressWarnings("checkstyle:nestedtrydepth")
     protected void runClient(String msg) throws Exception {
-        try (SshClient client = setupTestClient()) {
+        try (SshClient client = setupTestFullSupportClient()) {
             CoreModuleProperties.MAX_PACKET_SIZE.set(client, 1024L * 16);
             CoreModuleProperties.WINDOW_SIZE.set(client, 1024L * 8);
             client.setKeyExchangeFactories(Collections.singletonList(ClientBuilder.DH2KEX.apply(BuiltinDHFactories.dhg1)));
diff --git a/sshd-core/src/test/java/org/apache/sshd/client/ClientTest.java b/sshd-core/src/test/java/org/apache/sshd/client/ClientTest.java
index 30c6030..c7487f6 100644
--- a/sshd-core/src/test/java/org/apache/sshd/client/ClientTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/client/ClientTest.java
@@ -74,7 +74,6 @@ import org.apache.sshd.common.SshException;
 import org.apache.sshd.common.channel.Channel;
 import org.apache.sshd.common.channel.ChannelListener;
 import org.apache.sshd.common.channel.exception.SshChannelClosedException;
-import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.future.CloseFuture;
 import org.apache.sshd.common.future.SshFutureListener;
 import org.apache.sshd.common.io.IoInputStream;
@@ -92,6 +91,7 @@ import org.apache.sshd.common.util.buffer.Buffer;
 import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
 import org.apache.sshd.common.util.io.NoCloseOutputStream;
 import org.apache.sshd.common.util.net.SshdSocketAddress;
+import org.apache.sshd.common.util.security.SecurityUtils;
 import org.apache.sshd.core.CoreModuleProperties;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.auth.keyboard.DefaultKeyboardInteractiveAuthenticator;
@@ -108,11 +108,14 @@ import org.apache.sshd.server.session.ServerUserAuthService;
 import org.apache.sshd.server.session.ServerUserAuthServiceFactory;
 import org.apache.sshd.util.test.AsyncEchoShellFactory;
 import org.apache.sshd.util.test.BaseTestSupport;
+import org.apache.sshd.util.test.CommonTestSupportUtils;
 import org.apache.sshd.util.test.EchoShell;
 import org.apache.sshd.util.test.EchoShellFactory;
 import org.apache.sshd.util.test.TeeOutputStream;
 import org.junit.After;
+import org.junit.Assume;
 import org.junit.Before;
+import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
 import org.junit.Ignore;
 import org.junit.Test;
@@ -170,6 +173,11 @@ public class ClientTest extends BaseTestSupport {
         super();
     }
 
+    @BeforeClass    // FIXME inexplicably these tests fail without BC since SSHD-1004
+    public static void ensureBouncycastleRegistered() {
+        Assume.assumeTrue("Requires BC security provider", SecurityUtils.isBouncyCastleRegistered());
+    }
+
     @Before
     public void setUp() throws Exception {
         authLatch = new CountDownLatch(0);
@@ -1038,7 +1046,7 @@ public class ClientTest extends BaseTestSupport {
                 .verify(CONNECT_TIMEOUT).getSession()) {
             assertNotNull("Client session creation not signalled", clientSessionHolder.get());
             KeyPairProvider keys = createTestHostKeyProvider();
-            session.addPublicKeyIdentity(keys.loadKey(session, KeyPairProvider.SSH_RSA));
+            session.addPublicKeyIdentity(keys.loadKey(session, CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_TYPE));
             session.auth().verify(AUTH_TIMEOUT);
         } finally {
             client.stop();
@@ -1049,10 +1057,11 @@ public class ClientTest extends BaseTestSupport {
     @Test
     public void testPublicKeyAuthNewWithFailureOnFirstIdentity() throws Exception {
         SimpleGeneratorHostKeyProvider provider = new SimpleGeneratorHostKeyProvider();
-        provider.setAlgorithm(KeyUtils.RSA_ALGORITHM);
+        provider.setAlgorithm(CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_PROVIDER_ALGORITHM);
+        provider.setKeySize(CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_SIZE);
 
         KeyPairProvider keys = createTestHostKeyProvider();
-        KeyPair pair = keys.loadKey(null, KeyPairProvider.SSH_RSA);
+        KeyPair pair = keys.loadKey(null, CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_TYPE);
         sshd.setPublickeyAuthenticator((username, key, session) -> key.equals(pair.getPublic()));
         client.setUserAuthFactories(Collections.singletonList(UserAuthPublicKeyFactory.INSTANCE));
         client.start();
@@ -1060,7 +1069,7 @@ public class ClientTest extends BaseTestSupport {
         try (ClientSession session = client.connect(getCurrentTestName(), TEST_LOCALHOST, port)
                 .verify(CONNECT_TIMEOUT).getSession()) {
             assertNotNull("Client session creation not signalled", clientSessionHolder.get());
-            session.addPublicKeyIdentity(provider.loadKey(session, KeyPairProvider.SSH_RSA));
+            session.addPublicKeyIdentity(provider.loadKey(session, CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_TYPE));
             session.addPublicKeyIdentity(pair);
             session.auth().verify(AUTH_TIMEOUT);
         } finally {
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java b/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
index 4de6a13..736a94a 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
@@ -26,9 +26,7 @@ import java.util.Set;
 import org.apache.sshd.common.cipher.BuiltinCiphers;
 import org.apache.sshd.common.cipher.Cipher;
 import org.apache.sshd.common.mac.BuiltinMacs;
-import org.apache.sshd.common.signature.BuiltinSignatures;
 import org.apache.sshd.common.util.GenericUtils;
-import org.apache.sshd.server.ServerBuilder;
 import org.apache.sshd.util.test.BaseTestSupport;
 import org.apache.sshd.util.test.NoIoTestCase;
 import org.junit.FixMethodOrder;
@@ -54,15 +52,6 @@ public class SshBuilderTest extends BaseTestSupport {
         testAllInstancesListed(BuiltinMacs.VALUES, BaseBuilder.DEFAULT_MAC_PREFERENCE);
     }
 
-    /**
-     * Make sure that all values in {@link BuiltinSignatures} are listed in
-     * {@link ServerBuilder#DEFAULT_SIGNATURE_PREFERENCE}
-     */
-    @Test
-    public void testAllBuiltinSignaturesListed() {
-        testAllInstancesListed(BuiltinSignatures.VALUES, ServerBuilder.DEFAULT_SIGNATURE_PREFERENCE);
-    }
-
     private static <
             E extends Enum<E>> void testAllInstancesListed(Set<? extends E> expValues, Collection<? extends E> actValues) {
         assertEquals("Mismatched actual values size", expValues.size(), actValues.size());
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/auth/AuthenticationTest.java b/sshd-core/src/test/java/org/apache/sshd/common/auth/AuthenticationTest.java
index 04149dd..0e748d8 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/auth/AuthenticationTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/auth/AuthenticationTest.java
@@ -85,6 +85,7 @@ import org.apache.sshd.server.session.ServerSessionImpl;
 import org.apache.sshd.server.session.SessionFactory;
 import org.apache.sshd.util.test.BaseTestSupport;
 import org.apache.sshd.util.test.CommonTestSupportUtils;
+import org.apache.sshd.util.test.CoreTestSupportUtils;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.FixMethodOrder;
@@ -310,7 +311,7 @@ public class AuthenticationTest extends BaseTestSupport {
                 assertFalse("Timeout while waiting for session", result.contains(ClientSession.ClientSessionEvent.TIMEOUT));
 
                 KeyPairProvider provider = createTestHostKeyProvider();
-                KeyPair pair = provider.loadKey(s, KeyPairProvider.SSH_RSA);
+                KeyPair pair = provider.loadKey(s, CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_TYPE);
                 try {
                     assertAuthenticationResult(UserAuthMethodFactory.PUBLIC_KEY,
                             authPublicKey(s, getCurrentTestName(), pair), false);
@@ -382,7 +383,7 @@ public class AuthenticationTest extends BaseTestSupport {
                 assertFalse("Timeout while waiting for session", result.contains(ClientSession.ClientSessionEvent.TIMEOUT));
 
                 KeyPairProvider provider = createTestHostKeyProvider();
-                KeyPair pair = provider.loadKey(s, KeyPairProvider.SSH_RSA);
+                KeyPair pair = provider.loadKey(s, CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_TYPE);
                 try {
                     assertAuthenticationResult(UserAuthMethodFactory.PUBLIC_KEY,
                             authPublicKey(s, getCurrentTestName(), pair), false);
@@ -656,8 +657,10 @@ public class AuthenticationTest extends BaseTestSupport {
             return true;
         });
 
+        // since we need to use RSA
+        CoreTestSupportUtils.setupFullSignaturesSupport(sshd);
         try (SshClient client = setupTestClient()) {
-            // force server to use only the RSA key
+            // force server to use only RSA
             NamedFactory<Signature> kexSignature = BuiltinSignatures.rsa;
             client.setSignatureFactories(Collections.singletonList(kexSignature));
             client.setServerKeyVerifier((sshClientSession, remoteAddress, serverKey) -> {
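Review bot: The added comment `// since we need to use RSA` above `setupFullSignaturesSupport(sshd)` does not say why RSA is needed. The call installs every value of `BuiltinSignatures.VALUES` on the server (see the helper added to CoreTestSupportUtils in this commit), although the client below offers only `BuiltinSignatures.rsa`. I would state the reason, e.g. `// the client below offers only ssh-rsa, so the server must accept it explicitly`, and consider enabling just that one factory on the server so the test does not depend on the rest of the list. The enclosing test method starts and ends outside the hunk.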
@@ -738,7 +741,9 @@ public class AuthenticationTest extends BaseTestSupport {
                 }));
 
         try (SshClient client = setupTestClient()) {
-            KeyPair clientIdentity = CommonTestSupportUtils.generateKeyPair(KeyUtils.RSA_ALGORITHM, 1024);
+            KeyPair clientIdentity = CommonTestSupportUtils.generateKeyPair(
+                    CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_PROVIDER_ALGORITHM,
+                    CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_SIZE);
             client.start();
 
             try {
@@ -767,7 +772,9 @@ public class AuthenticationTest extends BaseTestSupport {
     public void testHostBasedAuthentication() throws Exception {
         String hostClienUser = getClass().getSimpleName();
         String hostClientName = SshdSocketAddress.toAddressString(SshdSocketAddress.getFirstExternalNetwork4Address());
-        KeyPair hostClientKey = CommonTestSupportUtils.generateKeyPair(KeyUtils.RSA_ALGORITHM, 1024);
+        KeyPair hostClientKey = CommonTestSupportUtils.generateKeyPair(
+                CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_PROVIDER_ALGORITHM,
+                CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_SIZE);
         AtomicInteger invocationCount = new AtomicInteger(0);
         sshd.setHostBasedAuthenticator((session, username, clientHostKey, clientHostName, clientUsername, certificates) -> {
             invocationCount.incrementAndGet();
@@ -827,8 +834,11 @@ public class AuthenticationTest extends BaseTestSupport {
         sshd.setKeyboardInteractiveAuthenticator(KeyboardInteractiveAuthenticator.NONE);
 
         try (SshClient client = setupTestClient()) {
-            KeyPair kp = CommonTestSupportUtils.generateKeyPair(KeyUtils.RSA_ALGORITHM, 1024);
+            KeyPair kp = CommonTestSupportUtils.generateKeyPair(
+                    CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_PROVIDER_ALGORITHM,
+                    CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_SIZE);
             client.start();
+
             try {
                 for (int index = 1; index < 3; index++) {
                     try (ClientSession s = client.connect(getCurrentTestName(), TEST_LOCALHOST, port)
@@ -894,7 +904,7 @@ public class AuthenticationTest extends BaseTestSupport {
             try (ClientSession s = client.connect(getCurrentTestName(), TEST_LOCALHOST, port)
                     .verify(CONNECT_TIMEOUT)
                     .getSession()) {
-                String keyLocation = "super-secret-passphrase-RSA-AES-128-key";
+                String keyLocation = "super-secret-passphrase-ec256-key";
                 FilePasswordProvider passwordProvider = new FilePasswordProvider() {
                     @Override
                     @SuppressWarnings("synthetic-access")
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/auth/SinglePublicKeyAuthTest.java b/sshd-core/src/test/java/org/apache/sshd/common/auth/SinglePublicKeyAuthTest.java
index 7bf784a..45678e1 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/auth/SinglePublicKeyAuthTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/auth/SinglePublicKeyAuthTest.java
@@ -32,6 +32,7 @@ import org.apache.sshd.client.session.ClientSession;
 import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.keyprovider.KeyPairProvider;
 import org.apache.sshd.common.session.Session;
+import org.apache.sshd.common.util.security.SecurityUtils;
 import org.apache.sshd.core.CoreModuleProperties;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.auth.pubkey.CachingPublicKeyAuthenticator;
@@ -40,8 +41,11 @@ import org.apache.sshd.server.auth.pubkey.UserAuthPublicKeyFactory;
 import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
 import org.apache.sshd.server.session.ServerSession;
 import org.apache.sshd.util.test.BaseTestSupport;
+import org.apache.sshd.util.test.CommonTestSupportUtils;
 import org.junit.After;
+import org.junit.Assume;
 import org.junit.Before;
+import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
 import org.junit.Test;
 import org.junit.runners.MethodSorters;
@@ -53,21 +57,29 @@ import org.junit.runners.MethodSorters;
 public class SinglePublicKeyAuthTest extends BaseTestSupport {
     private SshServer sshd;
     private int port;
-    private final KeyPair pairRsaGood;
-    private KeyPair pairRsaBad;
+    private final KeyPair kpGood;
+    private final KeyPair kpBad;
     private PublickeyAuthenticator delegate;
 
     public SinglePublicKeyAuthTest() throws IOException, GeneralSecurityException {
         SimpleGeneratorHostKeyProvider provider = new SimpleGeneratorHostKeyProvider();
-        provider.setAlgorithm(KeyUtils.RSA_ALGORITHM);
-        pairRsaBad = provider.loadKey(null, KeyPairProvider.SSH_RSA);
+        provider.setAlgorithm(CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_PROVIDER_ALGORITHM);
+        provider.setKeySize(CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_SIZE);
+        provider.setPath(detectTargetFolder().resolve(getClass().getSimpleName() + "-key"));
+
+        kpBad = provider.loadKey(null, CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_TYPE);
         KeyPairProvider badKeys = createTestHostKeyProvider();
-        pairRsaGood = badKeys.loadKey(null, KeyPairProvider.SSH_RSA);
+        kpGood = badKeys.loadKey(null, CommonTestSupportUtils.DEFAULT_TEST_HOST_KEY_TYPE);
+    }
+
+    @BeforeClass    // FIXME inexplicably these tests fail without BC since SSHD-1004
+    public static void ensureBouncycastleRegistered() {
+        Assume.assumeTrue("Requires BC security provider", SecurityUtils.isBouncyCastleRegistered());
     }
 
     @Before
     public void setUp() throws Exception {
-        sshd = setupTestServer();
+        sshd = setupTestFullSupportServer();
         CoreModuleProperties.AUTH_METHODS.set(sshd, UserAuthPublicKeyFactory.NAME);
         sshd.setPublickeyAuthenticator((username, key, session) -> delegate.authenticate(username, key, session));
         sshd.start();
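Review bot: The `Assume.assumeTrue("Requires BC security provider", SecurityUtils.isBouncyCastleRegistered())` guard in `ensureBouncycastleRegistered()` turns an unexplained failure into a silent skip, so on a JVM without Bouncy Castle the public-key authentication tests in this class no longer run at all. The FIXME should carry a tracking reference and the observed failure, for example `// FIXME(<tracking issue id>): fails without BC since SSHD-1004 with <observed error>; skipped until the root cause is found`. The same guard is added to `jschInit()` in PortForwardingLoadTest further down. Separately, the context line `KeyPairProvider badKeys = createTestHostKeyProvider();` now feeds `kpGood`, so the local would read better as `goodKeys`. The class body continues outside the hunk.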
@@ -88,7 +100,7 @@ public class SinglePublicKeyAuthTest extends BaseTestSupport {
             String fp = KeyUtils.getFingerPrint(key);
             AtomicInteger counter = count.computeIfAbsent(fp, k -> new AtomicInteger());
             counter.incrementAndGet();
-            return key.equals(pairRsaGood.getPublic());
+            return key.equals(kpGood.getPublic());
         });
         delegate = auth;
 
@@ -97,8 +109,8 @@ public class SinglePublicKeyAuthTest extends BaseTestSupport {
 
             try (ClientSession session
                     = client.connect(getCurrentTestName(), TEST_LOCALHOST, port).verify(CONNECT_TIMEOUT).getSession()) {
-                session.addPublicKeyIdentity(pairRsaBad);
-                session.addPublicKeyIdentity(pairRsaGood);
+                session.addPublicKeyIdentity(kpBad);
+                session.addPublicKeyIdentity(kpGood);
                 session.auth().verify(AUTH_TIMEOUT);
 
                 assertEquals("Mismatched authentication invocations count", 2, count.size());
@@ -106,12 +118,12 @@ public class SinglePublicKeyAuthTest extends BaseTestSupport {
                 Map<Session, Map<PublicKey, Boolean>> cache = auth.getCache();
                 assertEquals("Mismatched cache size", 1, cache.size());
 
-                String fpBad = KeyUtils.getFingerPrint(pairRsaBad.getPublic());
+                String fpBad = KeyUtils.getFingerPrint(kpBad.getPublic());
                 AtomicInteger badCounter = count.get(fpBad);
                 assertNotNull("Missing bad public key", badCounter);
                 assertEquals("Mismatched bad key authentication attempts", 1, badCounter.get());
 
-                String fpGood = KeyUtils.getFingerPrint(pairRsaGood.getPublic());
+                String fpGood = KeyUtils.getFingerPrint(kpGood.getPublic());
                 AtomicInteger goodCounter = count.get(fpGood);
                 assertNotNull("Missing good public key", goodCounter);
                 assertEquals("Mismatched good key authentication attempts", 1, goodCounter.get());
@@ -128,7 +140,7 @@ public class SinglePublicKeyAuthTest extends BaseTestSupport {
             String fp = KeyUtils.getFingerPrint(key);
             AtomicInteger counter = count.computeIfAbsent(fp, k -> new AtomicInteger());
             counter.incrementAndGet();
-            return key.equals(pairRsaGood.getPublic());
+            return key.equals(kpGood.getPublic());
         };
 
         try (SshClient client = setupTestClient()) {
@@ -136,8 +148,8 @@ public class SinglePublicKeyAuthTest extends BaseTestSupport {
 
             try (ClientSession session
                     = client.connect(getCurrentTestName(), TEST_LOCALHOST, port).verify(CONNECT_TIMEOUT).getSession()) {
-                session.addPublicKeyIdentity(pairRsaBad);
-                session.addPublicKeyIdentity(pairRsaGood);
+                session.addPublicKeyIdentity(kpBad);
+                session.addPublicKeyIdentity(kpGood);
 
                 AuthFuture auth = session.auth();
                 assertTrue("Failed to authenticate on time", auth.await(AUTH_TIMEOUT));
@@ -149,14 +161,14 @@ public class SinglePublicKeyAuthTest extends BaseTestSupport {
 
         assertEquals("Mismatched attempted keys count", 2, count.size());
 
-        String badFingerPrint = KeyUtils.getFingerPrint(pairRsaBad.getPublic());
+        String badFingerPrint = KeyUtils.getFingerPrint(kpBad.getPublic());
         Number badIndex = count.get(badFingerPrint);
-        assertNotNull("Missing bad RSA key", badIndex);
+        assertNotNull("Missing bad key", badIndex);
         assertEquals("Mismatched attempt index for bad key", 1, badIndex.intValue());
 
-        String goodFingerPrint = KeyUtils.getFingerPrint(pairRsaGood.getPublic());
+        String goodFingerPrint = KeyUtils.getFingerPrint(kpGood.getPublic());
         Number goodIndex = count.get(goodFingerPrint);
-        assertNotNull("Missing good RSA key", goodIndex);
+        assertNotNull("Missing good key", goodIndex);
         assertEquals("Mismatched attempt index for good key", 2, goodIndex.intValue());
     }
 
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/config/SshConfigFileReaderTest.java b/sshd-core/src/test/java/org/apache/sshd/common/config/SshConfigFileReaderTest.java
index 62c55c8..c137b8d 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/config/SshConfigFileReaderTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/config/SshConfigFileReaderTest.java
@@ -30,7 +30,6 @@ import java.util.List;
 import java.util.Properties;
 import java.util.function.Function;
 
-import org.apache.sshd.client.ClientBuilder;
 import org.apache.sshd.common.BaseBuilder;
 import org.apache.sshd.common.Closeable;
 import org.apache.sshd.common.FactoryManager;
@@ -102,7 +101,7 @@ public class SshConfigFileReaderTest extends BaseTestSupport {
 
     @Test
     public void testParseSignaturesList() {
-        List<? extends NamedResource> expected = ClientBuilder.DEFAULT_SIGNATURE_PREFERENCE;
+        List<? extends NamedResource> expected = BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE;
         Properties props = initNamedResourceProperties(ConfigFileReaderSupport.HOST_KEY_ALGORITHMS_CONFIG_PROP, expected);
         BuiltinSignatures.ParseResult result
                 = SshConfigFileReader.getSignatures(PropertyResolverUtils.toPropertyResolver(props));
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingLoadTest.java b/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingLoadTest.java
index 8b1e535..65d51a5 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingLoadTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingLoadTest.java
@@ -50,6 +50,7 @@ import org.apache.mina.core.service.IoHandlerAdapter;
 import org.apache.mina.core.session.IoSession;
 import org.apache.mina.transport.socket.nio.NioSocketAcceptor;
 import org.apache.sshd.common.util.net.SshdSocketAddress;
+import org.apache.sshd.common.util.security.SecurityUtils;
 import org.apache.sshd.core.CoreModuleProperties;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.forward.AcceptAllForwardingFilter;
@@ -58,6 +59,7 @@ import org.apache.sshd.util.test.CoreTestSupportUtils;
 import org.apache.sshd.util.test.JSchLogger;
 import org.apache.sshd.util.test.SimpleUserInfo;
 import org.junit.After;
+import org.junit.Assume;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
@@ -151,6 +153,8 @@ public class PortForwardingLoadTest extends BaseTestSupport {
 
     @BeforeClass
     public static void jschInit() {
+        // FIXME inexplicably these tests fail without BC since SSHD-1004
+        Assume.assumeTrue("Requires BC security provider", SecurityUtils.isBouncyCastleRegistered());
         JSchLogger.init();
     }
 
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/mac/MacCompatibilityTest.java b/sshd-core/src/test/java/org/apache/sshd/common/mac/MacCompatibilityTest.java
index 31d6b42..692a229 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/mac/MacCompatibilityTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/mac/MacCompatibilityTest.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -32,8 +33,10 @@ import ch.ethz.ssh2.Connection;
 import ch.ethz.ssh2.ConnectionInfo;
 import com.jcraft.jsch.JSch;
 import org.apache.sshd.common.channel.Channel;
+import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.util.GenericUtils;
 import org.apache.sshd.server.SshServer;
+import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
 import org.apache.sshd.util.test.BaseTestSupport;
 import org.apache.sshd.util.test.CommonTestSupportUtils;
 import org.apache.sshd.util.test.CoreTestSupportUtils;
@@ -118,9 +121,21 @@ public class MacCompatibilityTest extends BaseTestSupport {
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
         JSchLogger.init();
+        setupClientAndServer(MacCompatibilityTest.class);
+    }
+
+    private static void setupClientAndServer(Class<?> anchor) throws Exception {
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(anchor);
+
+        // Need to use RSA since Ganymede does not support EC
+        SimpleGeneratorHostKeyProvider provider = new SimpleGeneratorHostKeyProvider();
+        provider.setAlgorithm(KeyUtils.RSA_ALGORITHM);
+        provider.setKeySize(1024);
+
+        Path targetDir = CommonTestSupportUtils.detectTargetFolder(anchor);
+        provider.setPath(targetDir.resolve(anchor.getSimpleName() + "-key"));
 
-        sshd = CoreTestSupportUtils.setupTestFullSupportServer(MacCompatibilityTest.class);
-        sshd.setKeyPairProvider(CommonTestSupportUtils.createTestHostKeyProvider(MacCompatibilityTest.class));
+        sshd.setKeyPairProvider(provider);
         sshd.start();
         port = sshd.getPort();
     }
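Review bot: `provider.setKeySize(1024)` is a bare literal for a 1024-bit RSA host key, and the same provider setup is repeated in `ScpTest.setupClientAndServer(Class<?>)` later in this commit (there `protected`, here `private`). A shared helper in the test utilities with a named constant and a comment such as `// test-only interop key: 1024-bit RSA is not an acceptable size outside tests` would keep both copies in step and make it less likely that the value is copied into non-test code. The generated key is also written under the target folder as `anchor.getSimpleName() + "-key"`; whether a leftover file from an earlier run with a different key type is reused is not visible here and is worth checking.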
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/signature/OpenSSHCertificateTest.java b/sshd-core/src/test/java/org/apache/sshd/common/signature/OpenSSHCertificateTest.java
index 0609692..2c5ce16 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/signature/OpenSSHCertificateTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/signature/OpenSSHCertificateTest.java
@@ -38,6 +38,7 @@ import org.apache.sshd.util.test.BaseTestSupport;
 import org.apache.sshd.util.test.CoreTestSupportUtils;
 import org.apache.sshd.util.test.JUnit4ClassRunnerWithParametersFactory;
 import org.junit.AfterClass;
+import org.junit.Assume;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
@@ -70,11 +71,11 @@ public class OpenSSHCertificateTest extends BaseTestSupport {
 
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
-        sshd = CoreTestSupportUtils.setupTestServer(OpenSSHCertificateTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(OpenSSHCertificateTest.class);
         sshd.start();
         port = sshd.getPort();
 
-        client = CoreTestSupportUtils.setupTestClient(OpenSSHCertificateTest.class);
+        client = CoreTestSupportUtils.setupTestFullSupportClient(OpenSSHCertificateTest.class);
         client.start();
         defaultSignatureFactories = client.getSignatureFactories();
     }
@@ -158,6 +159,8 @@ public class OpenSSHCertificateTest extends BaseTestSupport {
 
     @Test // invalid principal, abort
     public void testAbortOnInvalidPrincipal() throws Exception {
+        Assume.assumeTrue("Have signature factory", signatureFactory != null);
+
         CoreModuleProperties.ABORT_ON_INVALID_CERTIFICATE.set(client, true);
         try (ClientSession s = client.connect(getCurrentTestName(), "localhost", port)
                 .verify(CONNECT_TIMEOUT)
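Review bot: The message passed to `Assume.assumeTrue("Have signature factory", signatureFactory != null)` describes the passing condition, so a skipped run reports "Have signature factory" exactly when the factory is missing. I would word it for the failing case, e.g. `Assume.assumeTrue("No signature factory for this test parameter", signatureFactory != null);`, and add a one-line comment saying which parameter sets are expected to leave `signatureFactory` null, since that is not visible in this hunk. The test method body continues outside the hunk.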
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/signature/SignatureFactoriesTest.java b/sshd-core/src/test/java/org/apache/sshd/common/signature/SignatureFactoriesTest.java
index a9e76ed..2809bcd 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/signature/SignatureFactoriesTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/signature/SignatureFactoriesTest.java
@@ -121,11 +121,11 @@ public class SignatureFactoriesTest extends BaseTestSupport implements KeyTypeIn
 
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
-        sshd = CoreTestSupportUtils.setupTestServer(SignatureFactoriesTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(SignatureFactoriesTest.class);
         sshd.start();
         port = sshd.getPort();
 
-        client = CoreTestSupportUtils.setupTestClient(SignatureFactoriesTest.class);
+        client = CoreTestSupportUtils.setupTestFullSupportClient(SignatureFactoriesTest.class);
         client.start();
     }
 
diff --git a/sshd-core/src/test/java/org/apache/sshd/util/test/CoreTestSupportUtils.java b/sshd-core/src/test/java/org/apache/sshd/util/test/CoreTestSupportUtils.java
index 1621405..4ad8967 100644
--- a/sshd-core/src/test/java/org/apache/sshd/util/test/CoreTestSupportUtils.java
+++ b/sshd-core/src/test/java/org/apache/sshd/util/test/CoreTestSupportUtils.java
@@ -21,14 +21,17 @@ package org.apache.sshd.util.test;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.ServerSocket;
+import java.util.ArrayList;
 
 import org.apache.sshd.client.ClientBuilder;
 import org.apache.sshd.client.SshClient;
 import org.apache.sshd.client.config.hosts.HostConfigEntryResolver;
 import org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier;
 import org.apache.sshd.common.NamedFactory;
+import org.apache.sshd.common.helpers.AbstractFactoryManager;
 import org.apache.sshd.common.kex.BuiltinDHFactories;
 import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
+import org.apache.sshd.common.signature.BuiltinSignatures;
 import org.apache.sshd.server.ServerBuilder;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.auth.pubkey.AcceptAllPublickeyAuthenticator;
@@ -63,6 +66,7 @@ public final class CoreTestSupportUtils {
     public static SshClient setupTestFullSupportClient(SshClient client) {
         client.setKeyExchangeFactories(
                 NamedFactory.setUpTransformedFactories(false, BuiltinDHFactories.VALUES, ClientBuilder.DH2KEX));
+        setupFullSignaturesSupport(client);
         return client;
     }
 
@@ -85,6 +89,12 @@ public final class CoreTestSupportUtils {
     public static SshServer setupTestFullSupportServer(SshServer sshd) {
         sshd.setKeyExchangeFactories(
                 NamedFactory.setUpTransformedFactories(false, BuiltinDHFactories.VALUES, ServerBuilder.DH2KEX));
+        setupFullSignaturesSupport(sshd);
         return sshd;
     }
+
+    public static <M extends AbstractFactoryManager> M setupFullSignaturesSupport(M manager) {
+        manager.setSignatureFactories(new ArrayList<>(BuiltinSignatures.VALUES));
+        return manager;
+    }
 }
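Review bot: `setupFullSignaturesSupport` installs `new ArrayList<>(BuiltinSignatures.VALUES)` unfiltered, whereas the key-exchange lines just above go through `NamedFactory.setUpTransformedFactories(false, ...)`, which presumably drops unsupported entries. If `BuiltinSignatures.VALUES` contains algorithms the running JVM cannot provide, they would still be offered during negotiation. Assuming the existing `NamedFactory.setUpBuiltinFactories` helper applies to this enum, `manager.setSignatureFactories(NamedFactory.setUpBuiltinFactories(false, BuiltinSignatures.VALUES));` would match the KEX setup. The method also needs a Javadoc stating that it is test-only and re-enables signature algorithms removed from the default setup, so that it is not copied into production configuration.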
diff --git a/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-RSA-AES-128-key b/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-RSA-AES-128-key
deleted file mode 100644
index 2b93a42..0000000
--- a/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-RSA-AES-128-key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,D41AC063160FCC09B1E1931FB43BCEAA
-
-V218dGT2pUpimnwEVn+2ljvK6mvm2aNLlaakMunlHfIswrakJ1WTs8a61pYILOn9
-MGHrCiqe6ZI7FBJ2wXpSxhcuM3fzk6/dW4Ghh4EHG1Y94w97EizxNfyz/iI2XQw0
-i6ttaDLVzP8UcSRElqG+Zpe1A7EE/DkdkXD3f/DaGHtu1zirVeaEIggMLjfTdwnR
-sH9VnUZhe74VdPV0x16h7JjLt5fcbIjqJ6NWW4QvQpPBv3k0oiUy/nP4FXg1b7VW
-7SowuCPi+mF821hj4xSO8ETlAU1eZdtgXqtejtKm0iDtsjnTBZPvDDrq5ephBlxO
-k7JBJG1LFUiDIGnpxos5nCsKEo8UAw9a5/D4xE3C6UTocXon28XGzVCbkZBN6jcd
-UbpjCVwKMJmFL97487u9S57xrGTmJdi1AtF9Rei8juTTQY4+r3l2c7JtdtcbLUhj
-iLvdYnbh6kUEyE19/+omJaWGQlFhYp7ZMRRQSiz6TD8lhSIBPpXzs+uMfhkrifVk
-3WpjRoikmPOOFLtecee5Rp+SpGd700XgLnxwZ47l0FNfrKKqd3+nZX4JILQ2M0JP
-sBx8gcIew8aUqMzWrwZxbrt9Pd1+2kSNVG9hpLoNoA4WpQnYQMo4L0eTCeMNUOap
-f9H0Hh3QnqXTPHbcYZJCGE2RUxLzn/d7rUxUdEzER+pkhJcw9JbV/izTrpDHs9bM
-cfBLggQvs+UIBww2OFz2BztwoQzsSEuNW/SxG/y6SfRUQq5TZw9NxYnrrqfBXKtx
-svB1JVbn2fKq2Lvi8AZ1fF3tyrNot/tptDf0yDHejWDUvVx5cXsKVK2BbVjbZ88k
-mBtUbw7ea9Ev7ZsihNB2EdhPjLhhKlKLIZznPKeXL3GDTXqCgCxTVh4wLvaR8rDU
-C3Isil4WprCeynmZpOe7bxAZDm2QCobnDB8sLQqBI4zgH8X/1iyXJVdSKfK9vxcB
-sJ5pYCcS2q0C+CJkn6HVTlMQ5CyyzvPaDJukJoxwxsZ5hgCsUHFzrvyGnXqGfTBD
-qEW+oA7cj48CfweV5pXHj+mZpCrpn1zRVJRz4h1FZRsttPGtBRAlns5I3kh5BPRs
-4m1BO1jiWyp/7HkUrDRhEf/QeJsP+mTH32pQgnngZ/AGA0PUcKanMUpe1d2ju83V
-EIcTz9ycTHPiOAM6GaVt54fKj9WRBU+7pf14ZdJmfhp6twc0jNtaTh+/I6Pfb0jN
-0d6yKV//pOeJJBNhuOJgm/0vfkOnOojIJchOQCRt5Lg/a4fD/JXtLOed2zOQa+0J
-3d8Y93mQX/iN1wi95/sG79YBYF3FkJYVhjosSKbiIaxIn76zIx4IAlziycDKvgpr
-JgZcVvCDc4flwrf3Cv/uHK7UWOE+16X1CfAy8JzFg5bhiMmhgsJyHmd+zDGrY6NX
-zz+wLmwOenEwC40gpt89OXbgMcwJMtfiSusatRtZ+AAs0jb/8jExVXfcYE3m3r1/
-FqLZ7seTQT2D01YoPlwUtSPxzaZbziAJ/NaGmURnBGVibDCJxwUAiOSIQH4prIfg
-Q2FCJeMTbLV43Lanlby5nrmLkzsw3uo1MO8Of1DbcnVUHNSwrp/nNzrYdxBLIvqS
------END RSA PRIVATE KEY-----
diff --git a/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-RSA-AES-128-key.pub b/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-RSA-AES-128-key.pub
deleted file mode 100644
index b1d66a6..0000000
--- a/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-RSA-AES-128-key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/oDbs/yYxBdT02ldP6JIrcETJQ+TCml1tHYuo8cIQp0DZCgRZiEZ4foucAT8R/vLK01nnjRzrI42MXiCzyAHb1sPRD0Fsbpa4TFJczPBBRM2mp56airnArQUMmg/ZKlOf82hn+u7Kgn+ljyjYG5FrdoUBju62i0H4+oBfX+pTkd5ruUgqLyPUC3qtNLwjS4PIPAda/pfpsi9UawQ4ommWCCLlwK55NiSrPDBwKNuVWROcQps2NZRxzRLQEiiCEVBEdiUqqUQ+dg2beLV/4cCS860ZZRvCfe+ko8TUBJ7SLtcrvOEYJOKIZDVhcnQKN/wyXCHExSYytUconlFn/9YX root@devenv-aas
\ No newline at end of file
diff --git a/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-ec256-key b/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-ec256-key
new file mode 100644
index 0000000..0e7e94a
--- /dev/null
+++ b/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-ec256-key
@@ -0,0 +1,10 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCBJIf6Vh
+Kbhk1+gmJsv6C6AAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
+dHAyNTYAAABBBL01p9qPAsYum1h7HXFpbvwIWyb7CbzbQK5qlo97xbPgYxguslezrgZZZg
+ITFVlzECSiXIpReOFQ0bZW78fo3D0AAADAgtIDr0uiaUbj81kc5vLKhTEKJ7x0uzbDQ0ga
+yKiwkK6gr1kes6k0HBtuBN2hh/Dr5qJ4Tnh3yMXsXiC+gjf+OOVGM7qK6XcxUFFG5LsfbN
+YlB3cOuhdCzgJJm6fyo77V3ZTyXcDIvChPrUWJ+R011SLND11JwCaIUia10QuWrWlHEBdU
+f0Zq5nrcbcCq0jEXtLDSrUDtok/aYeGXU+WLv64CxH2ytG6RRsGIkHcHwXEn5Yun6FwIyG
+ujI82JomIM
+-----END OPENSSH PRIVATE KEY-----
diff --git a/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-ec256-key.pub b/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-ec256-key.pub
new file mode 100644
index 0000000..7ea5d70
--- /dev/null
+++ b/sshd-core/src/test/resources/org/apache/sshd/common/auth/super-secret-passphrase-ec256-key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL01p9qPAsYum1h7HXFpbvwIWyb7CbzbQK5qlo97xbPgYxguslezrgZZZgITFVlzECSiXIpReOFQ0bZW78fo3D0= lgoldstein@LYORPC-A8133U7
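Review bot: The comment field of the new public key, `lgoldstein@LYORPC-A8133U7`, publishes a developer account and workstation name in the repository. A neutral label that identifies the fixture, e.g. `test-fixture-ec256` (constructed example), would serve the test equally well. The matching private key added just above is encrypted, but it is still committed key material and should never be authorised anywhere outside this test suite.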
diff --git a/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpTest.java b/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpTest.java
index 2cc5972..5e0ec88 100644
--- a/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpTest.java
+++ b/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpTest.java
@@ -50,6 +50,7 @@ import org.apache.sshd.client.SshClient;
 import org.apache.sshd.client.session.ClientSession;
 import org.apache.sshd.common.Factory;
 import org.apache.sshd.common.channel.Channel;
+import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.file.FileSystemFactory;
 import org.apache.sshd.common.file.virtualfs.VirtualFileSystemFactory;
 import org.apache.sshd.common.io.BuiltinIoServiceFactoryFactories;
@@ -70,6 +71,7 @@ import org.apache.sshd.scp.server.ScpCommandFactory;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.channel.ChannelSession;
 import org.apache.sshd.server.command.Command;
+import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
 import org.apache.sshd.util.test.BaseTestSupport;
 import org.apache.sshd.util.test.CommonTestSupportUtils;
 import org.apache.sshd.util.test.CoreTestSupportUtils;
@@ -148,14 +150,27 @@ public class ScpTest extends BaseTestSupport {
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
         JSchLogger.init();
-        sshd = CoreTestSupportUtils.setupTestFullSupportServer(ScpTest.class);
+        setupClientAndServer(ScpTest.class);
+    }
+
+    protected static void setupClientAndServer(Class<?> anchor) throws Exception {
+        // Need to use RSA since Ganymede does not support EC
+        SimpleGeneratorHostKeyProvider provider = new SimpleGeneratorHostKeyProvider();
+        provider.setAlgorithm(KeyUtils.RSA_ALGORITHM);
+        provider.setKeySize(1024);
+
+        Path targetDir = CommonTestSupportUtils.detectTargetFolder(anchor);
+        provider.setPath(targetDir.resolve(anchor.getSimpleName() + "-key"));
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(anchor);
+        sshd.setKeyPairProvider(provider);
+
         ScpCommandFactory factory = new ScpCommandFactory();
         sshd.setCommandFactory(factory);
         sshd.setShellFactory(factory);
         sshd.start();
         port = sshd.getPort();
 
-        client = CoreTestSupportUtils.setupTestFullSupportClient(ScpTest.class);
+        client = CoreTestSupportUtils.setupTestFullSupportClient(anchor);
         client.start();
     }
 


[mina-sshd] 04/06: [SSHD-1004] Allow ssh-rsa signatures

Posted by lg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit 14f72e63ece27ddc4f561dcdea5750bcf769092b
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Sat Aug 1 09:52:34 2020 +0300

    [SSHD-1004] Allow ssh-rsa signatures
---
 README.md                                             |  4 ++++
 .../main/java/org/apache/sshd/common/BaseBuilder.java | 19 ++++++++++---------
 .../java/org/apache/sshd/DefaultSetupTestSupport.java |  3 +--
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 564d7a4..2c2ed98 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,10 @@ the unsafe settings must do so **explicitly**. The following settings have been
 This means that users that encounter this (and related) problems must modify the supported security settings
 **explicitly** in order to avoid the issue.
 
+**Special notice:** `ssh-rsa` was left in as part of the default setup since there are still a lot of systems / users
+using it. However, in future version it will be removed from the default. We therefore strongly encourage users to migrate
+to other keys (e.g. ECDSA, ED25519) as soon as possible.
+
 # [Release notes](./CHANGES.md)
 
 # Core requirements
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
index 9c6f71f..2e0eae1 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
@@ -117,20 +117,21 @@ public class BaseBuilder<T extends AbstractFactoryManager, S extends BaseBuilder
      */
     public static final List<BuiltinSignatures> DEFAULT_SIGNATURE_PREFERENCE = Collections.unmodifiableList(
             Arrays.asList(
+                    BuiltinSignatures.rsaSHA512,
+                    BuiltinSignatures.rsaSHA256,
+                    BuiltinSignatures.nistp256,
+                    BuiltinSignatures.nistp384,
+                    BuiltinSignatures.nistp521,
+                    BuiltinSignatures.ed25519,
+                    BuiltinSignatures.rsa,
+                    BuiltinSignatures.rsaSHA512_cert,
+                    BuiltinSignatures.rsaSHA256_cert,
                     BuiltinSignatures.nistp256_cert,
                     BuiltinSignatures.nistp384_cert,
                     BuiltinSignatures.nistp521_cert,
                     BuiltinSignatures.ed25519_cert,
-                    BuiltinSignatures.rsaSHA512_cert,
-                    BuiltinSignatures.rsaSHA256_cert,
-                    BuiltinSignatures.nistp256,
-                    BuiltinSignatures.nistp384,
-                    BuiltinSignatures.nistp521,
                     BuiltinSignatures.sk_ecdsa_sha2_nistp256,
-                    BuiltinSignatures.ed25519,
-                    BuiltinSignatures.sk_ssh_ed25519,
-                    BuiltinSignatures.rsaSHA512,
-                    BuiltinSignatures.rsaSHA256));
+                    BuiltinSignatures.sk_ssh_ed25519));
 
     public static final UnknownChannelReferenceHandler DEFAULT_UNKNOWN_CHANNEL_REFERENCE_HANDLER
             = DefaultUnknownChannelReferenceHandler.INSTANCE;
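Review bot: `BuiltinSignatures.rsa` is re-added in the middle of DEFAULT_SIGNATURE_PREFERENCE, ahead of every certificate and `sk_` entry, although the README hunk of this same commit describes it as kept only for compatibility and due for removal from the defaults. Since the list is documented as an order of preference, I would move the SHA-1 based entry to the last position so it is offered only after every stronger algorithm. A why-comment directly above it would also help, for example `// SHA-1 based, kept only for compatibility (SSHD-1004) - to be removed from the defaults`. The Javadoc of the constant starts outside the hunk, so whether it still describes the new ordering should be checked.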
diff --git a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
index 351f3e9..451d620 100644
--- a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
+++ b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
@@ -95,8 +95,7 @@ public abstract class DefaultSetupTestSupport<M extends AbstractFactoryManager>
     @Test   // SSHD-1004
     public void testNoDeprecatedSignatures() {
         assertNoDeprecatedFactoryInstanceNames(Cipher.class.getSimpleName(),
-                EnumSet.of(BuiltinSignatures.rsa, BuiltinSignatures.rsa_cert, BuiltinSignatures.dsa,
-                        BuiltinSignatures.dsa_cert),
+                EnumSet.of(BuiltinSignatures.dsa, BuiltinSignatures.rsa_cert, BuiltinSignatures.dsa_cert),
                 factory.getSignatureFactories());
 
     }
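Review bot: testNoDeprecatedSignatures passes `Cipher.class.getSimpleName()` as the hint, so a failure here would be reported as a cipher problem even though the test checks signature factories. Since the method is being edited anyway, the hint could become `Signature.class.getSimpleName()` or the plain literal `"Signature"`; whether the SSHD `Signature` type is already imported in this file is not visible in the hunk. With `BuiltinSignatures.rsa` dropped from the disallowed set, nothing in this test covers `ssh-rsa` any more, which is worth stating in a comment so the gap is known to be deliberate.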


[mina-sshd] 01/06: [SSHD-1004] Deprecate SHA-1 based key exchanges from default setup

Posted by lg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit 44e390316e97db16078c5ad25181dd8b2b908830
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Fri Jul 31 19:11:05 2020 +0300

    [SSHD-1004] Deprecate SHA-1 based key exchanges from default setup
---
 CHANGES.md                                         |  1 +
 README.md                                          |  1 +
 .../sshd/client/config/hosts/HostConfigEntry.java  |  3 +-
 .../java/org/apache/sshd/common/BaseBuilder.java   |  5 +--
 .../org/apache/sshd/DefaultSetupTestSupport.java   | 43 +++++++++++++++++++---
 .../java/org/apache/sshd/KeyReExchangeTest.java    |  2 +-
 .../java/org/apache/sshd/client/kex/KexTest.java   |  4 +-
 .../org/apache/sshd/common/SshBuilderTest.java     |  9 -----
 .../org/apache/sshd/common/cipher/CipherTest.java  |  2 +-
 .../sshd/common/compression/CompressionTest.java   |  2 +-
 .../common/forward/ApacheServerJSchClientTest.java |  3 +-
 .../common/forward/PortForwardingLoadTest.java     |  2 +-
 .../sshd/common/forward/PortForwardingTest.java    |  2 +-
 .../sshd/common/mac/MacCompatibilityTest.java      |  2 +-
 .../sshd/server/auth/AsyncAuthInteractiveTest.java |  7 ++++
 .../org/apache/sshd/server/auth/AsyncAuthTest.java |  7 ++++
 .../apache/sshd/server/auth/AsyncAuthTestBase.java |  5 ++-
 .../org/apache/sshd/spring/SpringConfigTest.java   |  3 +-
 .../org/apache/sshd/util/test/BaseTestSupport.java |  8 ++++
 .../sshd/util/test/CoreTestSupportUtils.java       | 27 ++++++++++++++
 .../java/org/apache/sshd/scp/client/ScpTest.java   |  4 +-
 .../sftp/client/AbstractSftpClientTestSupport.java |  2 +-
 .../ApacheSshdSftpSessionFactoryTest.java          |  4 +-
 23 files changed, 111 insertions(+), 37 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index c2a876d..18b1509 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -14,6 +14,7 @@
 
 * [SSHD-506](https://issues.apache.org/jira/browse/SSHD-506) Added support for AES-GCM ciphers.
 * [SSHD-1004](https://issues.apache.org/jira/browse/SSHD-1004) Deprecate DES, RC4 and Blowfish ciphers from default setup.
+* [SSHD-1004](https://issues.apache.org/jira/browse/SSHD-1004) Deprecate SHA-1 based key exchanges and signatures.
 * [SSHD-1034](https://issues.apache.org/jira/browse/SSHD-1034) Rename `org.apache.sshd.common.ForwardingFilter` to `Forwarder`.
 * [SSHD-1035](https://issues.apache.org/jira/browse/SSHD-1035) Move property definitions to common locations.
 * [SSHD-1038](https://issues.apache.org/jira/browse/SSHD-1038) Refactor packages from a module into a cleaner hierarchy.
diff --git a/README.md b/README.md
index e43adce..2369fb7 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ the unsafe settings must do so **explicitly**. The following settings have been
 * [RFC 8429 - Deprecate Triple-DES (3DES) and RC4 in Kerberos](https://tools.ietf.org/html/rfc8429)
     * While it refers to Kerberos, it mentions weaknesses in DES as well.
 * [OpenSSH release notes](https://www.openssh.com/releasenotes.html) - usually a good indicator of de-facto practices
+* SHA-1 based key exchanges and signatures
 
 # [Release notes](./CHANGES.md)
 
diff --git a/sshd-common/src/main/java/org/apache/sshd/client/config/hosts/HostConfigEntry.java b/sshd-common/src/main/java/org/apache/sshd/client/config/hosts/HostConfigEntry.java
index 26f839b..3ae8828 100644
--- a/sshd-common/src/main/java/org/apache/sshd/client/config/hosts/HostConfigEntry.java
+++ b/sshd-common/src/main/java/org/apache/sshd/client/config/hosts/HostConfigEntry.java
@@ -62,7 +62,7 @@ import org.apache.sshd.common.util.io.NoCloseReader;
 /**
  * Represents an entry in the client's configuration file as defined by the
  * <A HREF="https://linux.die.net/man/5/ssh_config">ssh_config</A> configuration file format
- * 
+ *
  * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
  * @see    <A HREF="https://www.cyberciti.biz/faq/create-ssh-config-file-on-linux-unix/">OpenSSH Config File
  *         Examples</A>
@@ -717,6 +717,7 @@ public class HostConfigEntry extends HostPatternsHolder implements MutableUserHo
      * @param  host        The original host name / address
      * @param  port        The original port
      * @param  username    The original user name
+     * @param  proxyJump   And optional proxy jump setting
      * @return             A <U>cloned</U> entry whose values are resolved - including expanding macros in the
      *                     identities files
      * @throws IOException If failed to normalize the entry
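Review bot: The added Javadoc line reads `And optional proxy jump setting`, which looks like a typo for `An optional proxy jump setting`. It would also help to say what an absent value looks like (null or empty), since "optional" alone does not tell the caller. The method signature is outside the hunk, so the parameter's type cannot be confirmed from here.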
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
index 821765a..80b8a1b 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
@@ -89,15 +89,12 @@ public class BaseBuilder<T extends AbstractFactoryManager, S extends BaseBuilder
                     BuiltinDHFactories.ecdhp256,
 
                     BuiltinDHFactories.dhgex256,
-                    BuiltinDHFactories.dhgex,
 
                     BuiltinDHFactories.dhg18_512,
                     BuiltinDHFactories.dhg17_512,
                     BuiltinDHFactories.dhg16_512,
                     BuiltinDHFactories.dhg15_512,
-                    BuiltinDHFactories.dhg14_256,
-                    BuiltinDHFactories.dhg14,
-                    BuiltinDHFactories.dhg1));
+                    BuiltinDHFactories.dhg14_256));
 
     /**
      * The default {@link BuiltinMacs} setup in order of preference as specified by
diff --git a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
index bc5ef94..fa3b891 100644
--- a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
+++ b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
@@ -31,6 +31,8 @@ import org.apache.sshd.common.NamedResource;
 import org.apache.sshd.common.cipher.BuiltinCiphers;
 import org.apache.sshd.common.cipher.Cipher;
 import org.apache.sshd.common.helpers.AbstractFactoryManager;
+import org.apache.sshd.common.kex.BuiltinDHFactories;
+import org.apache.sshd.common.kex.KeyExchange;
 import org.apache.sshd.common.util.GenericUtils;
 import org.apache.sshd.util.test.BaseTestSupport;
 import org.apache.sshd.util.test.NoIoTestCase;
@@ -53,30 +55,59 @@ public abstract class DefaultSetupTestSupport<M extends AbstractFactoryManager>
 
     @Test
     public void testDefaultCiphersList() {
-        assertNamedFactoriesList(Cipher.class.getSimpleName(), BaseBuilder.DEFAULT_CIPHERS_PREFERENCE,
+        assertSameNamedFactoriesListInstances(Cipher.class.getSimpleName(), BaseBuilder.DEFAULT_CIPHERS_PREFERENCE,
                 factory.getCipherFactories());
     }
 
     @Test   // SSHD-1004
     public void testNoDeprecatedCiphers() {
-        assertNoDeprecatedSettings(Cipher.class.getSimpleName(),
+        assertNoDeprecatedFactoryInstanceNames(Cipher.class.getSimpleName(),
                 EnumSet.of(BuiltinCiphers.arcfour128, BuiltinCiphers.arcfour256, BuiltinCiphers.tripledescbc,
                         BuiltinCiphers.blowfishcbc),
                 factory.getCipherFactories());
     }
 
-    protected static <T, F extends NamedFactory<T>> void assertNoDeprecatedSettings(
-            String hint, Collection<? extends F> unexpected, Collection<? extends F> actual) {
+    @Test
+    public void testDefaultKeyExchangeList() {
+        assertSameNamedResourceListNames(KeyExchange.class.getSimpleName(),
+                BaseBuilder.DEFAULT_KEX_PREFERENCE, factory.getKeyExchangeFactories());
+    }
+
+    @Test   // SSHD-1004
+    public void testNoDeprecatedKeyExchanges() {
+        Collection<? extends NamedResource> disallowed = BuiltinDHFactories.VALUES.stream()
+                .filter(f -> f.getName().endsWith("sha-1"))
+                .collect(Collectors.toCollection(() -> EnumSet.noneOf(BuiltinDHFactories.class)));
+        assertNoDeprecatedFactoryInstanceNames(
+                KeyExchange.class.getSimpleName(), disallowed, factory.getKeyExchangeFactories());
+    }
+
+    protected static void assertSameNamedResourceListNames(
+            String hint, List<? extends NamedResource> expected, List<? extends NamedResource> actual) {
+        int len = GenericUtils.size(expected);
+        assertEquals(hint + "[size]", len, GenericUtils.size(actual));
+
+        for (int index = 0; index < len; index++) {
+            NamedResource expRes = expected.get(index);
+            String expName = expRes.getName();
+            NamedResource actRes = actual.get(index);
+            String actName = actRes.getName();
+            assertSame(hint + "[" + index + "]", expName, actName);
+        }
+    }
+
+    protected static void assertNoDeprecatedFactoryInstanceNames(
+            String hint, Collection<? extends NamedResource> unexpected, Collection<? extends NamedResource> actual) {
         Collection<String> disallowedNames = unexpected.stream()
                 .map(NamedResource::getName)
                 .collect(Collectors.toCollection(() -> new TreeSet<>(String.CASE_INSENSITIVE_ORDER)));
-        for (F namedFactory : actual) {
+        for (NamedResource namedFactory : actual) {
             String name = namedFactory.getName();
             assertFalse(hint + " - disallowed: " + name, disallowedNames.contains(name));
         }
     }
 
-    protected static <T, F extends NamedFactory<T>> void assertNamedFactoriesList(
+    protected static <T, F extends NamedFactory<T>> void assertSameNamedFactoriesListInstances(
             String hint, List<? extends F> expected, List<? extends F> actual) {
         int len = GenericUtils.size(expected);
         assertEquals(hint + "[size]", len, GenericUtils.size(actual));
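Review bot: The filter in testNoDeprecatedKeyExchanges matches names ending in `sha-1`, but the SSH key-exchange names defined in RFC 4253 end in `sha1` without a hyphen (for example `diffie-hellman-group1-sha1`). If BuiltinDHFactories uses those names, the disallowed set is empty and the test passes without checking anything. I would match on `endsWith("sha1")` and add `assertFalse("No deprecated KEX names selected", disallowed.isEmpty());` before the final assertion, so an empty filter result fails loudly. Separately, assertSameNamedResourceListNames compares the two names with `assertSame`, which tests reference identity; `assertEquals(hint + "[" + index + "]", expName, actName);` states the intent. assertSameNamedFactoriesListInstances continues past the end of the hunk.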
diff --git a/sshd-core/src/test/java/org/apache/sshd/KeyReExchangeTest.java b/sshd-core/src/test/java/org/apache/sshd/KeyReExchangeTest.java
index c067e99..18bef92 100644
--- a/sshd-core/src/test/java/org/apache/sshd/KeyReExchangeTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/KeyReExchangeTest.java
@@ -101,7 +101,7 @@ public class KeyReExchangeTest extends BaseTestSupport {
     }
 
     protected void setUp(long bytesLimit, Duration timeLimit, long packetsLimit) throws Exception {
-        sshd = setupTestServer();
+        sshd = setupTestFullSupportServer();
         sshd.setSubsystemFactories(Collections.singletonList(new TestSubsystemFactory()));
         if (bytesLimit > 0L) {
             CoreModuleProperties.REKEY_BYTES_LIMIT.set(sshd, bytesLimit);
diff --git a/sshd-core/src/test/java/org/apache/sshd/client/kex/KexTest.java b/sshd-core/src/test/java/org/apache/sshd/client/kex/KexTest.java
index 75f2151..9cf4ad0 100644
--- a/sshd-core/src/test/java/org/apache/sshd/client/kex/KexTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/client/kex/KexTest.java
@@ -81,11 +81,11 @@ public class KexTest extends BaseTestSupport {
 
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
-        sshd = CoreTestSupportUtils.setupTestServer(KexTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(KexTest.class);
         sshd.start();
         port = sshd.getPort();
 
-        client = CoreTestSupportUtils.setupTestClient(KexTest.class);
+        client = CoreTestSupportUtils.setupTestFullSupportClient(KexTest.class);
         client.start();
     }
 
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java b/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
index 8f23ba0..4de6a13 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
@@ -25,7 +25,6 @@ import java.util.Set;
 
 import org.apache.sshd.common.cipher.BuiltinCiphers;
 import org.apache.sshd.common.cipher.Cipher;
-import org.apache.sshd.common.kex.BuiltinDHFactories;
 import org.apache.sshd.common.mac.BuiltinMacs;
 import org.apache.sshd.common.signature.BuiltinSignatures;
 import org.apache.sshd.common.util.GenericUtils;
@@ -64,14 +63,6 @@ public class SshBuilderTest extends BaseTestSupport {
         testAllInstancesListed(BuiltinSignatures.VALUES, ServerBuilder.DEFAULT_SIGNATURE_PREFERENCE);
     }
 
-    /**
-     * Make sure that all values in {@link BuiltinDHFactories} are listed in {@link BaseBuilder#DEFAULT_KEX_PREFERENCE}
-     */
-    @Test
-    public void testAllBuiltinDHFactoriesListed() {
-        testAllInstancesListed(BuiltinDHFactories.VALUES, BaseBuilder.DEFAULT_KEX_PREFERENCE);
-    }
-
     private static <
             E extends Enum<E>> void testAllInstancesListed(Set<? extends E> expValues, Collection<? extends E> actValues) {
         assertEquals("Mismatched actual values size", expValues.size(), actValues.size());
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/cipher/CipherTest.java b/sshd-core/src/test/java/org/apache/sshd/common/cipher/CipherTest.java
index 0cfd960..04a3d4c 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/cipher/CipherTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/cipher/CipherTest.java
@@ -110,7 +110,7 @@ public class CipherTest extends BaseTestSupport {
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
         JSchLogger.init();
-        sshd = CoreTestSupportUtils.setupTestServer(CipherTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(CipherTest.class);
         sshd.start();
         port = sshd.getPort();
     }
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/compression/CompressionTest.java b/sshd-core/src/test/java/org/apache/sshd/common/compression/CompressionTest.java
index e6934ab..49c15d3 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/compression/CompressionTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/compression/CompressionTest.java
@@ -96,7 +96,7 @@ public class CompressionTest extends BaseTestSupport {
     public static void setupClientAndServer() throws Exception {
         JSchLogger.init();
 
-        sshd = CoreTestSupportUtils.setupTestServer(MacCompatibilityTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(MacCompatibilityTest.class);
         sshd.setKeyPairProvider(CommonTestSupportUtils.createTestHostKeyProvider(MacCompatibilityTest.class));
         sshd.start();
         port = sshd.getPort();
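Review bot: CompressionTest still passes `MacCompatibilityTest.class` as the anchor on the changed line, and again on the host-key provider line below it, which looks like a copy-paste left-over. Since the line is being touched anyway, `sshd = CoreTestSupportUtils.setupTestFullSupportServer(CompressionTest.class);` would tie the test's resources to its own class; the same applies to the `createTestHostKeyProvider` call. What the anchor class is used for is not visible here, so the effect may be only cosmetic. The method body continues outside the hunk.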
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/forward/ApacheServerJSchClientTest.java b/sshd-core/src/test/java/org/apache/sshd/common/forward/ApacheServerJSchClientTest.java
index 1afc721..9d24acc 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/forward/ApacheServerJSchClientTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/forward/ApacheServerJSchClientTest.java
@@ -27,6 +27,7 @@ import com.jcraft.jsch.Session;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.forward.AcceptAllForwardingFilter;
 import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
+import org.apache.sshd.util.test.CoreTestSupportUtils;
 import org.apache.sshd.util.test.JSchLogger;
 import org.apache.sshd.util.test.SimpleUserInfo;
 import org.junit.After;
@@ -67,7 +68,7 @@ public class ApacheServerJSchClientTest extends AbstractServerCloseTestSupport {
     @BeforeClass
     public static void startSshServer() throws IOException {
         LOG.info("Starting SSHD...");
-        server = SshServer.setUpDefaultServer();
+        server = CoreTestSupportUtils.setupTestFullSupportServer(SshServer.setUpDefaultServer());
         server.setPasswordAuthenticator((u, p, s) -> true);
         server.setForwardingFilter(AcceptAllForwardingFilter.INSTANCE);
         server.setKeyPairProvider(new SimpleGeneratorHostKeyProvider());
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingLoadTest.java b/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingLoadTest.java
index 67b1529..8b1e535 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingLoadTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingLoadTest.java
@@ -156,7 +156,7 @@ public class PortForwardingLoadTest extends BaseTestSupport {
 
     @Before
     public void setUp() throws Exception {
-        sshd = setupTestServer();
+        sshd = setupTestFullSupportServer();
         sshd.setForwardingFilter(AcceptAllForwardingFilter.INSTANCE);
         sshd.addPortForwardingEventListener(serverSideListener);
         sshd.start();
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingTest.java b/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingTest.java
index 864ccf1..1210e59 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/forward/PortForwardingTest.java
@@ -166,7 +166,7 @@ public class PortForwardingTest extends BaseTestSupport {
     @BeforeClass
     public static void setUpTestEnvironment() throws Exception {
         JSchLogger.init();
-        sshd = CoreTestSupportUtils.setupTestServer(PortForwardingTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(PortForwardingTest.class);
         CoreModuleProperties.WINDOW_SIZE.set(sshd, 2048L);
         CoreModuleProperties.MAX_PACKET_SIZE.set(sshd, 256L);
         sshd.setForwardingFilter(AcceptAllForwardingFilter.INSTANCE);
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/mac/MacCompatibilityTest.java b/sshd-core/src/test/java/org/apache/sshd/common/mac/MacCompatibilityTest.java
index a327897..31d6b42 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/mac/MacCompatibilityTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/mac/MacCompatibilityTest.java
@@ -119,7 +119,7 @@ public class MacCompatibilityTest extends BaseTestSupport {
     public static void setupClientAndServer() throws Exception {
         JSchLogger.init();
 
-        sshd = CoreTestSupportUtils.setupTestServer(MacCompatibilityTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(MacCompatibilityTest.class);
         sshd.setKeyPairProvider(CommonTestSupportUtils.createTestHostKeyProvider(MacCompatibilityTest.class));
         sshd.start();
         port = sshd.getPort();
diff --git a/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthInteractiveTest.java b/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthInteractiveTest.java
index 86e32a8..241d0fb 100644
--- a/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthInteractiveTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthInteractiveTest.java
@@ -24,6 +24,8 @@ import com.jcraft.jsch.JSchException;
 import com.jcraft.jsch.Session;
 import com.jcraft.jsch.UserInfo;
 import org.apache.sshd.common.channel.Channel;
+import org.apache.sshd.util.test.JSchLogger;
+import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
 import org.junit.runners.MethodSorters;
 
@@ -36,6 +38,11 @@ public class AsyncAuthInteractiveTest extends AsyncAuthTestBase {
         super();
     }
 
+    @BeforeClass
+    public static void jschInit() {
+        JSchLogger.init();
+    }
+
     @Override
     protected boolean authenticate() throws Exception {
         JSch jsch = new JSch();
diff --git a/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthTest.java b/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthTest.java
index a8963d2..ac748a7 100644
--- a/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthTest.java
@@ -26,6 +26,8 @@ import com.jcraft.jsch.JSchException;
 import com.jcraft.jsch.Session;
 import com.jcraft.jsch.UserInfo;
 import org.apache.sshd.common.channel.Channel;
+import org.apache.sshd.util.test.JSchLogger;
+import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
 import org.junit.runners.MethodSorters;
 
@@ -38,6 +40,11 @@ public class AsyncAuthTest extends AsyncAuthTestBase {
         super();
     }
 
+    @BeforeClass
+    public static void jschInit() {
+        JSchLogger.init();
+    }
+
     @Override
     protected boolean authenticate() throws Exception {
         JSch jsch = new JSch();
diff --git a/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthTestBase.java b/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthTestBase.java
index fdc0f66..46286ec 100644
--- a/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthTestBase.java
+++ b/sshd-core/src/test/java/org/apache/sshd/server/auth/AsyncAuthTestBase.java
@@ -28,6 +28,7 @@ import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.auth.password.PasswordAuthenticator;
 import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
 import org.apache.sshd.util.test.BaseTestSupport;
+import org.apache.sshd.util.test.CoreTestSupportUtils;
 import org.apache.sshd.util.test.EchoShellFactory;
 import org.junit.After;
 import org.junit.Test;
@@ -41,7 +42,7 @@ public abstract class AsyncAuthTestBase extends BaseTestSupport {
 
     private PasswordAuthenticator authenticator;
 
-    public AsyncAuthTestBase() {
+    protected AsyncAuthTestBase() {
         super();
     }
 
@@ -53,7 +54,7 @@ public abstract class AsyncAuthTestBase extends BaseTestSupport {
         if (server != null) {
             fail("Server already started");
         }
-        server = SshServer.setUpDefaultServer();
+        server = CoreTestSupportUtils.setupTestFullSupportServer(SshServer.setUpDefaultServer());
         if (timeout != null) {
             CoreModuleProperties.AUTH_TIMEOUT.set(server, timeout);
         }
diff --git a/sshd-core/src/test/java/org/apache/sshd/spring/SpringConfigTest.java b/sshd-core/src/test/java/org/apache/sshd/spring/SpringConfigTest.java
index 688e980..31b9080 100644
--- a/sshd-core/src/test/java/org/apache/sshd/spring/SpringConfigTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/spring/SpringConfigTest.java
@@ -27,6 +27,7 @@ import com.jcraft.jsch.JSch;
 import org.apache.sshd.common.util.OsUtils;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.util.test.BaseTestSupport;
+import org.apache.sshd.util.test.CoreTestSupportUtils;
 import org.apache.sshd.util.test.JSchLogger;
 import org.apache.sshd.util.test.SimpleUserInfo;
 import org.junit.After;
@@ -73,7 +74,7 @@ public class SpringConfigTest extends BaseTestSupport {
 
     @Test
     public void testSpringConfig() throws Exception {
-        SshServer server = context.getBean(SshServer.class);
+        SshServer server = CoreTestSupportUtils.setupTestFullSupportServer(context.getBean(SshServer.class));
         int port = server.getPort();
 
         JSch sch = new JSch();
diff --git a/sshd-core/src/test/java/org/apache/sshd/util/test/BaseTestSupport.java b/sshd-core/src/test/java/org/apache/sshd/util/test/BaseTestSupport.java
index 1c1c9ad..69b2614 100644
--- a/sshd-core/src/test/java/org/apache/sshd/util/test/BaseTestSupport.java
+++ b/sshd-core/src/test/java/org/apache/sshd/util/test/BaseTestSupport.java
@@ -125,10 +125,18 @@ public abstract class BaseTestSupport extends JUnitTestSupport {
         return CoreTestSupportUtils.setupTestServer(getClass());
     }
 
+    protected SshServer setupTestFullSupportServer() {
+        return CoreTestSupportUtils.setupTestFullSupportServer(setupTestServer());
+    }
+
     protected SshClient setupTestClient() {
         return CoreTestSupportUtils.setupTestClient(getClass());
     }
 
+    protected SshClient setupTestFullSupportClient() {
+        return CoreTestSupportUtils.setupTestFullSupportClient(setupTestClient());
+    }
+
     protected void assumeNotIoServiceProvider(
             Collection<BuiltinIoServiceFactoryFactories> excluded) {
         assumeNotIoServiceProvider(getCurrentTestName(), excluded);
diff --git a/sshd-core/src/test/java/org/apache/sshd/util/test/CoreTestSupportUtils.java b/sshd-core/src/test/java/org/apache/sshd/util/test/CoreTestSupportUtils.java
index 7d2b9b9..1621405 100644
--- a/sshd-core/src/test/java/org/apache/sshd/util/test/CoreTestSupportUtils.java
+++ b/sshd-core/src/test/java/org/apache/sshd/util/test/CoreTestSupportUtils.java
@@ -22,10 +22,14 @@ import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.ServerSocket;
 
+import org.apache.sshd.client.ClientBuilder;
 import org.apache.sshd.client.SshClient;
 import org.apache.sshd.client.config.hosts.HostConfigEntryResolver;
 import org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier;
+import org.apache.sshd.common.NamedFactory;
+import org.apache.sshd.common.kex.BuiltinDHFactories;
 import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
+import org.apache.sshd.server.ServerBuilder;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.auth.pubkey.AcceptAllPublickeyAuthenticator;
 import org.apache.sshd.server.shell.UnknownCommandFactory;
@@ -51,6 +55,17 @@ public final class CoreTestSupportUtils {
         return client;
     }
 
+    public static SshClient setupTestFullSupportClient(Class<?> anchor) {
+        SshClient client = setupTestClient(anchor);
+        return setupTestFullSupportClient(client);
+    }
+
+    public static SshClient setupTestFullSupportClient(SshClient client) {
+        client.setKeyExchangeFactories(
+                NamedFactory.setUpTransformedFactories(false, BuiltinDHFactories.VALUES, ClientBuilder.DH2KEX));
+        return client;
+    }
+
     public static SshServer setupTestServer(Class<?> anchor) {
         SshServer sshd = SshServer.setUpDefaultServer();
         sshd.setKeyPairProvider(CommonTestSupportUtils.createTestHostKeyProvider(anchor));
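Review bot: setupTestFullSupportClient replaces the client's key-exchange list with `BuiltinDHFactories.VALUES` in whatever order that collection iterates, rather than keeping the default preference and appending the deprecated entries. If VALUES lists the legacy SHA-1 groups first (not visible here), every test that uses a full-support client would negotiate a deprecated exchange, and the default setup would go unexercised in those tests. I would build the list from `BaseBuilder.DEFAULT_KEX_PREFERENCE` and append whatever is missing, as sketched below; the two setupTestFullSupportServer overloads in the next hunk have the same shape. A short Javadoc saying these helpers re-enable deprecated exchanges for tests only would also help, since the `// Adds deprecated / insecure settings` comment appears on just one of the four.

```java
    public static SshClient setupTestFullSupportClient(SshClient client) {
        // keep the default order of preference; deprecated exchanges go last
        List<BuiltinDHFactories> kex = new ArrayList<>(BaseBuilder.DEFAULT_KEX_PREFERENCE);
        for (BuiltinDHFactories f : BuiltinDHFactories.VALUES) {
            if (!kex.contains(f)) {
                kex.add(f);
            }
        }
        client.setKeyExchangeFactories(
                NamedFactory.setUpTransformedFactories(false, kex, ClientBuilder.DH2KEX));
        return client;
    }
```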
@@ -60,4 +75,16 @@ public final class CoreTestSupportUtils {
         sshd.setCommandFactory(UnknownCommandFactory.INSTANCE);
         return sshd;
     }
+
+    // Adds deprecated / insecure settings
+    public static SshServer setupTestFullSupportServer(Class<?> anchor) {
+        SshServer sshd = setupTestServer(anchor);
+        return setupTestFullSupportServer(sshd);
+    }
+
+    public static SshServer setupTestFullSupportServer(SshServer sshd) {
+        sshd.setKeyExchangeFactories(
+                NamedFactory.setUpTransformedFactories(false, BuiltinDHFactories.VALUES, ServerBuilder.DH2KEX));
+        return sshd;
+    }
 }
diff --git a/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpTest.java b/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpTest.java
index f740459..2cc5972 100644
--- a/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpTest.java
+++ b/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpTest.java
@@ -148,14 +148,14 @@ public class ScpTest extends BaseTestSupport {
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
         JSchLogger.init();
-        sshd = CoreTestSupportUtils.setupTestServer(ScpTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(ScpTest.class);
         ScpCommandFactory factory = new ScpCommandFactory();
         sshd.setCommandFactory(factory);
         sshd.setShellFactory(factory);
         sshd.start();
         port = sshd.getPort();
 
-        client = CoreTestSupportUtils.setupTestClient(ScpTest.class);
+        client = CoreTestSupportUtils.setupTestFullSupportClient(ScpTest.class);
         client.start();
     }
 
diff --git a/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/AbstractSftpClientTestSupport.java b/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/AbstractSftpClientTestSupport.java
index b625409..efaf753 100644
--- a/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/AbstractSftpClientTestSupport.java
+++ b/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/AbstractSftpClientTestSupport.java
@@ -55,7 +55,7 @@ public abstract class AbstractSftpClientTestSupport extends BaseTestSupport {
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
         JSchLogger.init();
-        sshd = CoreTestSupportUtils.setupTestServer(AbstractSftpClientTestSupport.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(AbstractSftpClientTestSupport.class);
         sshd.setSubsystemFactories(Collections.singletonList(new SftpSubsystemFactory()));
         sshd.start();
         port = sshd.getPort();
diff --git a/sshd-spring-sftp/src/test/java/org/apache/sshd/sftp/spring/integration/ApacheSshdSftpSessionFactoryTest.java b/sshd-spring-sftp/src/test/java/org/apache/sshd/sftp/spring/integration/ApacheSshdSftpSessionFactoryTest.java
index 774ee03..e4bf4c5 100644
--- a/sshd-spring-sftp/src/test/java/org/apache/sshd/sftp/spring/integration/ApacheSshdSftpSessionFactoryTest.java
+++ b/sshd-spring-sftp/src/test/java/org/apache/sshd/sftp/spring/integration/ApacheSshdSftpSessionFactoryTest.java
@@ -110,12 +110,12 @@ public class ApacheSshdSftpSessionFactoryTest extends BaseTestSupport {
     @BeforeClass
     public static void setupClientAndServer() throws Exception {
         JSchLogger.init();
-        sshd = CoreTestSupportUtils.setupTestServer(ApacheSshdSftpSessionFactoryTest.class);
+        sshd = CoreTestSupportUtils.setupTestFullSupportServer(ApacheSshdSftpSessionFactoryTest.class);
         sshd.setSubsystemFactories(Collections.singletonList(new SftpSubsystemFactory()));
         sshd.start();
         port = sshd.getPort();
 
-        client = CoreTestSupportUtils.setupTestClient(ApacheSshdSftpSessionFactoryTest.class);
+        client = CoreTestSupportUtils.setupTestFullSupportClient(ApacheSshdSftpSessionFactoryTest.class);
         client.start();
     }
 


[mina-sshd] 06/06: Added server subsystem CLI option value parsing to allow specifying internal SFTP subsystem

Posted by lg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit 63619933b01445a4fe5b35ffafb6c04107ec6834
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Sat Aug 1 11:05:35 2020 +0300

    Added server subsystem CLI option value parsing to allow specifying internal SFTP subsystem
---
 .../java/org/apache/sshd/cli/server/SshServerCliSupport.java   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sshd-cli/src/main/java/org/apache/sshd/cli/server/SshServerCliSupport.java b/sshd-cli/src/main/java/org/apache/sshd/cli/server/SshServerCliSupport.java
index 677854f..c173cb7 100644
--- a/sshd-cli/src/main/java/org/apache/sshd/cli/server/SshServerCliSupport.java
+++ b/sshd-cli/src/main/java/org/apache/sshd/cli/server/SshServerCliSupport.java
@@ -63,6 +63,7 @@ import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
 import org.apache.sshd.server.shell.InteractiveProcessShellFactory;
 import org.apache.sshd.server.shell.ShellFactory;
 import org.apache.sshd.server.subsystem.SubsystemFactory;
+import org.apache.sshd.sftp.common.SftpConstants;
 import org.apache.sshd.sftp.server.SftpEventListener;
 import org.apache.sshd.sftp.server.SftpSubsystemFactory;
 
@@ -196,6 +197,13 @@ public abstract class SshServerCliSupport extends CliSupport {
             return Collections.emptyList();
         }
 
+        if (SftpConstants.SFTP_SUBSYSTEM_NAME.equalsIgnoreCase(nameList)) {
+            SubsystemFactory factory = registerSubsystemFactoryListeners(
+                    server, level, stdout, stderr, options, new SftpSubsystemFactory());
+            stdout.println("Using built-in SFTP subsystem");
+            return Collections.singletonList(factory);
+        }
+
         boolean havePreferences = GenericUtils.isNotEmpty(nameList);
         Collection<String> preferredNames = (!havePreferences)
                 ? Collections.emptySet()
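Review bot: The new shortcut compares the whole option value with `SftpConstants.SFTP_SUBSYSTEM_NAME`, so it fires only when that name is the entire value. The code below treats `nameList` as a set of preferred names, so a value that lists the SFTP name next to others, or carries surrounding whitespace, presumably falls through to the existing lookup. That difference is undocumented, and since this value turns on remote file access, an operator should be able to tell exactly which input enables it. I would add a comment above the `if`, e.g. `// exact (case-insensitive) match only - a multi-name list is resolved by the lookup below`, and mention the special value in the method's Javadoc, which lies outside this hunk.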
@@ -245,7 +253,7 @@ public abstract class SshServerCliSupport extends CliSupport {
      * <LI>Otherwise, assumes this is a fully qualified class path of a {@link ShellFactory} implementation and attempts
      * to load and instantiate it using a public no-args constructor</LI>
      * </UL>
-     * 
+     *
      * @param  stderr    The STDERR stream for errors
      * @param  options   The available options - assuming defaults if {@code null}
      * @return           The resolved {@link ShellFactory}


[mina-sshd] 05/06: [SSHD-1004] Generate an ECDSA host key by default in SshServerMain

Posted by lg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit adf96e7b3321fd525922c0fec2acd411d584521a
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Sat Aug 1 11:04:34 2020 +0300

    [SSHD-1004] Generate an ECDSA host key by default in SshServerMain
---
 CHANGES.md                                         |  2 ++
 sshd-cli/src/main/resources/.gitignore             |  0
 sshd-cli/src/test/resources/log4j.properties       | 38 ++++++++++++++++++++++
 .../AbstractGeneratorHostKeyProvider.java          |  2 +-
 .../AbstractGeneratorHostKeyProviderTest.java      |  1 -
 5 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 96e094f..089fa2b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -12,6 +12,8 @@
 
 ## Major code re-factoring
 
+* `SshServerMain` uses by default an ECDSA key instead of an RSA one. This can be overridden either by `-key-type / -key-size`
+or `-key-file` command line option.
 * [SSHD-1034](https://issues.apache.org/jira/browse/SSHD-1034) Rename `org.apache.sshd.common.ForwardingFilter` to `Forwarder`.
 * [SSHD-1035](https://issues.apache.org/jira/browse/SSHD-1035) Move property definitions to common locations.
 * [SSHD-1038](https://issues.apache.org/jira/browse/SSHD-1038) Refactor packages from a module into a cleaner hierarchy.
diff --git a/sshd-cli/src/main/resources/.gitignore b/sshd-cli/src/main/resources/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/sshd-cli/src/test/resources/log4j.properties b/sshd-cli/src/test/resources/log4j.properties
new file mode 100644
index 0000000..51c6fee
--- /dev/null
+++ b/sshd-cli/src/test/resources/log4j.properties
@@ -0,0 +1,38 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed  under the  License is distributed on an "AS IS" BASIS,
+# WITHOUT  WARRANTIES OR CONDITIONS  OF ANY KIND, either  express  or
+# implied.
+#
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+
+#
+# The logging properties used during tests..
+#
+log4j.rootLogger=INFO, stdout, logfile
+#log4j.logger.org.apache.sshd=TRACE
+#log4j.logger.org.apache.sshd.common.channel.Window=DEBUG
+
+# CONSOLE appender
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d | %-5.5p | %-16.16t | %-32.32c{1} | %-64.64C %4L | %m%n
+
+# File appender
+log4j.appender.logfile=org.apache.log4j.FileAppender
+log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
+log4j.appender.logfile.layout.ConversionPattern=%d | %-5.5p | %-16.16t | %-32.32c{1} | %-64.64C %4L | %m%n
+log4j.appender.logfile.file=target/sshd-cli-tests.log
+log4j.appender.logfile.append=true
diff --git a/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java b/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java
index dbd9204..0e348ff 100644
--- a/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java
+++ b/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java
@@ -60,7 +60,7 @@ import org.apache.sshd.common.util.security.SecurityUtils;
 public abstract class AbstractGeneratorHostKeyProvider
         extends AbstractKeyPairProvider
         implements AlgorithmNameProvider, KeySizeIndicator {
-    public static final String DEFAULT_ALGORITHM = KeyUtils.RSA_ALGORITHM;
+    public static final String DEFAULT_ALGORITHM = KeyUtils.EC_ALGORITHM;
     public static final boolean DEFAULT_ALLOWED_TO_OVERWRITE = true;
 
     private final AtomicReference<Iterable<KeyPair>> keyPairHolder = new AtomicReference<>();
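Review bot: `DEFAULT_ALGORITHM` is a public constant, and changing it from RSA to EC alters what every provider that never calls a setter will generate, yet the constant has no Javadoc saying so. The companion test in this commit drops `setKeySize(512)`, which suggests RSA-style key sizes are not valid with the new default, so callers that set only a key size will presumably also need to set the algorithm or choose a size that maps to a curve. I would document this on the constant, e.g. `/** Default key algorithm (EC); a configured key size must match a supported curve. */`. It is also worth stating how a host key file previously written as RSA is treated, since `DEFAULT_ALLOWED_TO_OVERWRITE` is `true` and a silently replaced host key breaks clients' known-hosts pinning; that handling is outside the hunk.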
diff --git a/sshd-common/src/test/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProviderTest.java b/sshd-common/src/test/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProviderTest.java
index 79e07a6..fe5c38e 100644
--- a/sshd-common/src/test/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProviderTest.java
+++ b/sshd-common/src/test/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProviderTest.java
@@ -64,7 +64,6 @@ public class AbstractGeneratorHostKeyProviderTest extends JUnitTestSupport {
         private final AtomicInteger writes = new AtomicInteger(0);
 
         private TestProvider(Path file) {
-            setKeySize(512);
             setPath(file);
         }
 


[mina-sshd] 03/06: [SSHD-1004] Deprecate MD5-based and truncated HMAC algorithms from default setup.

Posted by lg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit 04081d71ddb819cebc16a8b84be289b26a7f863e
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Fri Jul 31 23:02:35 2020 +0300

    [SSHD-1004] Deprecate MD5-based and truncated HMAC algorithms from default setup.
---
 CHANGES.md                                            |  9 +++++----
 README.md                                             |  5 +++--
 .../main/java/org/apache/sshd/common/BaseBuilder.java |  5 +----
 .../java/org/apache/sshd/DefaultSetupTestSupport.java | 15 +++++++++++++++
 .../java/org/apache/sshd/common/SshBuilderTest.java   | 19 -------------------
 5 files changed, 24 insertions(+), 29 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 18b1509..96e094f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -12,13 +12,9 @@
 
 ## Major code re-factoring
 
-* [SSHD-506](https://issues.apache.org/jira/browse/SSHD-506) Added support for AES-GCM ciphers.
-* [SSHD-1004](https://issues.apache.org/jira/browse/SSHD-1004) Deprecate DES, RC4 and Blowfish ciphers from default setup.
-* [SSHD-1004](https://issues.apache.org/jira/browse/SSHD-1004) Deprecate SHA-1 based key exchanges and signatures.
 * [SSHD-1034](https://issues.apache.org/jira/browse/SSHD-1034) Rename `org.apache.sshd.common.ForwardingFilter` to `Forwarder`.
 * [SSHD-1035](https://issues.apache.org/jira/browse/SSHD-1035) Move property definitions to common locations.
 * [SSHD-1038](https://issues.apache.org/jira/browse/SSHD-1038) Refactor packages from a module into a cleaner hierarchy.
-* [SSHD-1047](https://issues.apache.org/jira/browse/SSHD-1047) Support for SSH jumps.
 
 ## Minor code helpers
 
@@ -28,10 +24,15 @@
 
 ## Behavioral changes and enhancements
 
+* [SSHD-506](https://issues.apache.org/jira/browse/SSHD-506) Added support for AES-GCM ciphers.
+* [SSHD-1004](https://issues.apache.org/jira/browse/SSHD-1004) Deprecate DES, RC4 and Blowfish ciphers from default setup.
+* [SSHD-1004](https://issues.apache.org/jira/browse/SSHD-1004) Deprecate SHA-1 based key exchanges and signatures from default setup.
+* [SSHD-1004](https://issues.apache.org/jira/browse/SSHD-1004) Deprecate MD5-based and truncated HMAC algorithms from default setup.
 * [SSHD-1020](https://issues.apache.org/jira/browse/SSHD-1020) SSH connections getting closed abruptly with timeout exceptions.
 * [SSHD-1026](https://issues.apache.org/jira/browse/SSHD-1026) Improve build reproductibility.
 * [SSHD-1028](https://issues.apache.org/jira/browse/SSHD-1028) Fix SSH_MSG_DISCONNECT: Too many concurrent connections.
 * [SSHD-1032](https://issues.apache.org/jira/browse/SSHD-1032) Fix possible ArrayIndexOutOfBoundsException in ChannelAsyncOutputStream.
 * [SSHD-1033](https://issues.apache.org/jira/browse/SSHD-1033) Fix simultaneous usage of dynamic and local port forwarding.
 * [SSHD-1039](https://issues.apache.org/jira/browse/SSHD-1039) Fix support for some basic options in ssh/sshd cli.
+* [SSHD-1047](https://issues.apache.org/jira/browse/SSHD-1047) Support for SSH jumps.
 * [SSHD-1048](https://issues.apache.org/jira/browse/SSHD-1048) Wrap instead of rethrow IOException in Future.
diff --git a/README.md b/README.md
index 69eaa25..564d7a4 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,7 @@ the unsafe settings must do so **explicitly**. The following settings have been
     * While it refers to Kerberos, it mentions weaknesses in DES as well.
 * [OpenSSH release notes](https://www.openssh.com/releasenotes.html) - usually a good indicator of de-facto practices
 * SHA-1 based key exchanges and signatures
+* MD5-based and truncated HMAC algorithms
 
 **Caveat:**: According to [RFC 8332 - section 3.31](https://tools.ietf.org/html/rfc8332#section-3.3)
 >>
@@ -88,8 +89,8 @@ the unsafe settings must do so **explicitly**. The following settings have been
 >> algorithms have been sufficiently widely adopted to warrant disabling "ssh-rsa", clients MAY default to one of
 >> the new algorithms.
 
-This means that users that encounter this problem must modify the supported security settings **explicitly** in
-order to avoid the issue.
+This means that users that encounter this (and related) problems must modify the supported security settings
+**explicitly** in order to avoid the issue.
 
 # [Release notes](./CHANGES.md)
 
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
index d89cadd..9c6f71f 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
@@ -108,10 +108,7 @@ public class BaseBuilder<T extends AbstractFactoryManager, S extends BaseBuilder
                     BuiltinMacs.hmacsha1etm,
                     BuiltinMacs.hmacsha256,
                     BuiltinMacs.hmacsha512,
-                    BuiltinMacs.hmacsha1,
-                    BuiltinMacs.hmacmd5,
-                    BuiltinMacs.hmacsha196,
-                    BuiltinMacs.hmacmd596));
+                    BuiltinMacs.hmacsha1));
 
     /**
      * Preferred {@link BuiltinSignatures} according to
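Review bot: The trimmed list still ends with `BuiltinMacs.hmacsha1` and keeps `hmacsha1etm` above it, but nothing at the list says why the full-length SHA-1 HMACs stay while the MD5-based and 96-bit truncated variants go. A short comment on the last entry would stop a later cleanup from removing it by analogy with the SHA-1 key exchanges, or from re-adding the dropped entries. If interoperability is the reason, something like `// hmac-sha1 kept for interoperability; MD5-based and truncated (96-bit) HMACs are no longer default (SSHD-1004)` would do. The Javadoc of `DEFAULT_MAC_PREFERENCE` starts outside this hunk and should be checked for wording that still implies every built-in MAC is listed.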
diff --git a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
index 6c393f6..351f3e9 100644
--- a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
+++ b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
@@ -33,6 +33,8 @@ import org.apache.sshd.common.cipher.Cipher;
 import org.apache.sshd.common.helpers.AbstractFactoryManager;
 import org.apache.sshd.common.kex.BuiltinDHFactories;
 import org.apache.sshd.common.kex.KeyExchange;
+import org.apache.sshd.common.mac.BuiltinMacs;
+import org.apache.sshd.common.mac.Mac;
 import org.apache.sshd.common.signature.BuiltinSignatures;
 import org.apache.sshd.common.signature.Signature;
 import org.apache.sshd.common.util.GenericUtils;
@@ -99,6 +101,19 @@ public abstract class DefaultSetupTestSupport<M extends AbstractFactoryManager>
 
     }
 
+    @Test
+    public void testDefaultMacsList() {
+        assertSameNamedFactoriesListInstances(
+                Mac.class.getSimpleName(), BaseBuilder.DEFAULT_MAC_PREFERENCE, factory.getMacFactories());
+    }
+
+    @Test
+    public void testNoDeprecatedMacs() {
+        assertNoDeprecatedFactoryInstanceNames(
+                Mac.class.getSimpleName(), EnumSet.of(BuiltinMacs.hmacmd5, BuiltinMacs.hmacmd596, BuiltinMacs.hmacsha196),
+                factory.getMacFactories());
+    }
+
     protected static void assertSameNamedResourceListNames(
             String hint, List<? extends NamedResource> expected, List<? extends NamedResource> actual) {
         int len = GenericUtils.size(expected);
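Review bot: The deprecated MACs are hard-coded in `testNoDeprecatedMacs`, and with `testAllBuiltinMacsListed` removed from SshBuilderTest in this commit, nothing fails when a new `BuiltinMacs` value is added without being placed in either the default or the deprecated group. A test that the two groups together cover `BuiltinMacs.VALUES` would force that decision to be made explicitly. The two new test methods also lack the one-line Javadoc that the removed test carried. The trailing context belongs to `assertSameNamedResourceListNames`, which continues outside the hunk.

```java
    // … unchanged: testDefaultMacsList, testNoDeprecatedMacs …

    /**
     * Make sure every value in {@link BuiltinMacs} is either part of the default preference or explicitly deprecated
     */
    @Test
    public void testEveryBuiltinMacIsClassified() {
        EnumSet<BuiltinMacs> classified = EnumSet.of(
                BuiltinMacs.hmacmd5, BuiltinMacs.hmacmd596, BuiltinMacs.hmacsha196);
        classified.addAll(BaseBuilder.DEFAULT_MAC_PREFERENCE);
        assertEquals("Unclassified built-in MAC(s)", BuiltinMacs.VALUES, classified);
    }
```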
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java b/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
index 736a94a..e28746f 100644
--- a/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
+++ b/sshd-core/src/test/java/org/apache/sshd/common/SshBuilderTest.java
@@ -19,13 +19,10 @@
 
 package org.apache.sshd.common;
 
-import java.util.Collection;
 import java.util.List;
-import java.util.Set;
 
 import org.apache.sshd.common.cipher.BuiltinCiphers;
 import org.apache.sshd.common.cipher.Cipher;
-import org.apache.sshd.common.mac.BuiltinMacs;
 import org.apache.sshd.common.util.GenericUtils;
 import org.apache.sshd.util.test.BaseTestSupport;
 import org.apache.sshd.util.test.NoIoTestCase;
@@ -45,22 +42,6 @@ public class SshBuilderTest extends BaseTestSupport {
     }
 
     /**
-     * Make sure that all values in {@link BuiltinMacs} are listed in {@link BaseBuilder#DEFAULT_MAC_PREFERENCE}
-     */
-    @Test
-    public void testAllBuiltinMacsListed() {
-        testAllInstancesListed(BuiltinMacs.VALUES, BaseBuilder.DEFAULT_MAC_PREFERENCE);
-    }
-
-    private static <
-            E extends Enum<E>> void testAllInstancesListed(Set<? extends E> expValues, Collection<? extends E> actValues) {
-        assertEquals("Mismatched actual values size", expValues.size(), actValues.size());
-        for (E expected : expValues) {
-            assertTrue(expected.name() + " not found in actual values", actValues.contains(expected));
-        }
-    }
-
-    /**
      * Make sure that {@link BaseBuilder#setUpDefaultCiphers(boolean)} returns the correct result - i.e., according to
      * the {@code ingoreUnsupported} parameter and in the defined preference order
      */