Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

org.apache.sshd.client.global.OpenSshHostKeysHandler should ignore unsupported host keys #434

Closed
stasal opened this issue Nov 18, 2023 · 2 comments · Fixed by #451
Closed

org.apache.sshd.client.global.OpenSshHostKeysHandler should ignore unsupported host keys #434

stasal opened this issue Nov 18, 2023 · 2 comments · Fixed by #451
Assignees
@tomaswolf
Labels
bug An issue describing a bug in the code
Milestone
2.12.0

Comments

@stasal
Copy link

stasal commented Nov 18, 2023
edited
Loading

Version

2.9.2

Bug description

When receiving hostkeys-00@openssh.com request, client by default uses org.apache.sshd.client.global.OpenSshHostKeysHandler to process it. This handler's handleHostKeys method does nothing but logging keys when debug is enabled.

But there is no exception handling in parent org.apache.sshd.common.global.org.apache.sshd.common.global.AbstractOpenSshHostKeysHandler class.

Therefore if the host sends two keys (one RSA and one EdDSA for example), but the client only supports RSA, the exception is being propagated from the org.apache.sshd.common.global.AbstractOpenSshHostKeysHandler#process method and
the host's request is processed as failed and the WARN message is generated in logs.

Actual behavior

Example:
WARN 40340 --- []-nio2-thread-3] o.a.s.c.session.ClientConnectionService : globalRequest(ClientConnectionService[ClientSessionImpl[test@localhost/127.0.0.1:2222]])[hostkeys-00@openssh.com, want-reply=false] failed (SshException) to process: EdDSA provider not supported

Expected behavior

No warns are logged, and only the supported keys are handled by org.apache.sshd.client.global.OpenSshHostKeysHandler#handleHostKeys

Relevant log output

WARN 40340 --- []-nio2-thread-3] o.a.s.c.session.ClientConnectionService  : globalRequest(ClientConnectionService[ClientSessionImpl[test@localhost/127.0.0.1:2222]])[hostkeys-00@openssh.com, want-reply=false] failed (SshException) to process: EdDSA provider not supported

org.apache.sshd.common.SshException: EdDSA provider not supported
	at org.apache.sshd.common.util.buffer.Buffer.getRawPublicKey(Buffer.java:544) ~[sshd-common-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.util.buffer.Buffer.getPublicKey(Buffer.java:519) ~[sshd-common-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.global.AbstractOpenSshHostKeysHandler.process(AbstractOpenSshHostKeysHandler.java:73) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.global.AbstractOpenSshHostKeysHandler.process(AbstractOpenSshHostKeysHandler.java:38) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.AbstractConnectionService.globalRequest(AbstractConnectionService.java:868) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.AbstractConnectionService.process(AbstractConnectionService.java:486) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.CurrentService.process(CurrentService.java:109) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:591) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.AbstractSession.lambda$handleMessage$0(AbstractSession.java:522) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.util.threads.ThreadUtils.runAsInternal(ThreadUtils.java:68) ~[sshd-common-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:521) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1639) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:482) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:407) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:380) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:375) ~[sshd-core-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38) ~[sshd-core-2.9.2.jar:2.9.2]
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) ~[na:na]
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37) ~[sshd-core-2.9.2.jar:2.9.2]
	at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:129) ~[na:na]
	at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:221) ~[na:na]
	at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:113) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:840) ~[na:na]
Caused by: java.security.NoSuchAlgorithmException: EdDSA provider not supported
	at org.apache.sshd.common.util.security.SecurityUtils.generateEDDSAPublicKey(SecurityUtils.java:627) ~[sshd-common-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.util.buffer.keys.ED25519BufferPublicKeyParser.getRawPublicKey(ED25519BufferPublicKeyParser.java:46) ~[sshd-common-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.util.buffer.keys.BufferPublicKeyParser$2.getRawPublicKey(BufferPublicKeyParser.java:102) ~[sshd-common-2.9.2.jar:2.9.2]
	at org.apache.sshd.common.util.buffer.Buffer.getRawPublicKey(Buffer.java:542) ~[sshd-common-2.9.2.jar:2.9.2]
	... 25 common frames omitted

Other information

No response
@stasal stasal changed the title org.apache.sshd.client.global.OpenSshHostKeysHandler should probably ignore unsupported host keys org.apache.sshd.client.global.OpenSshHostKeysHandler should ignore unsupported host keys Nov 18, 2023
@tomaswolf tomaswolf added the bug An issue describing a bug in the code label Dec 14, 2023
@tomaswolf
Copy link
Member

On the client side, it should indeed ignore unknown key types (and not do anything if it cannot deal with any of the keys).

On the server side, it should fail if it ever gets a key that it cannot handle. And it probably should even check that all the keys it gets in that request are keys the server proposed before. Otherwise some malicious or broken client is sending challenges for keys the server never proposed.

@ThadHouse
Copy link

ThadHouse commented Dec 18, 2023
edited
Loading

Seeing this as well. The EdDSA provider from net.i2p.crypto:eddsa is extremely out of date, and doesn't work on newer versions of Java, as it uses removed internal API's. Removing that dependency causes any client connection to our host to log this error. Posting so I can be updated if/when a fix is pushed.

tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Jan 7, 2024
@tomaswolf
apacheGH-434: skip unknown public keys from external sources
e37bcc6 
Change Buffer.getPublicKey() to set the read position to after the key
even if reading the key fails. This enables us to continue reading keys
from a list of keys in a buffer even when a particular key cannot be
decoded.

Change the two places where we receive lists of public keys from
external sources: from an SSH agent or via the "hostkeys-00@openssh.com"
extension. Skip and log keys that cannot be decoded.
@tomaswolf tomaswolf mentioned this issue Jan 7, 2024
Merged
@tomaswolf tomaswolf self-assigned this Jan 7, 2024
tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Jan 7, 2024
@tomaswolf
apacheGH-434: skip unknown public keys from external sources
62506bf 
Change Buffer.getPublicKey() to set the read position to after the key
even if reading the key fails. This enables us to continue reading keys
from a list of keys in a buffer even when a particular key cannot be
decoded.

Change the two places where we receive lists of public keys from
external sources: from an SSH agent or via the "hostkeys-00@openssh.com"
extension. Skip and log keys that cannot be decoded.
tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Jan 9, 2024
@tomaswolf
apacheGH-434: skip unknown public keys from external sources
72acfbf 
Change Buffer.getPublicKey() to set the read position to after the key
even if reading the key fails. This enables us to continue reading keys
from a list of keys in a buffer even when a particular key cannot be
decoded.

Change the two places where we receive lists of public keys from
external sources: from an SSH agent or via the "hostkeys-00@openssh.com"
extension. Skip and log keys that cannot be decoded.
@tomaswolf tomaswolf added this to the 2.12.0 milestone Jan 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tomaswolf tomaswolf

Labels
bug An issue describing a bug in the code
Projects
None yet
Milestone
2.12.0
Development

Successfully merging a pull request may close this issue.

GH-434: skip unknown public keys from external sources tomaswolf/mina-sshd
3 participants
@stasal @ThadHouse @tomaswolf