-
Notifications
You must be signed in to change notification settings - Fork 358
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
org.apache.sshd.client.global.OpenSshHostKeysHandler should ignore unsupported host keys #434
Comments
On the client side, it should indeed ignore unknown key types (and not do anything if it cannot deal with any of the keys). On the server side, it should fail if it ever gets a key that it cannot handle. And it probably should even check that all the keys it gets in that request are keys the server proposed before. Otherwise some malicious or broken client is sending challenges for keys the server never proposed. |
Seeing this as well. The EdDSA provider from net.i2p.crypto:eddsa is extremely out of date, and doesn't work on newer versions of Java, as it uses removed internal API's. Removing that dependency causes any client connection to our host to log this error. Posting so I can be updated if/when a fix is pushed. |
Change Buffer.getPublicKey() to set the read position to after the key even if reading the key fails. This enables us to continue reading keys from a list of keys in a buffer even when a particular key cannot be decoded. Change the two places where we receive lists of public keys from external sources: from an SSH agent or via the "hostkeys-00@openssh.com" extension. Skip and log keys that cannot be decoded.
Change Buffer.getPublicKey() to set the read position to after the key even if reading the key fails. This enables us to continue reading keys from a list of keys in a buffer even when a particular key cannot be decoded. Change the two places where we receive lists of public keys from external sources: from an SSH agent or via the "hostkeys-00@openssh.com" extension. Skip and log keys that cannot be decoded.
Change Buffer.getPublicKey() to set the read position to after the key even if reading the key fails. This enables us to continue reading keys from a list of keys in a buffer even when a particular key cannot be decoded. Change the two places where we receive lists of public keys from external sources: from an SSH agent or via the "hostkeys-00@openssh.com" extension. Skip and log keys that cannot be decoded.
Version
2.9.2
Bug description
When receiving
hostkeys-00@openssh.com
request, client by default usesorg.apache.sshd.client.global.OpenSshHostKeysHandler
to process it. This handler'shandleHostKeys
method does nothing but logging keys when debug is enabled.But there is no exception handling in parent
org.apache.sshd.common.global.org.apache.sshd.common.global.AbstractOpenSshHostKeysHandler
class.Therefore if the host sends two keys (one RSA and one EdDSA for example), but the client only supports RSA, the exception is being propagated from the
org.apache.sshd.common.global.AbstractOpenSshHostKeysHandler#process
method andthe host's request is processed as failed and the WARN message is generated in logs.
Actual behavior
Example:
WARN 40340 --- []-nio2-thread-3] o.a.s.c.session.ClientConnectionService : globalRequest(ClientConnectionService[ClientSessionImpl[test@localhost/127.0.0.1:2222]])[hostkeys-00@openssh.com, want-reply=false] failed (SshException) to process: EdDSA provider not supported
Expected behavior
No warns are logged, and only the supported keys are handled by
org.apache.sshd.client.global.OpenSshHostKeysHandler#handleHostKeys
Relevant log output
Other information
No response
The text was updated successfully, but these errors were encountered: