[ https://issues.apache.org/jira/browse/SSHD-372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet reassigned SSHD-372:
------------------------------------

    Assignee: Guillaume Nodet

> Server doesn't reject connections that don't send client identification, has to time out
> ----------------------------------------------------------------------------------------
>
>                 Key: SSHD-372
>                 URL: https://issues.apache.org/jira/browse/SSHD-372
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 0.14.0
>            Reporter: Robin Stocker
>            Assignee: Guillaume Nodet
>
> Given a client that incorrectly tries to connect to Mina SSHD using HTTP
> (such as a Git client using an incorrect remote URL), Mina SSHD is much less
> strict than OpenSSH.
>
> OpenSSH immediately closes the connection:
> {noformat}
> $ curl -v http://127.0.0.1:4722/
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:4722
> > Accept: */*
> >
> SSH-2.0-OpenSSH_6.6.1
> Protocol mismatch.
> * Connection #0 to host 127.0.0.1 left intact
> $
> {noformat}
>
> Mina SSHD (master) waits for further input, and the connection is only closed
> when the auth timeout is reached (2 minutes currently):
> {noformat}
> $ curl -v http://127.0.0.1:51328/
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:51328
> > Accept: */*
> >
> SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
> {noformat}
>
> (In 0.9, there was also a bug that caused the auth timeout to never be
> triggered, but that seems to have been fixed in 0.10 due to the work on
> SSHD-282.)
>
> The code for this is in {{AbstractSession#doReadIdentification}}. I'm not
> sure if it should be as strict as OpenSSH ([which only looks at the first
> line|https://github.com/openssh/openssh-portable/blob/146218ac11a1eb0dcade6f793d7acdef163b5ddc/sshd.c#L472]),
> but maybe it would be worth making this configurable.
>
> A workaround is possible by providing a custom {{SessionFactory}} and
> {{ServerSession}} and overriding {{doReadIdentification}}.
>
> For background, see this Stash issue:
> https://jira.atlassian.com/browse/STASH-5480

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
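
The strict first-line policy the issue attributes to OpenSSH, sketched as a stand-alone check. This is an added example, not code from the issue or from MINA SSHD; the class, enum and method names are hypothetical, and it assumes the server only accepts protocol 2.0 clients. The sample inputs are constructed from the curl sessions quoted above.

```java
import java.nio.charset.StandardCharsets;

public class IdentCheck {
    enum Verdict { NEED_MORE, ACCEPT, REJECT }

    // RFC 4253 section 4.2: the identification string is at most 255
    // characters, CR LF included.
    static final int MAX_LINE = 255;

    /**
     * Decide on the first received line only, so a non-SSH peer is dropped
     * as soon as its first line arrives instead of at the auth timeout.
     */
    static Verdict checkFirstLine(byte[] buf, int len) {
        int nl = -1;
        for (int i = 0; i < len && i < MAX_LINE; i++) {
            if (buf[i] == '\n') { nl = i; break; }
        }
        if (nl < 0) {
            // No line terminator yet: wait, unless the peer already sent
            // more than a legal identification line can hold.
            return len >= MAX_LINE ? Verdict.REJECT : Verdict.NEED_MORE;
        }
        String line = new String(buf, 0, nl, StandardCharsets.US_ASCII);
        if (line.endsWith("\r")) {
            line = line.substring(0, line.length() - 1);
        }
        // Assumption: only protocol version 2.0 is served.
        return line.startsWith("SSH-2.0-") ? Verdict.ACCEPT : Verdict.REJECT;
    }

    public static void main(String[] args) {
        // Constructed inputs: an SSH client, the HTTP request from the
        // issue, and an identification line that is still incomplete.
        String[] samples = {
            "SSH-2.0-OpenSSH_6.6.1\r\n",
            "GET / HTTP/1.1\r\nUser-Agent: curl/7.37.1\r\n",
            "SSH-2.0-part",
        };
        for (String s : samples) {
            byte[] b = s.getBytes(StandardCharsets.US_ASCII);
            String first = s.split("\r\n")[0];
            System.out.println(checkFirstLine(b, b.length) + " <- " + first);
        }
    }
}
```

The NEED_MORE case still depends on a read timeout, so a peer that connects and sends nothing is only bounded by that timer.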