[
https://issues.apache.org/jira/browse/SSHD-372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14316491#comment-14316491
]
Guillaume Nodet commented on SSHD-372:
--------------------------------------
The spec also says:
The server MAY send other lines of data before sending the version
string. Each line SHOULD be terminated by a Carriage Return and Line
Feed. Such lines MUST NOT begin with "SSH-", and SHOULD be encoded
in ISO-10646 UTF-8 [RFC3629] (language is not specified). Clients
MUST be able to process such lines. Such lines MAY be silently
ignored, or MAY be displayed to the client user. If they are
displayed, control character filtering, as discussed in [SSH-ARCH],
SHOULD be used. The primary use of this feature is to allow TCP-
wrappers to display an error message before disconnecting.
That's why the code is written this way. But this only apply to the client
side, so i'll enhance the server to fail fast.
> Server doesn't reject connections that don't send client identification, has
> to time out
> ----------------------------------------------------------------------------------------
>
> Key: SSHD-372
> URL: https://issues.apache.org/jira/browse/SSHD-372
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 0.14.0
> Reporter: Robin Stocker
> Assignee: Guillaume Nodet
> Fix For: 0.14.0
>
>
> Given a client that incorrectly tries to connect to Mina SSHD using HTTP
> (such as a Git client using an incorrect remote URL), Mina SSHD is much less
> strict than OpenSSH.
> OpenSSH immediately closes the connection:
> {noformat}
> $ curl -v http://127.0.0.1:4722/
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:4722
> > Accept: */*
> >
> SSH-2.0-OpenSSH_6.6.1
> Protocol mismatch.
> * Connection #0 to host 127.0.0.1 left intact
> $
> {noformat}
> Mina SSHD (master) waits for further input, and the connection is only closed
> when the auth timeout is reached (2 minutes currently):
> {noformat}
> $ curl -v http://127.0.0.1:51328/
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:51328
> > Accept: */*
> >
> SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
> {noformat}
> (In 0.9, there was also a bug that caused the auth timeout to never be
> triggered, but that seems to have been fixed in 0.10 due to the work on
> SSHD-282.)
> The code for this is in {{AbstractSession#doReadIdentification}}. I'm not
> sure if it should be as strict as OpenSSH ([which only looks at the first
> line|https://github.com/openssh/openssh-portable/blob/146218ac11a1eb0dcade6f793d7acdef163b5ddc/sshd.c#L472]),
> but maybe it would be worth to make this configurable.
> A workaround is possible by providing a custom {{SessionFactory}} and
> {{ServerSession}} and overriding {{doReadIdentification}}.
> For background, see this Stash issue:
> https://jira.atlassian.com/browse/STASH-5480
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
