David Karlsen managed to find what I'm going to call a "difference" in Wagon SSH :)

Affected: users that have a plaintext password for ssh in settings.xml with keyboard-interactive and plaintext password authentication enabled on the server and no private key being used.

Explanation:
In beta-2, the keyboard-interactive method used the TraditionalKeyboardInteractive class in Wagon which had a hack in it that if it was asking for a password, would pass back the one from the settings. More than a year ago the default handler was switched to one that prompts (which could conceivably hide passwords with jline) [1].

As a consequence, keyboard-interactive now prompts for a password, even if the password is in the settings. I think this is technically the correct behaviour for Wagon - if the server doesn't allow plaintext passwords, but does allow keyboard interactive, I don't think we should be passing in the password from settings.xml.

The improved fix I put in place is to tell the server you'd prefer to auth by plaintext password first, if it is given [2]. If the server rejects that, then you get keyboard-interactive.

Even though the new behaviour is correct in some regards, it is not intuitive for Maven users. The user workarounds are:
* add a build extension for wagon 1.0-beta-2 / 1.0-beta-5-SNAPSHOT (obviously preferable)
* set AllowChallengeResponse no on the ssh server
* don't use plaintext passwords

Instead of needing a Wagon release, I was able to put a straightforward (but temporary, to be removed after a later wagon upgrade) fix in to Maven [3].

Cheers,
Brett

[1] http://svn.apache.org/viewvc/maven/wagon/trunk/wagon-providers/wagon-ssh/src/main/java/org/apache/maven/wagon/providers/ssh/jsch/AbstractJschWagon.java?view=diff&r1=515352&r2=515353
[2] http://svn.apache.org/viewvc/maven/wagon/trunk/wagon-providers/wagon-ssh/src/main/java/org/apache/maven/wagon/providers/ssh/jsch/AbstractJschWagon.java?view=diff&r1=686208&r2=686209
[3] http://svn.apache.org/viewvc?rev=686244&view=rev

On 15/08/2008, at 2:28 PM, John Casey wrote:

Hi,

As you've undoubtedly noticed, the RC7 distro didn't last very long before a nasty bug showed up...actually two, but they were related.

At any rate, they're fixed, and here is yet another release candidate. You can get RC8 here:

http://people.apache.org/~jdcasey/stage/apache-maven/2.0.10-RC8/org/apache/maven/apache-maven/2.0.10-RC8

Thanks for your patience during this release process. I know it's drawn out and getting a little old, but we're getting there. The bottom line is: we need many, many more integration tests to shorten this process. For now, all we can do is add use cases as we come across them.

Good luck, and happy testing!

-john

--
John Casey
Developer, PMC Member - Apache Maven (http://maven.apache.org)
Blog: http://www.ejlife.net/blogs/buildchimp/



--
Brett Porter
[EMAIL PROTECTED]
http://blogs.exist.com/bporter/
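
The effect of authentication method ordering described in the message above, modelled as an added example (not code from the original e-mail, from Wagon or from JSch). The method orders, the `negotiate` helper and the sample password are assumptions made for illustration, and the model treats password authentication as accepted whenever the server offers it.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Illustrative model of SSH userauth method selection; hypothetical helper, not Wagon/JSch code.
public class AuthOrderDemo {

    // Walks the client's preferred methods and reports which one ends up being used.
    // kiAnswersFromSettings models the old handler that replied to the
    // keyboard-interactive challenge with the stored password instead of prompting.
    static String negotiate(List<String> preferred, Set<String> serverAllows,
                            String settingsPassword, boolean kiAnswersFromSettings) {
        for (String method : preferred) {
            if (!serverAllows.contains(method)) {
                continue; // server does not offer this method, try the next one
            }
            if (method.equals("password") && settingsPassword != null) {
                return "password: stored settings.xml password sent, no prompt";
            }
            if (method.equals("keyboard-interactive")) {
                return (kiAnswersFromSettings && settingsPassword != null)
                        ? "keyboard-interactive: stored password passed back, no prompt"
                        : "keyboard-interactive: user is prompted";
            }
        }
        return "no usable method: authentication fails";
    }

    public static void main(String[] args) {
        Set<String> both = new HashSet<>(Arrays.asList("password", "keyboard-interactive"));
        Set<String> kiOnly = Collections.singleton("keyboard-interactive");
        List<String> kiFirst = Arrays.asList("keyboard-interactive", "password"); // assumed old order
        List<String> pwFirst = Arrays.asList("password", "keyboard-interactive"); // order after the fix
        String pw = "constructed-sample-password"; // constructed value, stands in for settings.xml

        // beta-2 behaviour: challenge answered from settings.
        System.out.println(negotiate(kiFirst, both, pw, true));
        // Prompting handler, old order: user is prompted although a password is configured.
        System.out.println(negotiate(kiFirst, both, pw, false));
        // Password preferred first: stored password is used when the server allows it.
        System.out.println(negotiate(pwFirst, both, pw, false));
        // Server rejects plaintext password auth: falls back to a prompt, password is not sent.
        System.out.println(negotiate(pwFirst, kiOnly, pw, false));
    }
}
```

The last case is the one that matters for credential handling: when the server offers only keyboard-interactive, the stored password is never handed to the challenge and the user is prompted instead.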