[
https://issues.apache.org/jira/browse/SSHD-300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13936335#comment-13936335
]
Guillaume Nodet commented on SSHD-300:
--------------------------------------
The patch isn't correct as the client could send several requests with
different keys and the second key would simply be acknowledge without any
verification.
What you need is a PublickeyAuthenticator that would cache the key verification
for a given session and delegate to the real one. The result could be stored
in a map indexed by the session and the map would be cleared when the session
is closed (this can be done by adding a listener to the session).
Here's one which seems to work, though I haven't committed yet:
{code}
public class CachingPublicKeyAuthenticator implements PublickeyAuthenticator,
SessionListener {
private final PublickeyAuthenticator authenticator;
private final Map<ServerSession, Map<PublicKey, Boolean>> cache = new
ConcurrentHashMap<ServerSession, Map<PublicKey, Boolean>>();
public CachingPublicKeyAuthenticator(PublickeyAuthenticator authenticator) {
this.authenticator = authenticator;
}
public boolean authenticate(String username, PublicKey key, ServerSession
session) {
Map<PublicKey, Boolean> map = cache.get(session);
if (map == null) {
map = new HashMap<PublicKey, Boolean>();
cache.put(session, map);
session.addListener(this);
}
if (map.containsKey(key)) {
return map.get(key);
}
boolean result = authenticator.authenticate(username, key, session);
map.put(key, result);
return result;
}
public void sessionCreated(Session session) {
}
public void sessionEvent(Session sesssion, Event event) {
}
public void sessionClosed(Session session) {
cache.remove(session);
}
}
{code}
> Double public key authentication
> --------------------------------
>
> Key: SSHD-300
> URL: https://issues.apache.org/jira/browse/SSHD-300
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 0.10.1
> Reporter: David Ostrovsky
> Priority: Minor
> Attachments:
> 0001-SSHD-300-Prevent-double-public-key-authentication.patch
>
>
> PublickeyAuthenticator.authenticate() method is called twice, even though the
> first call of this method already authenticated the user and returned true.
> This is a preformance issue, as server may need to hit database/caches to
> retrieve the list of public key(s) for the user to preform the check against.
> Or the authenticate() implementation needs to be adjusted to preform the
> check that the user was alreay authenticated.
> Reproducer patch is attaced. The problem only occurs when the test is called
> from open SSH client. Own SSHD's client works as expected.
> To reproduce, start the attached unit test as Java application, and issue the
> command:
> ssh localhost -p 29418 -l joe
> [1] https://gerrit-review.googlesource.com/55193
>
--
This message was sent by Atlassian JIRA
(v6.2#6252)
