Robin Stocker created SSHD-372:
----------------------------------
Summary: Server doesn't reject connections that don't send client
identification, has to time out
Key: SSHD-372
URL: https://issues.apache.org/jira/browse/SSHD-372
Project: MINA SSHD
Issue Type: Improvement
Affects Versions: 0.14.0
Reporter: Robin Stocker
Given a client that incorrectly tries to connect to Mina SSHD using HTTP (such
as a Git client using an incorrect remote URL), Mina SSHD is much less strict
than OpenSSH.
OpenSSH immediately closes the connection:
{noformat}
$ curl -v http://127.0.0.1:4722/
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:4722
> Accept: */*
>
SSH-2.0-OpenSSH_6.6.1
Protocol mismatch.
* Connection #0 to host 127.0.0.1 left intact
$
{noformat}
Mina SSHD (master) waits for further input, and the connection is only closed
when the auth timeout is reached (2 minutes currently):
{noformat}
$ curl -v http://127.0.0.1:51328/
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:51328
> Accept: */*
>
SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
{noformat}
(In 0.9, there was also a bug that caused the auth timeout to never be
triggered, but that seems to have been fixed in 0.10 due to the work on
SSHD-282.)
The code for this is in {{AbstractSession#doReadIdentification}}. I'm not sure
if it should be as strict as OpenSSH ([which only looks at the first
line|https://github.com/openssh/openssh-portable/blob/146218ac11a1eb0dcade6f793d7acdef163b5ddc/sshd.c#L472]),
but maybe it would be worth making this configurable.
A workaround is possible by providing a custom {{SessionFactory}} and
{{ServerSession}} and overriding {{doReadIdentification}}.
For background, see this Stash issue:
https://jira.atlassian.com/browse/STASH-5480
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
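To make the difference described in the report concrete, here is an added example (not code from MINA SSHD, OpenSSH or the reporter) of an identification-string reader in Python. It implements the RFC 4253 section 4.2 rules (SSH-protoversion-softwareversion, optional comment, at most 255 bytes including CRLF) and takes a hypothetical strict flag: in strict mode the very first line must be the version string, which is the first-line-only behaviour of the linked sshd.c; in lenient mode non-"SSH-" lines are skipped, which is what an SSH client must do with a server's pre-banner lines, and which on the curl request from the report never produces a decision and so just keeps waiting. The sample inputs are constructed from the curl output above; the function and constant names are this example's own.

```python
import re

# RFC 4253, section 4.2: the identification string is
#     SSH-protoversion-softwareversion SP comments CR LF
# and the whole line, CRLF included, MUST NOT exceed 255 bytes.
MAX_IDENT_LINE = 255
# softwareversion contains '-' in practice (e.g. SSHD-CORE-0.13.1-SNAPSHOT),
# so only whitespace terminates it; protoversion never contains '-'.
IDENT_RE = re.compile(rb"^SSH-(?P<proto>[^-\s]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")
SUPPORTED_PROTO = {b"2.0", b"1.99"}


def read_identification(buf, strict=True):
    """Decide what to do with the bytes received so far from a new peer.

    strict=True  : the first line must be the version string; anything else
                   gets 'Protocol mismatch.' and the connection is closed,
                   which is what the linked sshd.c does.
    strict=False : lines not starting with "SSH-" are skipped, as an SSH
                   *client* must do with pre-banner lines from a server
                   (RFC 4253 section 4.2); a server has no reason to allow it.

    Returns ("need_more", None), ("reject", reason) or
    ("accept", (protoversion, softwareversion, comments)).
    """
    pos = 0
    while True:
        nl = buf.find(b"\n", pos)
        if nl == -1:
            # No complete line yet: keep reading, but bound how much we buffer.
            if len(buf) - pos >= MAX_IDENT_LINE:
                return ("reject", "identification line too long")
            return ("need_more", None)
        if nl - pos + 1 > MAX_IDENT_LINE:
            return ("reject", "identification line too long")
        line = buf[pos:nl].rstrip(b"\r")  # tolerate a bare LF as well as CRLF
        if not line.startswith(b"SSH-"):
            if strict:
                return ("reject", "Protocol mismatch.")
            pos = nl + 1  # lenient: skip this line and look at the next one
            continue
        m = IDENT_RE.match(line)
        if m is None:
            return ("reject", "malformed identification string")
        proto = m.group("proto")
        if proto not in SUPPORTED_PROTO:
            return ("reject", "unsupported protocol version %s"
                    % proto.decode("ascii", "replace"))
        comment = m.group("comment") or b""
        return ("accept", (proto.decode("ascii"),
                           m.group("soft").decode("ascii", "replace"),
                           comment.decode("ascii", "replace")))


# Constructed samples: the curl request shown in the report, and the two
# server banners that appear in its output, reused here as client banners.
CURL_HTTP_REQUEST = (b"GET / HTTP/1.1\r\nUser-Agent: curl/7.37.1\r\n"
                     b"Host: 127.0.0.1:4722\r\nAccept: */*\r\n\r\n")
OPENSSH_BANNER = b"SSH-2.0-OpenSSH_6.6.1\r\n"
MINA_BANNER = b"SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT\r\n"

if __name__ == "__main__":
    for label, data, strict in [("curl request, strict", CURL_HTTP_REQUEST, True),
                                ("curl request, lenient", CURL_HTTP_REQUEST, False),
                                ("OpenSSH banner", OPENSSH_BANNER, True),
                                ("MINA banner", MINA_BANNER, True)]:
        print("%-22s -> %r" % (label, read_identification(data, strict)))
```

The strict reader answers the HTTP request on its first line, so a misdirected Git client is told "Protocol mismatch." and disconnected at once instead of holding a session slot until the auth timeout; the lenient reader returns "need_more" on the same bytes, which is exactly the waiting the report observes. Even a lenient reader should keep the 255-byte per-line bound, otherwise a peer can feed unbounded non-SSH data before ever sending a version string.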