[
https://issues.apache.org/jira/browse/SSHD-372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14222768#comment-14222768
]
Robin Stocker commented on SSHD-372:
------------------------------------
Also see section 4.2 in [RFC 4253|http://www.ietf.org/rfc/rfc4253.txt]:
{quote}
When the connection has been established, both sides MUST send an
identification string. This identification string MUST be
SSH-protoversion-softwareversion SP comments CR LF
{quote}
> Server doesn't reject connections that don't send client identification, has
> to time out
> ----------------------------------------------------------------------------------------
>
> Key: SSHD-372
> URL: https://issues.apache.org/jira/browse/SSHD-372
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 0.14.0
> Reporter: Robin Stocker
>
> Given a client that incorrectly tries to connect to Mina SSHD using HTTP
> (such as a Git client using an incorrect remote URL), Mina SSHD is much less
> strict than OpenSSH.
> OpenSSH immediately closes the connection:
> {noformat}
> $ curl -v http://127.0.0.1:4722/
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:4722
> > Accept: */*
> >
> SSH-2.0-OpenSSH_6.6.1
> Protocol mismatch.
> * Connection #0 to host 127.0.0.1 left intact
> $
> {noformat}
> Mina SSHD (master) waits for further input, and the connection is only closed
> when the auth timeout is reached (2 minutes currently):
> {noformat}
> $ curl -v http://127.0.0.1:51328/
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:51328
> > Accept: */*
> >
> SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
> {noformat}
> (In 0.9, there was also a bug that caused the auth timeout to never be
> triggered, but that seems to have been fixed in 0.10 due to the work on
> SSHD-282.)
> The code for this is in {{AbstractSession#doReadIdentification}}. I'm not
> sure if it should be as strict as OpenSSH ([which only looks at the first
> line|https://github.com/openssh/openssh-portable/blob/146218ac11a1eb0dcade6f793d7acdef163b5ddc/sshd.c#L472]),
> but maybe it would be worth to make this configurable.
> A workaround is possible by providing a custom {{SessionFactory}} and
> {{ServerSession}} and overriding {{doReadIdentification}}.
> For background, see this Stash issue:
> https://jira.atlassian.com/browse/STASH-5480
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
