[
https://issues.apache.org/jira/browse/SSHD-850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16655582#comment-16655582
]
Thomas Wolf commented on SSHD-850:
----------------------------------
I don't quite understand that. As far as I see, KeyPairProviders are intended
to lazily load keys already. Overriding and re-implementing {{doLoadKey(String
resourceKey, InputStream inputStream, FilePasswordProvider provider)}} should
be good enough.
But it remains a big ugly hack in my opinion. Doing it at that level requires
guessing things (such as if I get an IOException before I asked for a
password, it's some other problem, don't retry, but if I get one after, then
it is in all likelihood an indication of a wrong password). That's why I think
it'd be much better implemented in core, at the place(s) where
{{getPassword()}} is called. There one knows much more, and is not restricted
to guesswork (which may moreover break if the core implementation changes). One
is also still left with the problem of how exactly to pass in the desired
number of attempts. Perhaps through the {{FilePasswordProvider}} or a new
subclass thereof (which could even provide a {{getPasswordAgain()}} method),
but if the same one is used for different sessions, that may still get messy.
But lazy-loading keys is problematic anyway with the default {{SshClient}}
since {{SshClient.connect(HostConfigEntry hostConfig)}} pre-loads all
identities from the {{HostConfigEntry}} anyway. At that point it'll ask for
passwords even for keys that may finally not even be used.
Oh, and the {{ClientIdentityLoader}} would also have to be re-done.
> Add capability to retry a failed private key decryption when client is
> decrypting private key file(s)
> -----------------------------------------------------------------------------------------------------
>
> Key: SSHD-850
> URL: https://issues.apache.org/jira/browse/SSHD-850
> Project: MINA SSHD
> Issue Type: New Feature
> Affects Versions: 2.0.0, 2.1.0
> Reporter: Thomas Wolf
> Priority: Minor
>
> In openssh, the ssh config entry NumberOfPasswordPrompts controls the number
> of times the ssh client keeps asking for a password if the one entered was
> invalid in two cases:
> # keyboard-interactive authentication, and
> # asking for passwords for encrypted private keys in identity files in
> pubkey authentication (see [openssh sources;
> sshconnect2.c|https://github.com/openssh/openssh-portable/blob/1a4a9cf/sshconnect2.c#L1380]).
> sshd-core only has support for (1) through setting the property
> {{ClientAuthenticationManager.PASSWORD_PROMPTS}} in the session's properties.
> There doesn't seem to be any support for FilePasswordProvider to make it
> respect this value.
> {{AbstractPEMResourceKeyPairParser.extractkeyPairs()}} and also
> {{BouncyCastleKeyPairResourceParser.loadKeyPair()}} call
> {{FilePasswordProvider.getPassword()}} exactly once.
> So how can I write a ssh client using sshd that asks the user
> NumberOfPasswordPrompts times? Either I'm missing something, or there is some
> support for this missing in sshd.
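The guess described in the comment above (an IOException before any password request is some other problem, one after it is probably a wrong password), written out as an added Java example. It is not code from sshd-core or from the commenter; `PasswordSource`, `KeyDecoder`, `loadWithRetry` and `maxPrompts` are hypothetical stand-ins, and the typed passwords are constructed sample input.

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

public class RetryingKeyLoad {
    // Hypothetical stand-ins for a password callback and a key parser; not sshd-core types.
    interface PasswordSource { String getPassword(String resourceKey) throws IOException; }
    interface KeyDecoder { String decode(String resourceKey, PasswordSource passwords) throws IOException; }

    // Records whether the decoder actually asked for a password during one attempt.
    static final class Tracking implements PasswordSource {
        private final PasswordSource delegate;
        boolean asked;
        Tracking(PasswordSource delegate) { this.delegate = delegate; }
        @Override public String getPassword(String resourceKey) throws IOException {
            asked = true;
            return delegate.getPassword(resourceKey);
        }
    }

    // Bounded retry: at most maxPrompts decode attempts, never an open-ended loop.
    static String loadWithRetry(String resourceKey, KeyDecoder decoder,
                                PasswordSource passwords, int maxPrompts) throws IOException {
        IOException last = null;
        for (int attempt = 1; attempt <= maxPrompts; attempt++) {
            Tracking tracking = new Tracking(passwords);
            try {
                return decoder.decode(resourceKey, tracking);
            } catch (IOException e) {
                if (!tracking.asked) throw e; // failed before any prompt: not a password problem
                last = e;                     // failed after a prompt: assumed wrong password (a guess)
            }
        }
        throw new IOException("Giving up on " + resourceKey + " after " + maxPrompts + " attempts", last);
    }

    public static void main(String[] args) throws IOException {
        Deque<String> typed = new ArrayDeque<>(List.of("wrong", "s3cret")); // constructed input
        KeyDecoder decoder = (key, pw) -> {   // toy decoder: fails unless the password matches
            if (!"s3cret".equals(pw.getPassword(key))) throw new IOException("bad padding");
            return "decoded:" + key;
        };
        System.out.println(loadWithRetry("id_rsa", decoder, k -> typed.poll(), 3));
    }
}
```

The `asked` flag is the only signal this wrapper has, so an I/O failure that happens after the prompt for an unrelated reason is also treated as a wrong password, which is the guesswork the comment objects to.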