[ https://issues.apache.org/jira/browse/SSHD-1063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17184604#comment-17184604 ]
Lyor Goldstein commented on SSHD-1063:
--------------------------------------
I have written a unit test that duplicates the flow you mention (see
{{KnownHostsServerKeyVerifierTest#testUpdateSameHostWithDifferentPort}} at
[https://github.com/lgoldstein/mina-sshd/tree/SSHD-1063]) and cannot reproduce
it. It seems like there is more going on here than what you describe. Can you
reproduce the behavior and do the following:
* In your code replace the {{((sshClientSession, remoteAddress, serverKey) ->
true)}} and {{(clientSession, remoteAddress, entry, expected, actual) ->
false}} to include some logging about being invoked - make sure to include the
public key +fingerprint+ in the log message (see {{KeyUtils#getFingerPrint}}
method).
* Start with an empty/non-existing {{/tmp/known_hosts}}
* Connect to port 20 and then disconnect
* Take a "snapshot" of the {{/tmp/known_hosts}} file (simply +copy+ it to some
other location - let's call it {{known-22}})
* Try connecting to +same host+ on port 2020 - make sure server key validation
fails as before
* Take another "snapshot" of the {{/tmp/known_hosts}} file (let's call it
{{known-2020}})
Attach the 2 files to this issue. I would also recommend enabling the DEBUG
logging for {{KnownHostsServerKeyVerifier}} and attaching its log as well.
Hopefully it may clarify the issue...
Repeat the above, only this time 1st connect to 2020 and then to 22.
> KnownHostsServerKeyVerifier fail with alternative ports (non 22/TCP)
> --------------------------------------------------------------------
>
> Key: SSHD-1063
> URL: https://issues.apache.org/jira/browse/SSHD-1063
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.5.1
> Reporter: Guillermo Grandes
> Assignee: Lyor Goldstein
> Priority: Minor
>
> First connection, to port 22, create entry in known_hosts (this is OK).
> {code:none}
> 2020-08-21 18:09:56.249 [connection:host-1-p22-1] [INFO] SSHClient -
> Connecting to: [email protected]:22
> 2020-08-21 18:09:56.489 [connection:host-1-p22-1] [INFO] SSHClient - Session
> established: [email protected]:22
> {code}
> After disconnect, a second connection, but to port 2020, same IP but another
> port (responded by another ssh-service), connection fails (detect changed
> key, this is bad).
> {code:none}
> 2020-08-21 18:10:02.174 [connection:host-1-p2020-1] [INFO] SSHClient -
> Connecting to: [email protected]:2020
> 2020-08-21 18:10:02.529 [sshd-SshClient[47d4d899]-nio2-thread-9] [WARN]
> ClientSessionImpl -
> exceptionCaught(ClientSessionImpl[test-sshd@hostname/192.168.7.5:2020])[state=Opened]
> SshException: Server key did not validate
> 2020-08-21 18:10:02.529 [sshd-SshClient[47d4d899]-nio2-thread-9] [INFO]
> ClientSessionImpl -
> Disconnecting(ClientSessionImpl[test-sshd@hostname/192.168.7.5:2020]):
> SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - Server key did not validate
> 2020-08-21 18:10:02.529 [sshd-SshClient[47d4d899]-nio2-thread-9] [WARN]
> ClientSessionImpl -
> disconnect(ClientSessionImpl[test-sshd@hostname/192.168.7.5:2020]) operation
> failed (ClosedChannelException) for
> reason=SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE [Server key did not validate]:
> null
> 2020-08-21 18:10:02.529 [connection:host-1-p2020-1] [ERROR] SSHClient -
> IOException: org.apache.sshd.common.SshException: Server key did not validate
> {code}
> If the first connection is to port 2020, and second is to port 22, two
> entries are created in known_hosts and all works fine.
> To reproduce, with this snippet of code:
> {code:java}
> import java.io.File;
> import org.apache.sshd.client.SshClient;
> import org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier;
>
> final File knownHost = new File("/tmp/known_hosts");
> knownHost.delete();
> knownHost.createNewFile();
> // Accept unknown server keys (the delegate is consulted when no known_hosts entry matches)
> KnownHostsServerKeyVerifier hostVerifier = new KnownHostsServerKeyVerifier(
>         (sshClientSession, remoteAddress, serverKey) -> true, knownHost.toPath());
> // Reject a server key that differs from the recorded entry for the same host pattern
> hostVerifier.setModifiedServerKeyAcceptor(
>         (clientSession, remoteAddress, entry, expected, actual) -> false);
> SshClient client = SshClient.setUpDefaultClient();
> client.setServerKeyVerifier(hostVerifier);
> client.start();
> // ...etc...
> {code}
> * Connect to server A, port 22.
> * Connect to server A, port 2020 (for test, I'm using rinetd redirecting 2020
> in server A to server B in port 22).
> My intuition tells me that the solution (or maybe workaround) could be this
> little change:
> {code:java}
> // class: org.apache.sshd.client.config.hosts.KnownHostHashValue
> public static <A extends Appendable> A appendHostPattern(A sb, String
> host, int port) throws IOException {
> - boolean nonDefaultPort = (port > 0) && (port !=
> SshConstants.DEFAULT_PORT);
> + boolean nonDefaultPort = true;
> {code}
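Review bot: hard-coding {{nonDefaultPort = true}} changes how default-port entries are written and looked up, not only how port 2020 is handled: an existing known_hosts line recorded as a bare host (the form used for port 22 under the original {{(port > 0) && (port != SshConstants.DEFAULT_PORT)}} condition, and the form OpenSSH writes) would no longer match a lookup for {{[host]:22}}, so a second entry would be appended instead of the recorded key being verified. If the intent is to keep the port 22 and port 2020 entries distinct, keep the original condition for the write path and first establish which pattern the lookup on the second connection actually matches, as the maintainer's comment asks.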
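To make the two host-pattern rules under discussion concrete (the maintainer's reproduction steps above and the reporter's proposed change to {{appendHostPattern}}), here is an added example that is not mina-sshd code and not part of this issue. It is a toy known_hosts verifier in Python that models the rule in {{KnownHostHashValue#appendHostPattern}}: a bare {{host}} pattern for port 22, {{[host]:port}} for any other port. The {{always_bracket}} flag models the proposed {{nonDefaultPort = true}} change. The host keys are constructed placeholders, the server at 192.168.7.5 is the reporter's example address, and hashed entries, wildcards and marker lines are deliberately not handled.

```python
"""Toy known_hosts verifier (added example; not mina-sshd code).

Models the host-pattern rule discussed in SSHD-1063: OpenSSH-style
known_hosts entries use a bare ``host`` pattern for the default port 22
and ``[host]:port`` for any other port. Hashed entries, wildcard patterns
and @marker lines are intentionally not supported.
"""

DEFAULT_PORT = 22  # SshConstants.DEFAULT_PORT in mina-sshd

# Constructed placeholder keys as (key type, base64 blob); not real host keys.
KEY_A = ("ssh-ed25519", "AAAAC3-constructed-key-of-server-A")  # server A, port 22
KEY_B = ("ssh-ed25519", "AAAAC3-constructed-key-of-server-B")  # server B via port 2020


def host_pattern(host, port, always_bracket=False):
    """Pattern written to and looked up in known_hosts for (host, port).

    always_bracket=True models the proposed change (nonDefaultPort = true):
    every entry, including port 22, becomes [host]:port.
    """
    if always_bracket or (port > 0 and port != DEFAULT_PORT):
        return f"[{host}]:{port}"
    return host


class KnownHosts:
    """In-memory known_hosts file: one 'patterns keytype keydata' line per entry."""

    def __init__(self, lines=None):
        self.lines = list(lines or [])

    def _entries(self):
        for raw in self.lines:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            if len(parts) < 3:
                continue  # malformed line; ignore rather than match it
            yield parts[0].split(","), parts[1], parts[2]

    def verify(self, host, port, keytype, keydata, always_bracket=False):
        """Return 'known', 'modified' or 'unknown'.

        'modified' means an entry exists for this exact host pattern and key
        type but with a different key, i.e. the case the modified-key acceptor
        in the issue rejects. 'unknown' records the key, as the accept-unknown
        delegate in the issue does.
        """
        pattern = host_pattern(host, port, always_bracket)
        for patterns, ktype, kdata in self._entries():
            if pattern in patterns and ktype == keytype:
                return "known" if kdata == keydata else "modified"
        self.lines.append(f"{pattern} {keytype} {keydata}")
        return "unknown"


def run_scenario(ports, always_bracket=False, existing=None):
    """Replay the issue's flow: connect to 192.168.7.5 on each port in order.

    Port 22 presents KEY_A; any other port presents KEY_B (the rinetd
    redirect to server B). Returns the verdict per connection and the
    resulting known_hosts lines.
    """
    kh = KnownHosts(existing)
    verdicts = []
    for port in ports:
        keytype, keydata = KEY_A if port == DEFAULT_PORT else KEY_B
        verdicts.append(kh.verify("192.168.7.5", port, keytype, keydata, always_bracket))
    return verdicts, kh.lines


if __name__ == "__main__":
    for order in ([22, 2020], [2020, 22]):
        verdicts, lines = run_scenario(order)
        print(order, verdicts)
        for line in lines:
            print("   ", line)
```

With the original rule, both connection orders yield two distinct entries and no "modified" verdict, which matches what the maintainer's unit test observes. With {{always_bracket=True}} a pre-existing bare-host line for port 22 is no longer matched, so a duplicate {{[host]:22}} entry is appended instead of the recorded key being checked; that is the side effect the proposed change would carry.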