[ https://issues.apache.org/jira/browse/SSHD-1218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17433374#comment-17433374 ]

Thomas Wolf commented on SSHD-1218:
-----------------------------------

The order in OpenSSH is:
 1. certificates listed in the config file
 2. other input certificates
 3. agent keys that are found in the config file
 4. other agent keys
 5. keys that are only listed in the config file

See 
https://github.com/openssh/openssh-portable/blob/d575cf44895104e0fcb0629920fb645207218129/sshconnect2.c#L1635

The Apache MINA sshd order doesn't match that anyway. But the other three 
points can be fixed easily enough.

> Pubkey auth: keys from ssh-agent are used even if 
> HostConfigEntry.isIdentitiesOnly() is true
> --------------------------------------------------------------------------------------------
>
>                 Key: SSHD-1218
>                 URL: https://issues.apache.org/jira/browse/SSHD-1218
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.7.0
>            Reporter: Thomas Wolf
>            Priority: Major
>
> {{UserAuthPublicKeyIterator}} unconditionally includes keys from the SSH 
> agent if there is an {{SshAgentFactory}}. This should be done only if 
> {{!HostConfigEntry.isIdentitiesOnly()}}.
> Also, there is a completely superfluous requirement that the SshAgentFactory 
> return a non-null {{SshAgent}} in that iterator. 
> {{UserAuthPublicKeyIterator.initializeAgentIdentities()}} could just return 
> {{null}} in that case.
> Furthermore it would be useful if the session was passed through to 
> {{SshAgentFactory.createAgent()}}.
> Finally, the ordering of keys from different sources seems to be strange. 
> Agent keys always come first, then the session keys. The session keys are the 
> ones set explicitly, plus then the default keys. So the order is <agent, 
> explicit, default>. I think this should be <explicit, agent, default>.
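
The ordering and the IdentitiesOnly filter discussed in this thread, as an added example that is not part of the original message and is neither OpenSSH nor Apache MINA sshd code. It models the five-step OpenSSH order from the comment next to the <agent, explicit, default> behaviour the issue reports for 2.7.0; the function names, source labels and key names are hypothetical, and the IdentitiesOnly handling assumes the ssh_config(5) wording (agent identities not configured are not used).

```python
# Model of public-key offer ordering. All key names are constructed samples.

def openssh_order(config_certs, other_certs, config_keys, agent_keys,
                  identities_only=False):
    """Return (source, key) pairs in the five-step order listed in the comment.

    Assumption: identities_only drops only agent keys that are not listed in
    the config file; certificates are passed through unchanged by this model.
    """
    configured = set(config_keys)
    in_agent = set(agent_keys)
    order = [("config-cert", c) for c in config_certs]            # step 1
    order += [("other-cert", c) for c in other_certs]             # step 2
    order += [("agent+config", k) for k in agent_keys
              if k in configured]                                 # step 3
    if not identities_only:
        order += [("agent", k) for k in agent_keys
                  if k not in configured]                         # step 4
    # A configured key that the agent also holds was already offered in step 3.
    order += [("config-file", k) for k in config_keys
              if k not in in_agent]                               # step 5
    return order


def reported_order(agent_keys, explicit_keys, default_keys,
                   identities_only=False):
    """Order as described in the issue for 2.7.0: <agent, explicit, default>.

    identities_only is accepted but deliberately ignored, which is the
    reported defect: every agent key is offered regardless of the flag.
    """
    return ([("agent", k) for k in agent_keys]
            + [("explicit", k) for k in explicit_keys]
            + [("default", k) for k in default_keys])


def unconfigured_keys_offered(order, configured):
    """Keys that would be offered to the server although not configured."""
    return [k for src, k in order
            if not src.endswith("cert") and k not in configured]


if __name__ == "__main__":
    cfg = ["key-work", "key-deploy"]            # constructed IdentityFile keys
    agent = ["key-personal", "key-work"]        # constructed agent contents
    for src, key in openssh_order(["cert-A"], [], cfg, agent, True):
        print(src, key)
    leaked = unconfigured_keys_offered(reported_order(agent, cfg, [], True), cfg)
    print("offered despite IdentitiesOnly:", leaked)
```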


