[
https://issues.apache.org/jira/browse/SSHD-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Panov updated SSHD-1229:
-------------------------------
Description:
Hello,
I've found that the
org.apache.sshd.client.session.ClientUserAuthService#clientMethods list can
be iterated over and over again until the client terminates the connection. This
happens when a server requires two-factor authentication. Although RFC 4252
[Page 5] ([https://www.ietf.org/rfc/rfc4252.txt]) recommends that the server
return only the authentication methods that have not yet been successfully
completed, some implementations ignore this. If the authentication is partially
successful but the server returns the same list of authentication methods, the
0th client authentication method will be used repeatedly: currentMethod is reset
to 0 on every partial failure, and because serverMethods still contains the
method that already succeeded, tryNext selects that same method again.
{code:java}
protected void processUserAuth(Buffer buffer) throws Exception {
...
if (cmd == SshConstants.SSH_MSG_USERAUTH_FAILURE) {
String mths = buffer.getString();
boolean partial = buffer.getBoolean();
if (log.isDebugEnabled()) {
log.debug("processUserAuth({}) Received
SSH_MSG_USERAUTH_FAILURE - partial={}, methods={}",
session, partial, mths);
}
if (partial || (serverMethods == null)) {
serverMethods = Arrays.asList(GenericUtils.split(mths, ','));
// If a server is always returning the same list of methods, the "next" client
method in clientMethods will be on index 0
currentMethod = 0;
if (userAuth != null) {
try {
try {
userAuth.signalAuthMethodFailure(
session, service, partial,
Collections.unmodifiableList(serverMethods), buffer);
} finally {
userAuth.destroy();
}
} finally {
userAuth = null;
}
}
} tryNext(cmd);
return;
}
...
}{code}
{code:java}
protected void tryNext(int cmd) throws Exception {
ClientSession session = getClientSession();
// Loop until we find something to try
for (boolean debugEnabled = log.isDebugEnabled();; debugEnabled =
log.isDebugEnabled()) {
...
String method = null;
for (; currentMethod < clientMethods.size(); currentMethod++) {
method = clientMethods.get(currentMethod); // Always selects the
0th client method when the previous authentication method was "partially
successful"
if (serverMethods.contains(method)) {
break;
}
}
...
}
} {code}
was:
Hello,
I've come across that the
org.apache.sshd.client.session.ClientUserAuthService#clientMethods list could
be iterated over and over again until a client terminates connection. This
happens when a server requires two-factor authentication. Despite RFC 4252
([https://www.ietf.org/rfc/rfc4252.txt)] recommends the server returning only
authentication methods that have not been successfully completed, some
implementations ignore this. If the authentication is partially successful, but
the server returns the same list of authentication methods, the 0th client
authentication method will be used repeatedly.
{code:java}
protected void processUserAuth(Buffer buffer) throws Exception {
...
if (cmd == SshConstants.SSH_MSG_USERAUTH_FAILURE) {
String mths = buffer.getString();
boolean partial = buffer.getBoolean();
if (log.isDebugEnabled()) {
log.debug("processUserAuth({}) Received
SSH_MSG_USERAUTH_FAILURE - partial={}, methods={}",
session, partial, mths);
}
if (partial || (serverMethods == null)) {
serverMethods = Arrays.asList(GenericUtils.split(mths, ','));
// If a server is always returning the same list of methods, the "next" client
method in clientMethods will be on index 0
currentMethod = 0;
if (userAuth != null) {
try {
try {
userAuth.signalAuthMethodFailure(
session, service, partial,
Collections.unmodifiableList(serverMethods), buffer);
} finally {
userAuth.destroy();
}
} finally {
userAuth = null;
}
}
} tryNext(cmd);
return;
}
...
}{code}
{code:java}
protected void tryNext(int cmd) throws Exception {
ClientSession session = getClientSession();
// Loop until we find something to try
for (boolean debugEnabled = log.isDebugEnabled();; debugEnabled =
log.isDebugEnabled()) {
...
String method = null;
for (; currentMethod < clientMethods.size(); currentMethod++) {
method = clientMethods.get(currentMethod); // Always selects the
0th client method when the previous authentication method was "partially
successful"
if (serverMethods.contains(method)) {
break;
}
}
...
}
} {code}
> Infinite clientMethods iteration in ClientUserAuthService
> ---------------------------------------------------------
>
> Key: SSHD-1229
> URL: https://issues.apache.org/jira/browse/SSHD-1229
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.7.0
> Reporter: Sergey Panov
> Priority: Major
>
> Hello,
>
> I've found that the
> org.apache.sshd.client.session.ClientUserAuthService#clientMethods list can
> be iterated over and over again until the client terminates the connection. This
> happens when a server requires two-factor authentication. Although RFC 4252
> [Page 5] ([https://www.ietf.org/rfc/rfc4252.txt]) recommends that the server
> return only the authentication methods that have not yet been successfully
> completed, some implementations ignore this. If the authentication is
> partially successful but the server returns the same list of authentication
> methods, the 0th client authentication method will be used repeatedly:
> currentMethod is reset to 0 on every partial failure, and because serverMethods
> still contains the method that already succeeded, tryNext selects that same
> method again.
> {code:java}
> protected void processUserAuth(Buffer buffer) throws Exception {
> ...
> if (cmd == SshConstants.SSH_MSG_USERAUTH_FAILURE) {
> String mths = buffer.getString();
> boolean partial = buffer.getBoolean();
> if (log.isDebugEnabled()) {
> log.debug("processUserAuth({}) Received
> SSH_MSG_USERAUTH_FAILURE - partial={}, methods={}",
> session, partial, mths);
> }
> if (partial || (serverMethods == null)) {
> serverMethods = Arrays.asList(GenericUtils.split(mths, ','));
> // If a server is always returning the same list of methods, the "next"
> client method in clientMethods will be on index 0
> currentMethod = 0;
> if (userAuth != null) {
> try {
> try {
> userAuth.signalAuthMethodFailure(
> session, service, partial,
> Collections.unmodifiableList(serverMethods), buffer);
> } finally {
> userAuth.destroy();
> }
> } finally {
> userAuth = null;
> }
> }
> } tryNext(cmd);
> return;
> }
> ...
> }{code}
>
> {code:java}
> protected void tryNext(int cmd) throws Exception {
> ClientSession session = getClientSession();
> // Loop until we find something to try
> for (boolean debugEnabled = log.isDebugEnabled();; debugEnabled =
> log.isDebugEnabled()) {
> ...
> String method = null;
> for (; currentMethod < clientMethods.size(); currentMethod++) {
> method = clientMethods.get(currentMethod); // Always selects the
> 0th client method when the previous authentication method was "partially
> successful"
> if (serverMethods.contains(method)) {
> break;
> }
> }
> ...
> }
> } {code}