[ https://issues.apache.org/jira/browse/SSHD-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Wolf updated SSHD-1229:
------------------------------
    External issue URL: https://github.com/apache/mina-sshd/issues/533

> Infinite clientMethods iteration in ClientUserAuthService
> ---------------------------------------------------------
>
>                 Key: SSHD-1229
>                 URL: https://issues.apache.org/jira/browse/SSHD-1229
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.7.0
>            Reporter: Sergey Panov
>            Priority: Major
>
> Hello,
>
> I've come across that the
> org.apache.sshd.client.session.ClientUserAuthService#clientMethods list could
> be iterated over and over again until the client terminates the connection. This
> happens when a server requires two-factor authentication. Although RFC 4252
> [Page 5] (https://www.ietf.org/rfc/rfc4252.txt) recommends that the server
> return only the authentication methods that have not been successfully
> completed, some implementations ignore this. If the authentication is
> partially successful, but the server returns the same list of authentication
> methods, the 0th client authentication method will be used repeatedly.
>
> {code:java}
> protected void processUserAuth(Buffer buffer) throws Exception {
>     ...
>     if (cmd == SshConstants.SSH_MSG_USERAUTH_FAILURE) {
>         String mths = buffer.getString();
>         boolean partial = buffer.getBoolean();
>         if (log.isDebugEnabled()) {
>             log.debug("processUserAuth({}) Received SSH_MSG_USERAUTH_FAILURE - partial={}, methods={}",
>                     session, partial, mths);
>         }
>         if (partial || (serverMethods == null)) {
>             serverMethods = Arrays.asList(GenericUtils.split(mths, ','));
>             // If a server is always returning the same list of methods, the "next"
>             // client method in clientMethods will be on index 0
>             currentMethod = 0;
>             if (userAuth != null) {
>                 try {
>                     try {
>                         userAuth.signalAuthMethodFailure(
>                                 session, service, partial,
>                                 Collections.unmodifiableList(serverMethods), buffer);
>                     } finally {
>                         userAuth.destroy();
>                     }
>                 } finally {
>                     userAuth = null;
>                 }
>             }
>         }
>         tryNext(cmd);
>         return;
>     }
>     ...
> }
> {code}
>
> {code:java}
> protected void tryNext(int cmd) throws Exception {
>     ClientSession session = getClientSession();
>     // Loop until we find something to try
>     for (boolean debugEnabled = log.isDebugEnabled();; debugEnabled = log.isDebugEnabled()) {
>         ...
>         String method = null;
>         for (; currentMethod < clientMethods.size(); currentMethod++) {
>             // Always selects the 0th client method when the previous
>             // authentication method was "partially successful"
>             method = clientMethods.get(currentMethod);
>             if (serverMethods.contains(method)) {
>                 break;
>             }
>         }
>         ...
>     }
> }
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
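A constructed simulation of the selection logic described in the report, added here as an example (it is not MINA SSHD code and not the project's fix): a fake two-factor server that always advertises the same method list after a partial success, the reset-to-index-0 selection from the report, and a tracked variant that never reselects a method that already succeeded partially and fails closed when nothing eligible remains. The `FakeServer`, `run_naive` and `run_tracked` names and the "method list already known" starting state are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class FakeServer:
    """Constructed two-factor server that always advertises the same method list."""
    required: tuple = ("publickey", "password")
    advertised: str = "publickey,password"
    completed: set = field(default_factory=set)

    def authenticate(self, method):
        """Return (success, partial, methods) in the spirit of SSH_MSG_USERAUTH_FAILURE."""
        if method in self.required:
            self.completed.add(method)
        if self.completed >= set(self.required):
            return True, False, ""
        # Ignores the RFC 4252 recommendation: the advertised list never shrinks.
        return False, method in self.required, self.advertised


def run_naive(client_methods, server, max_rounds=6):
    """Mirror the reported behaviour: currentMethod is reset to 0 after partial success."""
    server_methods = server.advertised.split(",")  # assumption: list learned earlier
    current, attempts = 0, []
    for _ in range(max_rounds):
        while current < len(client_methods) and client_methods[current] not in server_methods:
            current += 1
        if current >= len(client_methods):
            return attempts, "exhausted"
        method = client_methods[current]
        attempts.append(method)
        ok, partial, mths = server.authenticate(method)
        if ok:
            return attempts, "authenticated"
        server_methods = mths.split(",")
        current = 0 if partial else current + 1  # partial success restarts at index 0
    return attempts, "looping"  # would run until the client drops the connection


def run_tracked(client_methods, server, max_rounds=6):
    """Mitigation (added here, not MINA's fix): remember methods already tried and
    never reselect them; stop with a failure when no eligible method remains."""
    server_methods = server.advertised.split(",")
    done, attempts = set(), []
    for _ in range(max_rounds):
        candidates = [m for m in client_methods if m in server_methods and m not in done]
        if not candidates:
            return attempts, "exhausted"
        method = candidates[0]
        attempts.append(method)
        ok, partial, mths = server.authenticate(method)
        if ok:
            return attempts, "authenticated"
        server_methods, done = mths.split(","), done | {method}  # spent, partial or not
    return attempts, "looping"
```

With the second server below, which requires a method the client cannot offer, the tracked variant reports `exhausted` after one attempt instead of retrying `publickey` forever.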