[jira] [Created] (WAGON-564) ssh connection failure since 'preferredAuthentications' is ignored if 'password' is missing

Thu, 25 Jul 2019 06:01:01 -0700 

Lucian Burja created WAGON-564:
----------------------------------

             Summary: ssh connection failure since 'preferredAuthentications' 
is ignored if 'password' is missing
                 Key: WAGON-564
                 URL: https://issues.apache.org/jira/browse/WAGON-564
             Project: Maven Wagon
          Issue Type: Bug
          Components: wagon-ssh
    Affects Versions: 3.3.3
            Reporter: Lucian Burja


I am trying to upload a file via SSH, using the {{wagon-maven-plugin}} plugin, 
to a Linux server that is integrated with Kerberos. Although I provide a valid 
{{privateKey}}, and I set 
{{<preferredAuthentications>publickey</preferredAuthentications>,}} the 
Kerberos authentication is always triggered.

While investigating, I have found the following root cause:

In settings.xml, for a {{<server>}} you can decide to use SSH certificate based 
authentication instead of username/password:
{code:java}
<server>
   <id>myserver</id>
   <username>bamboo</username>
   <privateKey>...path to the file...</privateKey>

   <configuration>
      <preferredAuthentications>publickey</preferredAuthentications>      
   </configuration>
</server>
{code}
According to the documentation, this authentication option only works if you 
omit the {{password}} element, otherwise {{privateKey}} is ignored.

 

However, if {{password}} is omitted, then {{preferredAuthentications}} is 
ignored, as can be seen in {{AbstractJschWagon.java :: openConnectionInternal  
(line 254)}}
{code:java}
if ( authenticationInfo.getPassword() != null )
{
    config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
{code}
 

Thus, in practice, if you use {{privateKey}} based authentication, you cannot 
control the {{PreferredAuthentications}} parameter, and the default value is 
used: {{gssapi-with-mic,publickey,password,keyboard-interactive}}. This 
triggers Kerberos based authentication as the first option.

A simple patch to solve this issue is to add to the lines above an else branch, 
like this:
{code:java}
        if ( authenticationInfo.getPassword() != null )
        {
            config.setProperty( "PreferredAuthentications", 
preferredAuthentications );
        }
        else if ( 
!"gssapi-with-mic,publickey,password,keyboard-interactive".equals( 
preferredAuthentications ) )
        {
            // if different then the default, always set
            config.setProperty( "PreferredAuthentications", 
preferredAuthentications );
        }
{code}
 or to remove the the surrounding if-statement all-together 



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Reply via email to