[jira] [Updated] (WAGON-564) ssh connection failure since 'preferredAuthentications' is ignored if 'password' is missing

Lucian Burja (JIRA) Thu, 25 Jul 2019 07:19:11 -0700


     [ 
https://issues.apache.org/jira/browse/WAGON-564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Lucian Burja updated WAGON-564:
-------------------------------
    Description: 
I am trying to upload a file via SSH with private key authentication, using the 
{{wagon-maven-plugin}} plugin. The Linux server that is also integrated with 
Kerberos (which I don't use).

Although I provide a valid {{privateKey}}, and I set 
{{<preferredAuthentications>publickey</preferredAuthentications>,}} the 
Kerberos authentication is always triggered.

While investigating, I have found the following root cause:

In settings.xml, for a {{<server>}} you can decide to use SSH key based 
authentication instead of username/password:
{code:java}
<server>
   <id>myserver</id>
   <username>bamboo</username>
   <privateKey>...path to the file...</privateKey>

   <configuration>
      <preferredAuthentications>publickey</preferredAuthentications>      
   </configuration>
</server>
{code}
According to the documentation, this authentication option only works if you 
omit the {{password}} element, otherwise {{privateKey}} is ignored.

However, if {{password}} is omitted, then {{preferredAuthentications}} is 
ignored, as can be seen in {{AbstractJschWagon.java :: openConnectionInternal  
(line 254)}}
{code:java}
if ( authenticationInfo.getPassword() != null )
{
    config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
{code}
 

Thus, in practice, if you use {{privateKey}} based authentication, you cannot 
control the {{PreferredAuthentications}} parameter, and the default value is 
used: {{gssapi-with-mic,publickey,password,keyboard-interactive}}. This 
triggers Kerberos based authentication as the first option.

A simple patch to solve this issue is to add to the lines above an else branch, 
like this:
{code:java}
        if ( authenticationInfo.getPassword() != null )
        {
            config.setProperty( "PreferredAuthentications", 
preferredAuthentications );
        }
        else if ( 
!"gssapi-with-mic,publickey,password,keyboard-interactive".equals( 
preferredAuthentications ) )
        {
            // if different then the default, always set
            config.setProperty( "PreferredAuthentications", 
preferredAuthentications );
        }
{code}
 or to remove the the surrounding if-statement all-together 

  was:
I am trying to upload a file via SSH, using the {{wagon-maven-plugin}} plugin, 
to a Linux server that is integrated with Kerberos. Although I provide a valid 
{{privateKey}}, and I set 
{{<preferredAuthentications>publickey</preferredAuthentications>,}} the 
Kerberos authentication is always triggered.

While investigating, I have found the following root cause:

In settings.xml, for a {{<server>}} you can decide to use SSH certificate based 
authentication instead of username/password:
{code:java}
<server>
   <id>myserver</id>
   <username>bamboo</username>
   <privateKey>...path to the file...</privateKey>

   <configuration>
      <preferredAuthentications>publickey</preferredAuthentications>      
   </configuration>
</server>
{code}
According to the documentation, this authentication option only works if you 
omit the {{password}} element, otherwise {{privateKey}} is ignored.

 

However, if {{password}} is omitted, then {{preferredAuthentications}} is 
ignored, as can be seen in {{AbstractJschWagon.java :: openConnectionInternal  
(line 254)}}
{code:java}
if ( authenticationInfo.getPassword() != null )
{
    config.setProperty( "PreferredAuthentications", preferredAuthentications );
}
{code}
 

Thus, in practice, if you use {{privateKey}} based authentication, you cannot 
control the {{PreferredAuthentications}} parameter, and the default value is 
used: {{gssapi-with-mic,publickey,password,keyboard-interactive}}. This 
triggers Kerberos based authentication as the first option.

A simple patch to solve this issue is to add to the lines above an else branch, 
like this:
{code:java}
        if ( authenticationInfo.getPassword() != null )
        {
            config.setProperty( "PreferredAuthentications", 
preferredAuthentications );
        }
        else if ( 
!"gssapi-with-mic,publickey,password,keyboard-interactive".equals( 
preferredAuthentications ) )
        {
            // if different then the default, always set
            config.setProperty( "PreferredAuthentications", 
preferredAuthentications );
        }
{code}
 or to remove the the surrounding if-statement all-together 


> ssh connection failure since 'preferredAuthentications' is ignored if 
> 'password' is missing
> -------------------------------------------------------------------------------------------
>
>                 Key: WAGON-564
>                 URL: https://issues.apache.org/jira/browse/WAGON-564
>             Project: Maven Wagon
>          Issue Type: Bug
>          Components: wagon-ssh
>    Affects Versions: 3.3.3
>            Reporter: Lucian Burja
>            Priority: Major
>
> I am trying to upload a file via SSH with private key authentication, using 
> the {{wagon-maven-plugin}} plugin. The Linux server that is also integrated 
> with Kerberos (which I don't use).
> Although I provide a valid {{privateKey}}, and I set 
> {{<preferredAuthentications>publickey</preferredAuthentications>,}} the 
> Kerberos authentication is always triggered.
> While investigating, I have found the following root cause:
> In settings.xml, for a {{<server>}} you can decide to use SSH key based 
> authentication instead of username/password:
> {code:java}
> <server>
>    <id>myserver</id>
>    <username>bamboo</username>
>    <privateKey>...path to the file...</privateKey>
>    <configuration>
>       <preferredAuthentications>publickey</preferredAuthentications>      
>    </configuration>
> </server>
> {code}
> According to the documentation, this authentication option only works if you 
> omit the {{password}} element, otherwise {{privateKey}} is ignored.
> However, if {{password}} is omitted, then {{preferredAuthentications}} is 
> ignored, as can be seen in {{AbstractJschWagon.java :: openConnectionInternal 
>  (line 254)}}
> {code:java}
> if ( authenticationInfo.getPassword() != null )
> {
>     config.setProperty( "PreferredAuthentications", preferredAuthentications 
> );
> }
> {code}
>  
> Thus, in practice, if you use {{privateKey}} based authentication, you cannot 
> control the {{PreferredAuthentications}} parameter, and the default value is 
> used: {{gssapi-with-mic,publickey,password,keyboard-interactive}}. This 
> triggers Kerberos based authentication as the first option.
> A simple patch to solve this issue is to add to the lines above an else 
> branch, like this:
> {code:java}
>         if ( authenticationInfo.getPassword() != null )
>         {
>             config.setProperty( "PreferredAuthentications", 
> preferredAuthentications );
>         }
>         else if ( 
> !"gssapi-with-mic,publickey,password,keyboard-interactive".equals( 
> preferredAuthentications ) )
>         {
>             // if different then the default, always set
>             config.setProperty( "PreferredAuthentications", 
> preferredAuthentications );
>         }
> {code}
>  or to remove the the surrounding if-statement all-together 



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

[jira] [Updated] (WAGON-564) ssh connection failure since 'preferredAuthentications' is ignored if 'password' is missing

Reply via email to