[ANNOUNCE] Apache MINA SSHD 2.12.0 released
The Apache Mina PMC is proud to announce the release of Mina SSHD 2.12.0.

This new minor release provides a bunch of bug enhancements and bug fixes, see the details at:
https://github.com/apache/mina-sshd/releases/tag/sshd-2.12.0

The release is available for download at
https://mina.apache.org/sshd-project/download_2.12.0.html

# Introduced in 2.12.0

## Bug Fixes

* GH-428/GH-392 SCP client fails silently when error signalled due to missing file or lacking permissions
* GH-434 Ignore unknown key types from agent or in OpenSSH host keys extension

## New Features

* GH-429 Support GIT protocol-v2
* GH-445 OpenSSH "strict key exchange" protocol extension (CVE-2023-48795 mitigation)

# Behavioral changes and enhancements

## New ScpTransferEventListener callback method

Following GH-428/GH-392 a new handleReceiveCommandAckInfo method has been added to enable users to inspect acknowledgements of a receive related command. The user is free to inspect the command that was attempted as well as the response code and decide how to handle it - including even throwing an exception if OK status (if this makes sense for whatever reason). The default implementation checks for ERROR code and throws an exception if so.

## OpenSSH protocol extension: strict key exchange

GH-445 implements an extension to the SSH protocol introduced in OpenSSH 9.6. This "strict key exchange" extension hardens the SSH key exchange against the "Terrapin attack" (CVE-2023-48795). The extension is active if both parties announce their support for it at the start of the initial key exchange. If only one party announces support, it is not activated to ensure compatibility with SSH implementations that do not implement it. Apache MINA sshd clients and servers always announce their support for strict key exchange.

On behalf of the Maven Mina PMC team,
Guillaume Nodet
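The activation rule described in the announcement above, as an added example (not code from Apache MINA SSHD): it parses the `kex_algorithms` name-list of each side's initial `SSH_MSG_KEXINIT` and reports whether both sides announced the extension. The marker names `kex-strict-c-v00@openssh.com` and `kex-strict-s-v00@openssh.com` come from OpenSSH's PROTOCOL document, not from this page; the class `StrictKexCheck`, its methods and the sample algorithm lists are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class StrictKexCheck {
    // Pseudo-algorithm names each side adds to kex_algorithms to announce support.
    static final String CLIENT_MARKER = "kex-strict-c-v00@openssh.com";
    static final String SERVER_MARKER = "kex-strict-s-v00@openssh.com";
    static final int SSH_MSG_KEXINIT = 20;

    /** Builds a constructed SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) for the demo. */
    static byte[] buildKexInit(List<String> kexAlgorithms) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(SSH_MSG_KEXINIT);
        out.write(new byte[16], 0, 16);              // cookie (zeroed here, random on the wire)
        writeNameList(out, String.join(",", kexAlgorithms));
        for (int i = 0; i < 9; i++) {
            writeNameList(out, "");                  // the other nine name-lists, left empty
        }
        out.write(0);                                // first_kex_packet_follows = false
        out.write(new byte[4], 0, 4);                // reserved uint32
        return out.toByteArray();
    }

    static void writeNameList(ByteArrayOutputStream out, String csv) {
        byte[] data = csv.getBytes(StandardCharsets.US_ASCII);
        out.write(ByteBuffer.allocate(4).putInt(data.length).array(), 0, 4);
        out.write(data, 0, data.length);
    }

    /** Extracts kex_algorithms: the first name-list after the message byte and the cookie. */
    static List<String> parseKexAlgorithms(byte[] payload) {
        if (payload.length < 21 || (payload[0] & 0xFF) != SSH_MSG_KEXINIT) {
            throw new IllegalArgumentException("not an SSH_MSG_KEXINIT payload");
        }
        ByteBuffer buf = ByteBuffer.wrap(payload, 17, payload.length - 17);
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) {
            throw new IllegalArgumentException("kex_algorithms length out of bounds");
        }
        byte[] names = new byte[len];
        buf.get(names);
        String csv = new String(names, StandardCharsets.US_ASCII);
        return csv.isEmpty() ? Collections.<String>emptyList() : Arrays.asList(csv.split(","));
    }

    /** Strict KEX is active only when BOTH initial KEXINITs carry their own side's marker. */
    static boolean strictKexActive(byte[] clientKexInit, byte[] serverKexInit) {
        return parseKexAlgorithms(clientKexInit).contains(CLIENT_MARKER)
                && parseKexAlgorithms(serverKexInit).contains(SERVER_MARKER);
    }

    public static void main(String[] args) {
        // Constructed sample algorithm lists, not captured traffic.
        byte[] newClient = buildKexInit(Arrays.asList("curve25519-sha256", "ext-info-c", CLIENT_MARKER));
        byte[] newServer = buildKexInit(Arrays.asList("curve25519-sha256", SERVER_MARKER));
        byte[] oldServer = buildKexInit(Arrays.asList("curve25519-sha256", "diffie-hellman-group14-sha256"));
        byte[] wrongSide = buildKexInit(Arrays.asList("curve25519-sha256", CLIENT_MARKER));

        System.out.println("both sides announce:     " + strictKexActive(newClient, newServer));
        System.out.println("server does not announce: " + strictKexActive(newClient, oldServer));
        System.out.println("server sends client marker: " + strictKexActive(newClient, wrongSide));
    }
}
```

Run against the `kex_algorithms` lists seen in handshake logs, a negative result for a peer means that connection negotiated without strict key exchange even though the MINA side announces it.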
Re: Implementing a 'filesystem' module in MINA to bridge with an Apache commons-net FTPClient
Maybe I misunderstand something, but Mina SSHD *provides* a FileSystemFactory that completely supports SFTP. Why would you want to re-implement it ?
See https://github.com/apache/mina-sshd/blob/master/docs/sftp.md#using-sftpfilesystemprovider-to-create-an-sftpfilesystem

Guillaume

On Thu, 7 Dec 2023 at 21:00, Soderberg, Will <will.soderb...@gehealthcare.com> wrote:

> Hello,
>
> Haven't had much luck finding answers on stackoverflow etc so trying here.
>
> I'm working on a project which uses both Apache MINA and Apache
> commons-net FTPClient to create a protocol adapter that provides an SFTP
> wrapper to access FTP servers (which cannot be upgraded to SFTP for complex
> reasons).
>
> I've been able to get authentication and file transfer working by
> hardcoding the paths, but what I'm struggling with is file+folder listing.
> FTPClient has a very simple API for this, but MINA seems to require an
> extremely sophisticated implementation of java.nio.file.FileSystem,
> FileSystemFactory, Path, etc to make this work. I was hoping that
> implementing SftpFileSystemAccessor.openDirectory would be enough, but when
> setting breakpoints I'm not seeing that method be called in the way I would
> expect for it to be the solution.
>
> Am I overthinking this? Which approach is correct for what I'm looking to
> do? I can't provide a very complete implementation of FileSystem due to
> the limitations of FTP, but it seems like MINA only really uses a few
> methods from it anyway.
>
> Thank you
> Will

--
Guillaume Nodet
[ANNOUNCE] Apache MINA SSHD 2.11.0 released
evicted from the pool. Properties to configure these pool parameters have been added to `SftpModuleProperties`. On behalf of the Apache MINA project, Guillaume Nodet
[ANNOUNCE] Apache MINA SSHD 2.9.3 released
The Apache Mina PMC is proud to announce the release of Mina SSHD 2.9.3.

This is a bug fix release, see the details at:
https://github.com/apache/mina-sshd/releases/tag/sshd-2.9.3

The release is available for download at
https://mina.apache.org/sshd-project/download_2.9.3.html

Changelog:

* CVE-2023-35887 / SSHD-1324 Rooted file system can leak informations
* Fix reproducible builds issue
* Support building with Maven 3.9.x

On behalf of the Apache MINA project,
Guillaume Nodet
CVE-2023-35887: Apache MINA SSHD: Information disclosure bugs with RootedFilesystem
Affected versions:

- Apache MINA SSHD 1.0 before 2.10

Description:

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.10.

Thanks to Andrew Pikler for discovering the issue and helping to fix it.

This issue is being tracked as SSHD-1324

References:

https://mina.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-35887
https://issues.apache.org/jira/browse/SSHD-1324
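A containment check for the class of problem this advisory describes, as an added example (not the fix shipped by Apache MINA SSHD and not its RootedFileSystem code): a client path is rejected when ".." walks above the root or when a symlink leads outside it, and the rejection is identical whether or not the outside target exists. The class `RootedPathCheck`, its methods and the temporary directory layout are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

public class RootedPathCheck {
    private final Path realRoot;

    RootedPathCheck(Path root) throws IOException {
        this.realRoot = root.toRealPath();   // canonical root, symlinks in the root path resolved
    }

    /**
     * Maps a client-supplied path to a local path under the root. Every rejection is the
     * same AccessDeniedException, so the caller learns nothing about what exists outside.
     * The check is point-in-time: a link swapped after it returns is not covered.
     */
    Path resolve(String clientPath) throws IOException {
        // "/etc" means "<root>/etc": strip leading slashes so it is never treated as absolute.
        String relative = clientPath.replaceFirst("^/+", "");
        Path candidate = realRoot.resolve(relative).normalize();
        // Path.startsWith compares whole name elements, so "/srv/root2" is not under "/srv/root".
        if (!candidate.startsWith(realRoot)) {
            throw denied(clientPath);                    // ".." walked above the root
        }
        // Find the deepest ancestor that exists (a dangling link counts as existing).
        Path existing = candidate;
        while (existing != null && !Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        if (existing == null) {
            throw denied(clientPath);
        }
        Path real;
        try {
            real = existing.toRealPath();                // resolves every symlink on the way
        } catch (IOException e) {
            throw denied(clientPath);                    // e.g. dangling link: fail closed
        }
        if (!real.startsWith(realRoot)) {
            throw denied(clientPath);                    // a symlink leads outside the root
        }
        return candidate;
    }

    private static AccessDeniedException denied(String clientPath) {
        return new AccessDeniedException(clientPath);
    }

    static String probe(RootedPathCheck check, String clientPath) {
        try {
            return "allowed -> " + check.resolve(clientPath);
        } catch (IOException e) {
            return "denied";
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/root is the rooted tree, <tmp>/outside must stay invisible.
        Path tmp = Files.createTempDirectory("rooted-demo");
        Path root = Files.createDirectory(tmp.resolve("root"));
        Path outside = Files.createDirectory(tmp.resolve("outside"));
        Files.createDirectory(root.resolve("pub"));
        Files.write(root.resolve("pub/file.txt"), "ok".getBytes(StandardCharsets.UTF_8));
        Files.write(outside.resolve("secret.txt"), "x".getBytes(StandardCharsets.UTF_8));
        Files.createSymbolicLink(root.resolve("link"), outside);

        RootedPathCheck check = new RootedPathCheck(root);
        for (String p : new String[] {
                "pub/file.txt", "/pub/new.txt",                      // inside the root
                "../outside/secret.txt", "../outside/missing.txt",   // ".." beyond the root
                "link/secret.txt", "link/missing.txt" }) {           // via a symlink
            System.out.println(p + " : " + probe(check, p));
        }
    }
}
```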
Re: symbolic links errors
Please raise a JIRA issue. This seems to have been overlooked.

On Thu, 2 Mar 2023 at 11:26, Simon IJskes - QCG wrote:

> Hi,
>
> I'm using the SftpFileSystemProvider to implement a simple rsync.
>
> When I use Files.delete( Path ) on a symbolic link there are some
> problems I haven't managed to fix.
>
> When the symlink points to a non-existent file, I get an exception while
> reading its attributes.
>
> When the symlink points to a directory, I get an exception in the order
> of file not found.
>
> I've done some tracing and debugging, and it looks like the client does
> follow the symlink, this should not be the case,
>
> From: Package java.nio.file, Symbolic Links
>
> "For the most part, symbolic links are transparent to applications and
> operations on symbolic links are automatically redirected to the target
> of the link. Exceptions to this are when a symbolic link is deleted or
> renamed/moved in which case the link is deleted or removed rather than
> the target of the link."
>
> Is this a known bug or design choice, or does this merit a more complete
> bug report?
>
> Gr. Simon

--
Guillaume Nodet
CVE-2021-30129: DoS/OOM leak vulnerability in Apache Mina SSHD Server
Description:

A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0

This issue is being tracked as SSHD-1125
Re: [ANNOUNCE] Apache SSHD 2.7.0 released
Mina SSHD supports SSH2 and there's no plan to support SSH1.

Cheers
Guillaume Nodet

P.S.: Please do not cross-post to several lists...

On Mon, 31 May 2021 at 11:32, Vishnu Priya wrote:

> Does this support SSH version 1 and version 2 both?
>
> Regards,
> Vishnupriya
>
> On Mon, 31 May 2021 at 2:52 PM, Guillaume Nodet wrote:
>
> > The Apache Mina team is pleased to announce the release of SSHD 2.7.0
> > version.
> >
> > Apache SSHD is a 100% pure java library to support the SSH protocols on
> > both the client and server side. This library can leverage NIO2, Apache
> > MINA and also Netty - scalable and high performance asynchronous IO
> > libraries. SSHD does not really aim at being a replacement for the SSH
> > client or SSH server from Unix operating systems, but rather provides
> > support for Java based applications requiring SSH support.
> >
> > The major issues addressed in this release are:
> >
> > ** Bug
> > * [SSHD-] - wrong command line interpretation
> > * [SSHD-1123] - ChannelAsyncOutputStream breaks downloads of sftp client by not chunking when the remote window is smaller than the packet size
> > * [SSHD-1125] - Provide a boundary on BufferedIoOutputStream writing to avoid memory overflow
> > * [SSHD-1136] - Diffie Hellmann group exchange falls back to insecure DHG1 if agreement on modulo size is not possible
> > * [SSHD-1137] - IOException for unsupported NOFOLLOW_LINKS on AIX when accessing with OpenSSH SFTP client
> > * [SSHD-1146] - Missing Import-Package header in sshd-osgi-2.6.0
> > * [SSHD-1154] - userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
> > * [SSHD-1158] - Channel closed by peer: extra SSH_MSG_CHANNEL_EOF sent
> >
> > ** New Feature
> > * [SSHD-1097] - Provide an 'endlessh' tarpit capability
> >
> > ** Improvement
> > * [SSHD-525] - Add support for "posix-ren...@openssh.com" SFTP extension
> > * [SSHD-1083] - The nio2 connector/acceptor implementation should not be tied to the FactoryManager
> > * [SSHD-1105] - Use all possible signatures for a public key type in public key authentication
> > * [SSHD-1109] - Replace log4j with logback as the slf4j logger implementation for tests
> > * [SSHD-1114] - Add client-side detailed authentication progress callbacks
> > * [SSHD-1116] - Provide session context to the various XXXProvider(s)
> > * [SSHD-1132] - Add support for SFTP "filename-charset" extension
> > * [SSHD-1133] - Provide non-UTF8 charset encoding capability to SCP implementation
> > * [SSHD-1141] - Implement server-sig-algs
> > * [SSHD-1145] - EdDSASecurityProviderRegistrar#isSupported() should check more classloaders
> >
> > ** Wish
> > * [SSHD-1147] - SftpClient is not able to download file from proprietory SFTP servers (IBM) with a one time download policy
> >
> > The distributions are available from the Apache Software Foundation
> > distribution mirrors http://mina.apache.org/sshd-project/downloads.html
> > and from maven central.
> >
> > On behalf of the Apache Mina team,
> > Guillaume Nodet
>
> --
> Regards,
> Vishnupriya R
> Engineer
> Hewlett Packard Enterprise

--
Guillaume Nodet
[ANNOUNCE] Apache SSHD 2.7.0 released
The Apache Mina team is pleased to announce the release of SSHD 2.7.0 version.

Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side. This library can leverage NIO2, Apache MINA and also Netty - scalable and high performance asynchronous IO libraries. SSHD does not really aim at being a replacement for the SSH client or SSH server from Unix operating systems, but rather provides support for Java based applications requiring SSH support.

The major issues addressed in this release are:

** Bug
* [SSHD-] - wrong command line interpretation
* [SSHD-1123] - ChannelAsyncOutputStream breaks downloads of sftp client by not chunking when the remote window is smaller than the packet size
* [SSHD-1125] - Provide a boundary on BufferedIoOutputStream writing to avoid memory overflow
* [SSHD-1136] - Diffie Hellmann group exchange falls back to insecure DHG1 if agreement on modulo size is not possible
* [SSHD-1137] - IOException for unsupported NOFOLLOW_LINKS on AIX when accessing with OpenSSH SFTP client
* [SSHD-1146] - Missing Import-Package header in sshd-osgi-2.6.0
* [SSHD-1154] - userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
* [SSHD-1158] - Channel closed by peer: extra SSH_MSG_CHANNEL_EOF sent

** New Feature
* [SSHD-1097] - Provide an 'endlessh' tarpit capability

** Improvement
* [SSHD-525] - Add support for "posix-ren...@openssh.com" SFTP extension
* [SSHD-1083] - The nio2 connector/acceptor implementation should not be tied to the FactoryManager
* [SSHD-1105] - Use all possible signatures for a public key type in public key authentication
* [SSHD-1109] - Replace log4j with logback as the slf4j logger implementation for tests
* [SSHD-1114] - Add client-side detailed authentication progress callbacks
* [SSHD-1116] - Provide session context to the various XXXProvider(s)
* [SSHD-1132] - Add support for SFTP "filename-charset" extension
* [SSHD-1133] - Provide non-UTF8 charset encoding capability to SCP implementation
* [SSHD-1141] - Implement server-sig-algs
* [SSHD-1145] - EdDSASecurityProviderRegistrar#isSupported() should check more classloaders

** Wish
* [SSHD-1147] - SftpClient is not able to download file from proprietory SFTP servers (IBM) with a one time download policy

The distributions are available from the Apache Software Foundation distribution mirrors http://mina.apache.org/sshd-project/downloads.html and from maven central.

On behalf of the Apache Mina team,
Guillaume Nodet
Re: DirectoryScanner and have connection with sftpclient still I am getting base dir doesn’t exist error.
First, please don't cross-post to dev@ and @users.

Then, if you are looking for some help, provide some more information about what you're doing exactly and the exact errors you get. Just saying it does not work without even explaining in detail what you're doing is just useless.

And last, if you're not familiar with the NIO api, first do what you need to do on the local file system, once it works, try with the SFTP file system. And only in such case, send an email with details. We're not here to provide support on the JDK API, there are tons of information that you can find using any search engine.

On Tue, 22 Sep 2020 at 14:29, Leshika Sahu 6A wrote:

> Hello Team,
>
> I am DirectoryScanner and have connection with sftpclient still I am
> getting base dir doesn’t exist error.
> And not able to get dir list from remote server.
> Can you please let me know how can I get dir list using DirectoryScanner
> with Sftpclient.
> --
> Thanks & Regards,
> Netram Sahu
> +91 9653330834

--
Guillaume Nodet
Re: Reminder: How to use ls command with SftpClient Apache library
Have you used the Java NIO glob api as indicated in this example
https://javapapers.com/java/glob-with-java-nio/ ?

On Tue, 22 Sep 2020 at 00:12, Leshika Sahu 6A wrote:

> Hello Guillaume,
>
> This didn’t work for path
>
> home/ns75140/log*
> home/ns75140/log?
>
> On Mon, Sep 21, 2020 at 11:44 AM Guillaume Nodet wrote:
>
>> You'll find an example of using the Sftp Client API in the following test:
>>
>> https://github.com/apache/mina-sshd/blob/master/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/SftpTransferTest.java
>>
>> On Mon, 21 Sep 2020 at 03:22, Leshika Sahu 6A wrote:
>>
>>> Hello Team,
>>>
>>> I am passing this url from application and based on this url I want to
>>> get all file from this path.
>>>
>>> dir/dir1*/
>>> dir/dir1?
>>>
>>> So Can you please give me example ASAP.
>>>
>>> On Sun, Sep 20, 2020 at 8:02 AM Leshika Sahu 6A wrote:
>>>
>>>> Hello Guillaume,
>>>> Thanks for your response.
>>>>
>>>> I am using remote server.
>>>>
>>>> So please let me know how can I use ls command to fetch file using
>>>> sftpclient.
>>>>
>>>> Please give me some example ASAP
>>>>
>>>> On Sat, Sep 19, 2020 at 8:17 PM Leshika Sahu 6A wrote:
>>>>
>>>>> I am passing this url from application and based on these url want to
>>>>> Remove Text.txt file.
>>>>>
>>>>> dir/dir1*/Test.txt,
>>>>> dir/dir1?/Test.txt
>>>>>
>>>>> How can I do it with Sftpfilesystem,
>>>>>
>>>>> Can you please give me example.
>>>>>
>>>>> On Sat, Sep 19, 2020 at 3:24 PM Guillaume Nodet wrote:
>>>>>
>>>>>> You can use the Sftp FileSystem so you can use the standard Path api
>>>>>> from the JDK.
>>>>>>
>>>>>> On Sat, 19 Sep 2020 at 08:58, Leshika Sahu 6A wrote:
>>>>>>
>>>>>>> I didn’t get answer for this issue
>>>>>>>
>>>>>>> Hello Team,
>>>>>>>
>>>>>>> I want to use Apache library for ls Unix command.
>>>>>>> Means same list I want to get using Apache library.
>>>>>>> So can please advice.
>>>>>>> How to use ls command with SftpClient Apache library.
>>>>>>>
>>>>>>> I want to use Apache library
>>>>>>> For matching pattern below:
>>>>>>>
>>>>>>> dir/dir1*/Test.txt
>>>>>>> dir/dir1?/Test.txt
>>>>>>> dir/*
>>>>>>> *
>>>>>>> *.*
>>>>>>>
>>>>>>> On Fri, Sep 18, 2020 at 3:14 PM Leshika Sahu 6A <netram.s...@gmail.com> wrote:
>>>>>>>
>>>>>>> > Hello Team,
>>>>>>> >
>>>>>>> > I want to use Apache library for ls Unix command.
>>>>>>> > Means same list I want to get using Apache library.
>>>>>>> > So can please advice.
>>>>>>> > How to use ls command with SftpClient Apache library.
>>>>>>> >
>>>>>>> > I want to use Apache library
>>>>>>> > For matching pattern below:
>>>>>>> >
>>>>>>> > dir/dir1*/Test.txt
>>>>>>> > dir/dir1?/Test.txt
>>>>>>> > dir/*
>>>>>>> > *
>>>>>>> > *.*
>>>>>>> >
>>>>>>> > Regards
>>>>>>> > Netram Sahu
>>>>>>> >
>>>>>>> > --
>>>>>>> > Thanks & Regards,
>>>>>>> > Netram Sahu
>>>>>>> > +91 9653330834

--
Guillaume Nodet
Re: Reminder: How to use ls command with SftpClient Apache library
You'll find an example of using the Sftp Client API in the following test:

https://github.com/apache/mina-sshd/blob/master/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/SftpTransferTest.java

On Mon, 21 Sep 2020 at 03:22, Leshika Sahu 6A wrote:

> Hello Team,
>
> I am passing this url from application and based on this url I want to get
> all file from this path.
>
> dir/dir1*/
> dir/dir1?
>
> So Can you please give me example ASAP.
>
> On Sun, Sep 20, 2020 at 8:02 AM Leshika Sahu 6A wrote:
>
>> Hello Guillaume,
>> Thanks for your response.
>>
>> I am using remote server.
>>
>> So please let me know how can I use ls command to fetch file using
>> sftpclient.
>>
>> Please give me some example ASAP
>>
>> On Sat, Sep 19, 2020 at 8:17 PM Leshika Sahu 6A wrote:
>>
>>> I am passing this url from application and based on these url want to
>>> Remove Text.txt file.
>>>
>>> dir/dir1*/Test.txt,
>>> dir/dir1?/Test.txt
>>>
>>> How can I do it with Sftpfilesystem,
>>>
>>> Can you please give me example.
>>>
>>> On Sat, Sep 19, 2020 at 3:24 PM Guillaume Nodet wrote:
>>>
>>>> You can use the Sftp FileSystem so you can use the standard Path api
>>>> from the JDK.
>>>>
>>>> On Sat, 19 Sep 2020 at 08:58, Leshika Sahu 6A wrote:
>>>>
>>>>> I didn’t get answer for this issue
>>>>>
>>>>> Hello Team,
>>>>>
>>>>> I want to use Apache library for ls Unix command.
>>>>> Means same list I want to get using Apache library.
>>>>> So can please advice.
>>>>> How to use ls command with SftpClient Apache library.
>>>>>
>>>>> I want to use Apache library
>>>>> For matching pattern below:
>>>>>
>>>>> dir/dir1*/Test.txt
>>>>> dir/dir1?/Test.txt
>>>>> dir/*
>>>>> *
>>>>> *.*
>>>>>
>>>>> On Fri, Sep 18, 2020 at 3:14 PM Leshika Sahu 6A wrote:
>>>>>
>>>>> > Hello Team,
>>>>> >
>>>>> > I want to use Apache library for ls Unix command.
>>>>> > Means same list I want to get using Apache library.
>>>>> > So can please advice.
>>>>> > How to use ls command with SftpClient Apache library.
>>>>> >
>>>>> > I want to use Apache library
>>>>> > For matching pattern below:
>>>>> >
>>>>> > dir/dir1*/Test.txt
>>>>> > dir/dir1?/Test.txt
>>>>> > dir/*
>>>>> > *
>>>>> > *.*
>>>>> >
>>>>> > Regards
>>>>> > Netram Sahu
>>>>> >
>>>>> > --
>>>>> > Thanks & Regards,
>>>>> > Netram Sahu
>>>>> > +91 9653330834

--
Guillaume Nodet
[ANNOUNCE] Apache SSHD 2.5.1 released
The Apache Mina team is pleased to announce the release of SSHD 2.5.1 version.

Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side. This library can leverage NIO2, Apache MINA and also Netty - scalable and high performance asynchronous IO libraries. SSHD does not really aim at being a replacement for the SSH client or SSH server from Unix operating systems, but rather provides support for Java based applications requiring SSH support.

This version is a bug fix release for this issue:

- [SSHD-1022 <https://issues.apache.org/jira/browse/SSHD-1022>] - NPE in SftpOutputStreamAsync.flush()

The distributions are available from the Apache Software Foundation distribution mirrors http://mina.apache.org/sshd-project/downloads.html and from maven central.

On behalf of the Apache Mina team,
Guillaume Nodet
[ANNOUNCE] Apache SSHD 2.5.0 released
The Apache Mina team is pleased to announce the release of SSHD 2.5.0 version.

Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side. This library can leverage NIO2, Apache MINA and also Netty - scalable and high performance asynchronous IO libraries. SSHD does not really aim at being a replacement for the SSH client or SSH server from Unix operating systems, but rather provides support for Java based applications requiring SSH support.

The major issues addressed in this release are:

New Feature

- [SSHD-979 <https://issues.apache.org/jira/browse/SSHD-979>] - Rework SFTP streams so that we can send or receive as much data as possible
- [SSHD-972 <https://issues.apache.org/jira/browse/SSHD-972>] - Add support for peers using OpenSSH "security key" key types
- [SSHD-984 <https://issues.apache.org/jira/browse/SSHD-984>] - Utility method to export KeyPair in OpenSSH format
- [SSHD-986 <https://issues.apache.org/jira/browse/SSHD-986>] - Implement ECDSA public key recovery
- [SSHD-1003 <https://issues.apache.org/jira/browse/SSHD-1003>] - Use asynchronous streams when forwarding ports
- [SSHD-1009 <https://issues.apache.org/jira/browse/SSHD-1009>] - Support WinSCP shell interactions

Improvement

- [SSHD-660 <https://issues.apache.org/jira/browse/SSHD-660>] - Add support for authentication using signed client/server keys
- [SSHD-707 <https://issues.apache.org/jira/browse/SSHD-707>] - Add support for writing OpenSSH ed25519 private keys to file
- [SSHD-968 <https://issues.apache.org/jira/browse/SSHD-968>] - SshClient times out during keep-alive, when SSH_MSG_GLOBAL_REQUEST is replied with SSH_MSG_UNSUPPORTED
- [SSHD-977 <https://issues.apache.org/jira/browse/SSHD-977>] - Apply consistent logging policy to caught exceptions
- [SSHD-980 <https://issues.apache.org/jira/browse/SSHD-980>] - Make the SFTP Api cleaner by moving the implementation classes into the non public package
- [SSHD-992 <https://issues.apache.org/jira/browse/SSHD-992>] - Customizing sftp stat commands
- [SSHD-978 <https://issues.apache.org/jira/browse/SSHD-978>] - Autoformat source code instead of using checkstyle

Bug

- [SSHD-964 <https://issues.apache.org/jira/browse/SSHD-964>] - SSH_MSG_CHANNEL_EOF never sent or received for local and remote port forwarding
- [SSHD-967 <https://issues.apache.org/jira/browse/SSHD-967>] - transferTo function of SftpRemotePathChannel always add some extra bytes in the end of file
- [SSHD-970 <https://issues.apache.org/jira/browse/SSHD-970>] - transferTo function of SftpRemotePathChannel will loop if count parameter is greater than file size
- [SSHD-975 <https://issues.apache.org/jira/browse/SSHD-975>] - SshClient subclasses fail in OSGi environment
- [SSHD-982 <https://issues.apache.org/jira/browse/SSHD-982>] - Race condition when loading known hosts
- [SSHD-987 <https://issues.apache.org/jira/browse/SSHD-987>] - AESPrivateKeyObfuscator generates wrong IV length
- [SSHD-998 <https://issues.apache.org/jira/browse/SSHD-998>] - respect SftpVersionSelector when establishing a new connection

The distributions are available from the Apache Software Foundation distribution mirrors http://mina.apache.org/sshd-project/downloads.html and from maven central.

On behalf of the Apache Mina team,
Guillaume Nodet
Re: Mina Sshd, JGit, RSA Passphrases
On Wed, 8 Jan 2020 at 04:38, David Blevins wrote:

> Hello fine folks!

Hey David !

> I've been looking into using Mina Sshd in some JGit code I have, working
> under the assumption I can perhaps get some better passphrase support and
> potentially get rid of Jsch.
>
> The docs are thin on what capabilities there are around password protected
> keys. I've dug around the code a bit, but probably better to ask some high
> level questions so I know what I'm looking at.

Yes, though the docs on the website should be removed and users pointed to the main git repo (see below)

> - Are password protected RSA keys supported? (think that's a clear, yes)

Yes

> - Is there support for prompting a user for the passphrase via masked
> input? (I didn't find any use of java.io.Console.readPassword)

Yes. The SshClient can be configured with a FilePasswordProvider using the setFilePasswordProvider method which is used to prompt the user for a password.
See https://github.com/apache/mina-sshd/blob/master/docs/client-setup.md#clientidentityloaderkeypairprovider

> - Is there any support for ssh-agents, eliminating the need for user
> interaction or file storage of passphrases? (think that's a no, but
> interested in any plans or pointers to previous discussion)

Yes, there's an SshAgent interface which can be set indirectly (through the SshAgentFactory) on the SshClient using the setAgentFactory method. There are 3 implementations:

* LocalAgentFactory: creates or reuses an SshAgent in the JVM which can be configured using the addIdentity methods
* UnixAgentFactory: communicates with the agent using the APR library using the *SSH_AUTH_SOCK* environment variable
* ProxyAgentFactory: communicates with a remote agent when using agent forwarding

> I'm happy to create an FAQ of some kind for the website. Any pointers on
> where I'd put the doc?

The website should point to the main git repo and the readme:
https://github.com/apache/mina-sshd
and the various doc bits in
https://github.com/apache/mina-sshd/tree/master/docs
An entry is clearly missing for agent support...

Guillaume

> -David

--
Guillaume Nodet
[ANNOUNCE] Apache SSHD 2.1.0 released
The Apache SSHD project is pleased to announce the release of SSHD 2.1.0 version.

Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side. This library can leverage Apache MINA and also Netty - scalable and high performance asynchronous IO libraries. SSHD does not really aim at being a replacement for the SSH client or SSH server from Unix operating systems, but rather provides support for Java based applications requiring SSH support.

A few backward incompatible changes have been made since the previous release, thus the version has been named 2.1 accordingly, in order to emphasize this fact.

The major issues addressed in this release are:

* In accordance with the policy of making the SSHD code less monolithic in nature, 2 new artifacts have been established:
  - sshd-common - contains common code that is used throughout the other artifacts - mainly SSH related definitions and support code that deals with keys, ciphers, fingerprints, etc.. - but no client or server code. The Maven dependencies have been updated accordingly, so users who declare a dependency on "sshd-core" (and other previous version artifacts) will automatically include the "sshd-common" artifact as well.
  - sshd-putty - ("spin off" from sshd-contrib) - contains the code necessary to use Putty key files for authentication. Users who previously used "sshd-contrib" Maven dependency for this purpose should replace it with "sshd-putty".
* Fixed some issues related to port forwarding - mainly correctly un-binding the locally bound ports used for tunnels.
* Fixed the ability to disable registering security providers using system property configuration.
* Use Nio2ServiceFactoryFactory as the hardwired default if no other found or explicitly set.

Users are encouraged to read the documentation available at https://github.com/apache/mina-sshd/ which has been updated to reflect the necessary code changes.

Advisory notice regarding building the code from the released (ZIP/TAR.GZ) sources distribution:

A minor issue has been discovered in this context for users who wish to build the artifacts from these distributions instead of the GIT repository. There are 2 "hostkey.ser" files that have been included by mistake - one in the "sshd-core" folder and the other in the "sshd-netty" one. These files are actually products of previous builds, and they interfere with the unit tests causing them to fail. Users who wish to build the project from the ZIP/TAR.GZ source distributions should delete the 2 aforementioned files before proceeding with the build.

In this context it is important to emphasize:

* The said problem affects the build process only when it is attempting to run the unit tests - the released production artifacts on Maven Central or the ones generated locally as a result of the build process are not affected in any way.
* This issue does not affect in any way users who wish to build the artifacts from the GIT repository sources.
* The "offending" files have been correctly excluded in the latest development master branch - so future releases should no longer suffer from this problem.

We recommend all users to upgrade to this release - we consider this a stable and production ready release.

On behalf of the Apache Mina team,
Guillaume Nodet
Re: Different root and initial directories for SFTP
Ah, I see. It's currently not supported unfortunately : please raise a JIRA for that.
In the mean time, you should derive the SftpSubsystem class and override the getDefaultDirectory method to return the Path you want for the given user.

Guillaume

2018-05-24 21:00 GMT+02:00 Quinn Stevenson <qu...@pronoia-solutions.com>:

> Yeah - I’ve tried that. What it does is sets the root of the virtual
> filesystem to a different spot for that user. So if I set the
> defaultHomeDir to target/sftp and the userHomeDir for my test user to
> target/sftp/home/user, the “root” of the virtual filesystem is
> target/sftp/home/user. What I need is the root of the virtual filesystem
> to be target/sftp, and the initial/login directory for the user to be
> target/sftp/home/user.
>
> I think I need to set the “current directory” for the user when they
> login, but I have no idea how to do that on the SSHD server.
>
> Hopefully that helps describe what I’m trying to do.
>
> > On May 24, 2018, at 8:56 AM, Guillaume Nodet <gno...@apache.org> wrote:
> >
> > Have you tried setting home dirs for your users on the
> > VirtualFileSystemFactory ?
> >
> > vfsf.setUserHomeDir("the user", the_home_dir);
> >
> > 2018-05-24 15:49 GMT+02:00 Quinn Stevenson <qu...@pronoia-solutions.com>:
> >
> >> I’m using Mina SSHD (1.7.0) as an embedded SFTP server for unit testing,
> >> and I’ve come across an issue I can’t figure out.
> >>
> >> I’m looking for a way to set the initial directory in a virtual filesystem
> >> for a user when they login to the SFTP server.
> >>
> >> I’m simulating some systems that have not chroot-ed their SFTP users, so
> >> the initial directory for the user is /home/username, but the users can
> >> access the entire filesystem (I know - not a good idea, but I didn’t set
> >> this up).
> >>
> >> My problem is that when I setup the SFTP server using Mina SSHD with a
> >> VirtualFileSystemFactory, the user is always placed in the “root” directory
> >> (i.e. / ) when they login. This makes it really hard for me to simulate
> >> navigating the virtual filesystem in my tests because the paths are
> >> different.
> >>
> >> Any ideas/suggestions would be greatly appreciated!!
> >>
> >> Quinn Stevenson
> >
> > --
> > Guillaume Nodet

--
Guillaume Nodet
Re: Different root and initial directories for SFTP
Have you tried setting home dirs for your users on the VirtualFileSystemFactory ?

    vfsf.setUserHomeDir("the user", the_home_dir);

2018-05-24 15:49 GMT+02:00 Quinn Stevenson <qu...@pronoia-solutions.com>:

> I’m using Mina SSHD (1.7.0) as an embedded SFTP server for unit testing,
> and I’ve come across an issue I can’t figure out.
>
> I’m looking for a way to set the initial directory in a virtual filesystem
> for a user when they log in to the SFTP server.
>
> I’m simulating some systems that have not chroot-ed their SFTP users, so
> the initial directory for the user is /home/username, but the users can
> access the entire filesystem (I know - not a good idea, but I didn’t set
> this up).
>
> My problem is that when I set up the SFTP server using Mina SSHD with a
> VirtualFileSystemFactory, the user is always placed in the “root” directory
> (i.e. / ) when they log in. This makes it really hard for me to simulate
> navigating the virtual filesystem in my tests because the paths are
> different.
>
> Any ideas/suggestions would be greatly appreciated!!
>
> Quinn Stevenson

--
Guillaume Nodet
[ANN] Apache Mina SSHD 1.7.0 Released
We're pleased to announce the release of Mina SSHD 1.7.0.

The release is available from the ASF download sites and also from Maven Central:
  http://mina.apache.org/sshd-project/download_1.7.0.html

Release notes:
  https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12341097=Text=12310849=Create_token=A5KQ-2QAV-T4JA-FDED%7C47f5fd1e799680219ff14477b5b2c29ce7aaf6fd%7Clin

Cheers,
Guillaume Nodet
Re: SSHD session init issue? (msg order)
That looks legit to me, see rfc4253 section 5.2

5.2 <https://tools.ietf.org/html/rfc4253#section-5.2>. New Client, Old Server

   Since the new client MAY immediately send additional data after its
   identification string (before receiving the server's identification
   string), the old protocol may already be corrupt when the client
   learns that the server is old. When this happens, the client SHOULD
   close the connection to the server, and reconnect using the old
   protocol.

This implies that what you see is correct from a client point of view.
Would it be possible to enable debug logging on the cisco server to get more traces ?

2017-11-02 9:38 GMT+01:00 Maroš Maršálek <mmarsa...@frinx.io>:

> Hello mina(sshd) devs,
>
> While using mina-sshd I ran into a possible issue.
>
> Basically, when connecting as a client to SSH server, session
> initialization halts. The message exchange (observed by wireshark) looked
> like this:
>
> Mina-SSHD-client -> SSH server    SSH-2.0-...
> Mina-SSHD-client -> SSH server    KEX_INIT
> SSH server -> Mina-SSHD-client    SSH-2.0-Cisco-1.25
>
> No further messages were exchanged.
>
> This does not always happen, if the timing is right and the message order
> looks like:
>
> SSH-2.0...
> SSH-2.0-Cisco-1.25
> KEX_INIT
> KEX_INIT
>
> ... the communication continues as expected.
>
> So my questions would be:
>
> Is that an issue ? Should the „SSH protocol identifiers“ be exchanged
> first and only then KEX_INIT messages ? Is that message order valid by the
> SSH protocol standards ?
>
> If so, can that be considered a possible issue in mina-sshd library and
> should it wait to send KEX_INIT only after SSH protocol identifier was
> received ?
>
> Or is this just a bug in this particular SSH server...
>
> I tested this with mina-sshd 1.16.0 and also 0.14 versions.
>
> The SSH server is part of Cisco IOSv software (version 15.5(3) and above).
>
> Regards,
>
> Maroš Maršalek
> Software Engineer
>
> Frinx s.r.o.
> Mlynské Nivy 48 / 821 09 Bratislava / Slovakia
> +421 2 209 101 41 / mmarsa...@frinx.io / www.frinx.io <http://www.frinx.io>

--
Guillaume Nodet
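An added example, not code from the thread or from MINA SSHD: a receiver for the exchange described above that reads the peer's identification line byte by byte, so a KEX_INIT sent directly behind it (the ordering in the first capture) is still there for the packet layer. Class and method names are hypothetical, and the identification strings and the KEX_INIT packet are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added example, not MINA SSHD code; all class and method names are hypothetical.
public class IdentThenKexInit {
    static final int MAX_IDENT = 255;         // RFC 4253 section 4.2, CR LF included
    static final int MAX_PREAMBLE_LINES = 16; // assumed local limit, not from the RFC
    static final int SSH_MSG_KEXINIT = 20;

    // Consumes bytes one at a time up to the LF that ends the identification
    // line, so a packet sent right behind it is still unread in the stream.
    static String readIdentification(InputStream in) throws IOException {
        for (int n = 0; n <= MAX_PREAMBLE_LINES; n++) {
            ByteArrayOutputStream line = new ByteArrayOutputStream();
            int b;
            while ((b = in.read()) != -1 && b != '\n') {
                if (line.size() >= MAX_IDENT - 1) {
                    throw new IOException("line exceeds 255 bytes");
                }
                line.write(b);
            }
            if (b == -1) {
                throw new IOException("stream ended before an identification string");
            }
            String s = new String(line.toByteArray(), StandardCharsets.ISO_8859_1);
            if (s.endsWith("\r")) {
                s = s.substring(0, s.length() - 1);
            }
            if (s.startsWith("SSH-")) {
                if (!s.startsWith("SSH-2.0-") && !s.startsWith("SSH-1.99-")) {
                    throw new IOException("unsupported protocol version: " + s);
                }
                return s;
            }
            // Section 4.2 allows a server to send other lines first; skip them.
        }
        throw new IOException("no identification string within the line limit");
    }

    // Reads one unencrypted binary packet (RFC 4253 section 6), returns its message number.
    static int readMessageType(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int packetLength = din.readInt();              // excludes the length field itself
        if (packetLength < 12 || packetLength > 35000) {
            throw new IOException("implausible packet length " + packetLength);
        }
        byte[] body = new byte[packetLength];
        din.readFully(body);
        int padding = body[0] & 0xff;
        if (padding < 4 || padding > packetLength - 2) {
            throw new IOException("bad padding length " + padding);
        }
        return body[1] & 0xff;                         // first payload byte
    }

    // Constructed sample: KEXINIT with a zero cookie and ten empty name-lists.
    static byte[] sampleKexInit() {
        byte[] payload = new byte[1 + 16 + 10 * 4 + 1 + 4];
        payload[0] = (byte) SSH_MSG_KEXINIT;
        int pad = 8 - ((5 + payload.length) % 8);
        if (pad < 4) {
            pad += 8;
        }
        ByteBuffer buf = ByteBuffer.allocate(5 + payload.length + pad);
        buf.putInt(1 + payload.length + pad).put((byte) pad).put(payload);
        return buf.array();                            // padding bytes stay zero
    }

    // Parses what one side receives: text lines followed directly by a packet.
    static String receive(String wireText, byte[] packet) throws IOException {
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        wire.write(wireText.getBytes(StandardCharsets.ISO_8859_1));
        wire.write(packet);
        InputStream in = new ByteArrayInputStream(wire.toByteArray());
        return readIdentification(in) + " | next message type " + readMessageType(in);
    }

    public static void main(String[] args) throws IOException {
        byte[] kexInit = sampleKexInit();
        // Identification and KEXINIT back to back, as in the stalled capture.
        System.out.println(receive("SSH-2.0-ExampleClient_1.0\r\n", kexInit));
        // A server that sends a banner line before its identification string.
        System.out.println(receive("Authorized use only\r\nSSH-2.0-ExampleServer_1.0\r\n", kexInit));
        try {
            String tooLong = new String(new char[300]).replace('\0', 'x');
            receive("SSH-2.0-" + tooLong + "\r\n", kexInit);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```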
Re: How to configure ChannelShell correctly? (Part 2)
Here is an example of this integration:
  https://github.com/jline/jline3/blob/master/remote-ssh/src/main/java/org/jline/builtins/ssh/Ssh.java#L165-L265

For the server side, you can look at:
  https://github.com/jline/jline3/blob/master/remote-ssh/src/main/java/org/jline/builtins/ssh/ShellFactoryImpl.java#L119

The invertedIn stream is an OutputStream which you can use to write to the remote input stream of the ssh channel. What you write will be the input on the server side. It's created when the channel is opened. If an in channel is set (using setIn) before the channel is opened, a thread will be created which will read from that InputStream and write the data to the invertedIn.

You also have the ability to use an async mode where you can use streams using the IoInputStream and IoOutputStream interfaces.

2017-06-29 11:07 GMT+02:00 Nick Lee <lee1n...@yahoo.ca.invalid>:

> Hello,
> One thing I forgot to mention
> The terminal emulator needs an InputStream and an OutputStream.
> I use ChannelShell.getOut() to obtain the OutputStream.
> I use ChannelShell.getInvertedOut() to obtain the InputStream, because
> ChannelShell.getIn() initially returns null and I did not check again later.
> Is that the right way to do it? Should I call getIn() later to obtain an
> InputStream? What is "inverted out" for?
> Thanks,
> Nick

--
Guillaume Nodet
Re: Regarding the SSHD 1.5.0 Release ETA
Unfortunately, it can't be published. There's a licensing issue that needs to get sorted and we'll have to recut a release.

2017-05-19 11:06 GMT+02:00 Oleg Nenashev <o.v.nenas...@gmail.com>:

> Hi all,
>
> Thanks a lot for the release cut off, I see it in GitHub. Unfortunately
> SSHD 1.5.0 has not been published in Maven Central yet:
> http://central.maven.org/maven2/org/apache/sshd/sshd-core/ . Likely it is
> just waiting for the approval in staging. Would it be possible to get it
> published?
>
> There is also an issue with the changelog entry for SSHD-727. It says
> "Upgrade EdDSA artifact version to 1.1", but actually it has been upgraded
> from 1.1 to 1.2 as it has been mentioned in the issue comments.
>
> Thanks in advance,
> Oleg Nenashev
>
> 2017-05-11 13:55 GMT+02:00 Emmanuel Lécharny <elecha...@gmail.com>:
>
> > On 11/05/2017 at 09:45, Oleg Nenashev wrote:
> > > Hello,
> > >
> > > Thanks for the response! Looking forward to get a decision.
> > >
> > > I would probably wait till the Jigsaw mess gets resolved somehow ;)
> >
> > You mean, 2027 ?
> >
> > --
> > Emmanuel Lecharny
> >
> > Symas.com
> > directory.apache.org

--
Guillaume Nodet
Re: Is there a maven snapshot repository for this project
You can try with the github clone
  https://github.com/apache/mina-sshd.git

I've also uploaded a snapshot at:
  https://repository.apache.org/content/repositories/snapshots/org/apache/sshd/sshd-core/1.4.0-SNAPSHOT/sshd-core-1.4.0-20161128.120923-1.jar

2016-11-28 12:42 GMT+01:00 Claude Warren <cla...@xenei.com>:

> I get the following error:
>
> git clone http://git-wip-us.apache.org/repos/asf/mina-sshd.git sshd
> Initialized empty Git repository in /home/iei77703/git/sshd/.git/
> error: RPC failed; result=22, HTTP code = 405
>
> On Sun, Nov 27, 2016 at 10:13 AM, Emmanuel Lécharny <elecha...@gmail.com>
> wrote:
>
> > On 27/11/16 at 10:44, Claude Warren wrote:
> > > I was looking for a maven snapshot repository for the sshd modules. Is
> > > there one or do I have to build from source?
> >
> > Building the project from source is as easy as doing:
> >
> > $ git clone http://git-wip-us.apache.org/repos/asf/mina-sshd.git sshd
> > $ mvn clean install
> >
> > It takes a couple of mins, all included, it only requires Java 7 and
> > Maven 3.x.
> >
> > --
> > Emmanuel Lecharny
> >
> > Symas.com
> > directory.apache.org
>
> --
> I like: Like Like - The likeliest place on the web
> <http://like-like.xenei.com>
> LinkedIn: http://www.linkedin.com/in/claudewarren

--
Guillaume Nodet
Red Hat, Open Source Integration
Email: gno...@redhat.com
Web: http://fusesource.com
Blog: http://gnodet.blogspot.com/
Re: SSHD client - is it possible to reuse a session?
It's a valid use case and it should work.
However, if you stack your sessions for too long, the client or server may consider the session idle for too long and close it. Before reusing the session, check the session state with a call to isOpen().

You can change the timeout on the client or server (if using sshd) with the following code. The default value is FactoryManager.DEFAULT_IDLE_TIMEOUT which is 10 minutes.

    final long idleTimeoutValue = TimeUnit.SECONDS.toMillis(5L);
    PropertyResolverUtils.updateProperty(sshd, FactoryManager.IDLE_TIMEOUT, idleTimeoutValue);

2016-11-17 15:57 GMT+01:00 Claude Warren <cla...@xenei.com>:

> I am attempting to create a client session and then use it to send multiple
> commands. Is this possible?
>
> {noformat}
>
>     ConnectFuture connect = client.connect(cred.getUserName(), socketAddress);
>     if (connect.await(1)) {
>         session = connect.getSession();
>         if (session != null) {
>             session.addPasswordIdentity(cred.getPassword());
>             AuthFuture future = session.auth();
>             future.await(config.getConnectionTimeout());
>             if (future.isFailure()) {
>                 if (LOG.isDebugEnabled()) {
>                     LOG.debug(String.format(
>                             "Login to %s with id '%s' failed",
>                             socketAddress, cred.getUserName()));
>                     session.close(false);
>                 }
>             } else {
>                 return session;
>             }
>         } else {
>             LOG.info(String.format("Unable to create session with %s",
>                     socketAddress));
>         }
>
> === snip ===
>
>     ClientChannel channel = session.createChannel(Channel.CHANNEL_EXEC,
>             command.getSend());
>     ByteArrayOutputStream out = new ByteArrayOutputStream();
>     ByteArrayOutputStream err = new ByteArrayOutputStream();
>     channel.setOut(out);
>     channel.setErr(err);
>
>     channel.open().await(1);
>     channel.waitFor(EnumSet.of(ClientChannelEvent.CLOSED), 0);
>
> {noformat}
>
> Basically I call the first part to create the session and then execute the
> command in the second part. I process the results and depending on output
> I run other commands by calling the second part again. (same session, and I
> have closed the previous channel).
>
> The issue I see is that the session is closed when the channel is closed.
> The implementation is using the NIO2 packages.
>
> I am not certain if this is a bug,
> a misconfiguration on my part,
> or patently not possible.
>
> Any assistance would be appreciated.
>
> Claude Warren
> --
> I like: Like Like - The likeliest place on the web
> <http://like-like.xenei.com>
> LinkedIn: http://www.linkedin.com/in/claudewarren

--
Guillaume Nodet
Red Hat, Open Source Integration
Email: gno...@redhat.com
Web: http://fusesource.com
Blog: http://gnodet.blogspot.com/
Re: SshClient#start call multiple times
The client (and server) are not supposed to be started multiple times.
This could be improved, but for now, you'd better only call start / stop once.

2016-03-18 16:45 GMT+01:00 Alexis de Talhouët <adetalho...@inocybe.ca>:

> Hello sshd-dev,
>
> Let's say I have an SshClient shared across my app, used to establish
> connection to remote devices. Each time the app is attempting a connection,
> the #start() method of SshClient is called. Doing so created a FD leak in
> the app.
>
> So I’m wondering if by design, the SshClient#start() can be called
> multiple times. Else, a quick and easy check in the start method to see if
> already started would be an easy fix.
>
> More context:
> [0]: is the static final definition of the SshClient, where the client is
> started the first time
> [1]: and here is where the SshClient is started on each connect attempt
>
> Thanks,
> Alexis
>
> [0]: https://github.com/opendaylight/netconf/blob/master/netconf/netconf-netty-util/src/main/java/org/opendaylight/netconf/nettyutil/handler/ssh/client/AsyncSshHandler.java#l46l59
> [1]: https://github.com/opendaylight/netconf/blob/master/netconf/netconf-netty-util/src/main/java/org/opendaylight/netconf/nettyutil/handler/ssh/client/AsyncSshHandler.java#l89

--
Guillaume Nodet
Red Hat, Open Source Integration
Email: gno...@redhat.com
Web: http://fusesource.com
Blog: http://gnodet.blogspot.com/
Re: Extending sshd to support streaming files from a file repository
I'm not sure I understand. You want your client to use the SSH / SFTP protocol to connect to the server, and then, the server would call a web service to actually query the file system over the web service, right ?

If you don't want your client to directly use the custom FileSystemProvider, and force it to use SFTP instead, you can achieve that by setting your custom FileSystemFactory on the ssh server and that should be enough.

2015-12-18 2:52 GMT+01:00 rockyfm:

> We are looking to extend sshd 1.0 to support a file system that does not
> exist natively on the server running the sshd process. File operations like
> "ls" would query a web service to return a structure that represents the
> access the user has to files and directories on the remote file repository.
> Similarly a "GET" would retrieve a file from the repository while a "PUT"
> would save it to the repository. My initial understanding is that I could
> achieve what I need by implementing something as follows (based on the
> RootedFileSystemProvider)
> 1. MyCustomFileSystemProvider extending FileSystemProvider
> 2. MyCustomPath extending BasePath
> 3. MyCustomtFileSystem extending BaseFileSystem< MyCustomPath >
> 4. MyCustomFileSystemFactory implementing FileSystemFactory
>
> I was wondering if I was on the right track. Do I need to extend the
> SftpSubsystem, if I need to stream a file from a remote server ?
>
> Any pointers are greatly appreciated.
>
> --
> View this message in context:
> http://apache-mina.10907.n7.nabble.com/Extending-sshd-to-support-streaming-files-from-a-file-repository-tp49141.html
> Sent from the Apache MINA User Forum mailing list archive at Nabble.com.
Re: Is there an easy way to parse an OpenSSH RSA/DSA/ECDSA pub/priv keypair?
Sure, but that's definitely not what the private key looks like. It usually looks like:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

And loading the public key only won't really give you a KeyPair.
The method I pointed you to in SecurityUtils needs an InputStream containing such a private key.

Guillaume

2015-11-02 17:25 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:

> Jsch loads encrypted ones just fine :) It will not connect with ECDSA
> though, which is why we switched to mina-sshd.
>
> And those are definitely PEM encoded keys. Typically with the ssh-keygen
> tool, your generated pubkey will be in this format:
>
> jonathan.fisher@apollo:~/.ssh$ cat id_dsa.pub
> ssh-dss
> jonathan.fisher@apollo
>
> On Mon, Nov 2, 2015 at 10:20 AM, Guillaume Nodet <gno...@apache.org>
> wrote:
>
> > The code is used to load the following keys:
> >
> > https://github.com/apache/mina-sshd/tree/master/sshd-core/src/test/resources/org/apache/sshd/client/config/keys
> >
> > Isn't that what you need ?
> >
> > Fwiw, afaik, JSch can't load encrypted keys.
> >
> > 2015-11-02 17:00 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:
> >
> > > If I could press you just a bit further
> > >
> > > I have the private key and the public key as separate strings in the
> > > typical OpenSSH format. I noticed the source code for the
> > > SecurityUtils.loadKeyPairIdentity() seems to invoke methods based
> > > around PEM formats, which is not common at all for SSH.
> > >
> > > Is there a way to parse, combine, and convert the keys I have to PEM
> > > format in Java?
> > >
> > > On Mon, Nov 2, 2015 at 9:44 AM, Jonathan S. Fisher <jonat...@springventuregroup.com> wrote:
> > >
> > > > https://mina.apache.org/sshd-project/downloads.html
> > > >
> > > > Just noticed this is not showing a changelog or a download link for
> > > > 1.0. I saw v1.0 in Nexus, but since it wasn't listed as a release I
> > > > figured it was a fluke.
> > > >
> > > > On Sun, Nov 1, 2015 at 2:50 AM, Guillaume Nodet <gno...@apache.org>
> > > > wrote:
> > > >
> > > >> Here's the code from SSHD 1.0
> > > >> I think the javadoc on the web site is outdated, i'll try to fix it.
> > > >>
> > > >> https://github.com/apache/mina-sshd/blob/sshd-1.0.0/sshd-core/src/main/java/org/apache/sshd/common/util/SecurityUtils.java#L202
> > > >>
> > > >> 2015-10-31 16:24 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:
> > > >>
> > > >> > Using Jsch, I was able to parse the keys:
> > > >> >
> > > >> > JSch jSch = new JSch();
> > > >> > try {
> > > >> >     com.jcraft.jsch.KeyPair jschKeypair = com.jcraft.jsch.KeyPair.load(jSch,
> > > >> >             privateKey.getBytes(), publicKey.getBytes());
> > > >> >     jschKeypair.decrypt(keyPass);
> > > >> >     byte[] fromAgent = jschKeypair.forSSHAgent();
> > > >> >     Buffer buffer = new Buffer(fromAgent);
> > > >> >     return buffer.getKeyPair();
> > > >> > } catch (JSchException | SshException e) {
> > > >> >     throw new RuntimeException(e);
> > > >> > }
> > > >> >
> > > >> > However, is there a way to do this without bringing in Jsch?
> > > >> >
> > > >> > On Sat, Oct 31, 2015 at 9:12 AM, Jonathan S. Fisher <jonat...@springventuregroup.com> wrote:
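An added example, not code from the thread, MINA SSHD or JSch: parsing the one-line OpenSSH public key format quoted above with JDK classes only, for ssh-rsa and ssh-dss. It covers the public half only, so it does not produce a KeyPair; the class and method names are hypothetical and the sample key is generated inside the program.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.DSAPublicKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

// Added example using only the JDK; class and method names are hypothetical.
public class OpenSshPublicKeyLine {
    // One length-prefixed field of the key blob: uint32 length, then the bytes.
    static byte[] readField(ByteBuffer buf) {
        int len = buf.remaining() >= 4 ? buf.getInt() : -1;
        if (len < 0 || len > buf.remaining()) {
            throw new IllegalArgumentException("truncated or oversized field");
        }
        byte[] out = new byte[len];
        buf.get(out);
        return out;
    }

    // An mpint is a two's complement big-endian integer; key parameters must be positive.
    static BigInteger readPositiveMpint(ByteBuffer buf) {
        byte[] raw = readField(buf);
        BigInteger v = raw.length == 0 ? BigInteger.ZERO : new BigInteger(raw);
        if (v.signum() <= 0) {
            throw new IllegalArgumentException("key parameter is zero or negative");
        }
        return v;
    }

    // Parses "<type> <base64 blob> [comment]" and checks the type named inside the blob.
    static PublicKey parse(String line) throws GeneralSecurityException {
        String[] parts = line.trim().split("\\s+", 3);
        if (parts.length < 2) {
            throw new IllegalArgumentException("expected '<type> <base64> [comment]'");
        }
        ByteBuffer blob = ByteBuffer.wrap(Base64.getDecoder().decode(parts[1]));
        String type = new String(readField(blob), StandardCharsets.US_ASCII);
        if (!type.equals(parts[0])) {
            throw new IllegalArgumentException("type in blob (" + type + ") differs from prefix");
        }
        PublicKey key;
        if ("ssh-rsa".equals(type)) {                 // blob fields: e, n
            BigInteger e = readPositiveMpint(blob);
            BigInteger n = readPositiveMpint(blob);
            key = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
        } else if ("ssh-dss".equals(type)) {          // blob fields: p, q, g, y
            BigInteger p = readPositiveMpint(blob);
            BigInteger q = readPositiveMpint(blob);
            BigInteger g = readPositiveMpint(blob);
            BigInteger y = readPositiveMpint(blob);
            key = KeyFactory.getInstance("DSA").generatePublic(new DSAPublicKeySpec(y, p, q, g));
        } else {
            throw new IllegalArgumentException("key type not handled in this example: " + type);
        }
        if (blob.hasRemaining()) {
            throw new IllegalArgumentException("trailing bytes after key fields");
        }
        return key;
    }

    // Builds the sample input: an OpenSSH-style line for a freshly generated RSA key.
    static String toLine(RSAPublicKey key, String comment) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        byte[][] fields = {"ssh-rsa".getBytes(StandardCharsets.US_ASCII),
            key.getPublicExponent().toByteArray(), key.getModulus().toByteArray()};
        for (byte[] field : fields) {
            out.writeInt(field.length);
            out.write(field);
        }
        return "ssh-rsa " + Base64.getEncoder().encodeToString(bytes.toByteArray()) + " " + comment;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RSAPublicKey original = (RSAPublicKey) gen.generateKeyPair().getPublic();
        String line = toLine(original, "user@example");   // constructed sample line
        RSAPublicKey parsed = (RSAPublicKey) parse(line);
        System.out.println("round trip ok: " + (parsed.getModulus().equals(original.getModulus())
                && parsed.getPublicExponent().equals(original.getPublicExponent())));
        try {
            parse("ssh-dss " + line.split(" ")[1]);       // prefix does not match the blob
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```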
Re: Is there an easy way to parse an OpenSSH RSA/DSA/ECDSA pub/priv keypair?
The code is used to load the following keys:

https://github.com/apache/mina-sshd/tree/master/sshd-core/src/test/resources/org/apache/sshd/client/config/keys

Isn't that what you need ?

Fwiw, afaik, JSch can't load encrypted keys.

2015-11-02 17:00 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:

> If I could press you just a bit further
>
> I have the private key and the public key as separate strings in the
> typical OpenSSH format. I noticed the source code for the
> SecurityUtils.loadKeyPairIdentity() seems to invoke methods based around
> PEM formats, which is not common at all for SSH.
>
> Is there a way to parse, combine, and convert the keys I have to PEM format
> in Java?
>
> On Mon, Nov 2, 2015 at 9:44 AM, Jonathan S. Fisher <jonat...@springventuregroup.com> wrote:
>
> > https://mina.apache.org/sshd-project/downloads.html
> >
> > Just noticed this is not showing a changelog or a download link for 1.0.
> > I saw v1.0 in Nexus, but since it wasn't listed as a release I figured it
> > was a fluke.
> >
> > On Sun, Nov 1, 2015 at 2:50 AM, Guillaume Nodet <gno...@apache.org>
> > wrote:
> >
> >> Here's the code from SSHD 1.0
> >> I think the javadoc on the web site is outdated, i'll try to fix it.
> >>
> >> https://github.com/apache/mina-sshd/blob/sshd-1.0.0/sshd-core/src/main/java/org/apache/sshd/common/util/SecurityUtils.java#L202
> >>
> >> 2015-10-31 16:24 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:
> >>
> >> > Using Jsch, I was able to parse the keys:
> >> >
> >> > JSch jSch = new JSch();
> >> > try {
> >> >     com.jcraft.jsch.KeyPair jschKeypair = com.jcraft.jsch.KeyPair.load(jSch,
> >> >             privateKey.getBytes(), publicKey.getBytes());
> >> >     jschKeypair.decrypt(keyPass);
> >> >     byte[] fromAgent = jschKeypair.forSSHAgent();
> >> >     Buffer buffer = new Buffer(fromAgent);
> >> >     return buffer.getKeyPair();
> >> > } catch (JSchException | SshException e) {
> >> >     throw new RuntimeException(e);
> >> > }
> >> >
> >> > However, is there a way to do this without bringing in Jsch?
> >> >
> >> > On Sat, Oct 31, 2015 at 9:12 AM, Jonathan S. Fisher <jonat...@springventuregroup.com> wrote:
> >> >
> >> > > https://mina.apache.org/sshd-project/apidocs/org/apache/sshd/common/util/SecurityUtils.html
> >> > >
> >> > > Can you point me to that method in the docs? I'm not seeing it
> >> > > there...
> >> > >
> >> > > On Fri, Oct 30, 2015 at 5:59 PM, Guillaume Nodet <gno...@apache.org>
> >> > > wrote:
> >> > >
> >> > >> You can try with
> >> > >> SecurityUtils.loadKeyPairIdentity
> >> > >>
> >> > >> 2015-10-30 17:36 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:
> >> > >>
> >> > >> > Hey guys,
> >> > >> >
> >> > >> > I've been poring through examples and source code, and I cannot
> >> > >> > figure out how to do this. I have a pair of Strings that is the
> >> > >> > contents of a user's id_ecdsa and id_ecdsa.pub. The private key
> >> > >> > is encrypted.
> >> > >> >
> >> > >> > Is there not a conversion utility class to go from OpenSSH to a
> >> > >> > KeyPair anywhere? If not, what would be the shortest steps to
> >> > >> > write one? I noticed the Buffer class and the SecurityUtils, but
> >> > >> > they don't seem to handle encryption.
> >> > >> >
> >> > >> > Thanks,
> >> > >> > -Jonathan
Re: Apache SSHD and Apache MINA integration
It may be easier for you to go to a lower level though.

    SshClient client = SshClient.setUpDefaultClient();
    ClientSession session = new ClientSessionImpl(client, new MinaSession(null, ioSession));
    session.setUsername(...);
    ...

I suppose your code snippet should work too, though you'd have to call client.connect() with a dummy address.

2015-10-21 8:24 GMT+02:00 Vikram Darsi:

> Hi
>
> We have a Netconf protocol implementation on top of Apache MINA and Apache
> SSHD, and currently working on new feature "reverse SSH"
>
> 1. Apache MINA's NioSocketAcceptor is used to accept incoming connections
> and a StreamIOhandler is set to it.
>
> 2. So, when a connection is accepted, we have a IoSession, InputStream and
> OutputStream with us
>
> 3. As per the concept of reverseSSH, all further requests should use the
> same channel.
>
> Here comes the need to attach the IoSession to Apache SSHD's SshClient
>
> The following is the code snippet written for achieving this
>
> sshClient.setIoServiceFactoryFactory(new IoServiceFactoryFactory() {
>     @Override
>     public IoServiceFactory create(final FactoryManager manager) {
>         return new MinaServiceFactory(manager) {
>             @Override
>             public IoConnector createConnector(final IoHandler handler) {
>                 try {
>                     return new Nio2Connector(manager, handler,
>                             AsynchronousChannelGroup.withThreadPool(MoreExecutors.sameThreadExecutor())) {
>                         @Override
>                         public IoConnectFuture connect(final SocketAddress address) {
>                             DefaultIoConnectFuture defaultIoConnectFuture = new DefaultIoConnectFuture(null);
>                             defaultIoConnectFuture.setSession(ioSession);
>                             return defaultIoConnectFuture;
>                         }
>                     };
>                 } catch (IOException e) {
>                     // FIXME
>                     e.printStackTrace();
>                 }
>                 return null;
>             }
>         };
>     }
> });
>
> sshClient.start();
>
> Are these steps correct? If not, can you please let us know the correct
> steps.
>
> 4. For further communication can we use this SshClient API to talk to the
> devices in usual manner?
>
> Thanks
> Vikram
Re: Sftp client - large directory listing
You need to call readDir(h) multiple times until it returns null which signifies that the whole directory has been read.

2015-10-15 20:20 GMT+02:00 Gabriel Kapitany:

> Hi all,
>
> I’m using the SSH client library and trying to list a remote directory
> containing large number of files +10,000.
>
> Something along this line:
>
> …..
> sftp = session.createSftpClient();
> …
> List myList = new ArrayList();
> SftpClient.DirEntry[] dir = null;
> try {
>     h = sftp.openDir(folder);
>     dir = sftp.readDir(h);
> } catch (IOException e) {
>     throw new InterruptedException("Can't open directory: " + e);
> }
>
> int count = dir.length;
>
> I’m looking for files in the list with a particular extension
> filexx.ext, for which I call sftp.get.
>
> The listing returns around 100 files unsorted, which doesn’t hold any of
> the *.ext files, even though there are many of them on the remote folder.
> At this point my application gets stuck.
>
> I think this is due to the buffer size. How can I retrieve the whole
> list? Or, is there any other way to deal with the problem?
>
> Thanks,
> Gabriel
Re: SFTP - Strange Heap Behaviour under load
Yes, please reproduce the error and take a memory dump somehow, and raise a JIRA issue and attach the dump to it.

2015-10-27 8:17 GMT+01:00 Stefan Magnus Landrø:

> Have you performed a heap dump and tried analyzing it with eclipse mat
> (https://eclipse.org/mat/) or similar? You could add a jvm flag to have it
> dump memory when oom-ing
> (http://www.oracle.com/technetwork/java/javase/clopts-139448.html)?
>
> Stefan
>
> 2015-10-27 8:04 GMT+01:00 Olivier Girardot :
>
> > any idea ? this is a blocker for us and it makes us consider dropping
> > sshd :-/
> >
> > 2015-10-19 19:09 GMT+02:00 Olivier Girardot :
> >
> >> Hi everyone,
> >> we're experiencing some trouble using sshd 1.0.0 as an SFTP server under
> >> high load with many small files (< 15 M).
> >> We do not see a lot of GC Activity when the server is idle, and when
> >> "some" load appears sometimes the heap usage goes down, and sometimes we
> >> gradually go up until an OOM Error kills everything.
> >>
> >> Here's some of the Heap/Thread behaviour we observe :
> >>
> >> [image: Embedded images 1]
> >>
> >> Any idea what we could be doing wrong ?
> >>
> >> --
> >> Olivier Girardot
>
> --
> BEKK Open
> http://open.bekk.no
>
> TesTcl - a unit test framework for iRules
> http://testcl.com
Re: Is there an easy way to parse an OpenSSH RSA/DSA/ECDSA pub/priv keypair?
Here's the code from SSHD 1.0
I think the javadoc on the web site is outdated, i'll try to fix it.

https://github.com/apache/mina-sshd/blob/sshd-1.0.0/sshd-core/src/main/java/org/apache/sshd/common/util/SecurityUtils.java#L202

2015-10-31 16:24 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:

> Using Jsch, I was able to parse the keys:
>
> JSch jSch = new JSch();
> try {
>     com.jcraft.jsch.KeyPair jschKeypair = com.jcraft.jsch.KeyPair.load(jSch,
>             privateKey.getBytes(), publicKey.getBytes());
>     jschKeypair.decrypt(keyPass);
>     byte[] fromAgent = jschKeypair.forSSHAgent();
>     Buffer buffer = new Buffer(fromAgent);
>     return buffer.getKeyPair();
> } catch (JSchException | SshException e) {
>     throw new RuntimeException(e);
> }
>
> However, is there a way to do this without bringing in Jsch?
>
> On Sat, Oct 31, 2015 at 9:12 AM, Jonathan S. Fisher <jonat...@springventuregroup.com> wrote:
>
> > https://mina.apache.org/sshd-project/apidocs/org/apache/sshd/common/util/SecurityUtils.html
> >
> > Can you point me to that method in the docs? I'm not seeing it there...
> >
> > On Fri, Oct 30, 2015 at 5:59 PM, Guillaume Nodet <gno...@apache.org>
> > wrote:
> >
> >> You can try with
> >> SecurityUtils.loadKeyPairIdentity
> >>
> >> 2015-10-30 17:36 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:
> >>
> >> > Hey guys,
> >> >
> >> > I've been poring through examples and source code, and I cannot figure
> >> > out how to do this. I have a pair of Strings that is the contents of a
> >> > user's id_ecdsa and id_ecdsa.pub. The private key is encrypted.
> >> >
> >> > Is there not a conversion utility class to go from OpenSSH to a KeyPair
> >> > anywhere? If not, what would be the shortest steps to write one? I
> >> > noticed the Buffer class and the SecurityUtils, but they don't seem to
> >> > handle encryption.
> >> >
> >> > Thanks,
> >> > -Jonathan
Re: Is there an easy way to parse an OpenSSH RSA/DSA/ECDSA pub/priv keypair?
You can try with SecurityUtils.loadKeyPairIdentity

2015-10-30 17:36 GMT+01:00 Jonathan S. Fisher <jonat...@springventuregroup.com>:

> Hey guys,
>
> I've been poring through examples and source code, and I cannot figure out
> how to do this. I have a pair of Strings that is the contents of a user's
> id_ecdsa and id_ecdsa.pub. The private key is encrypted.
>
> Is there not a conversion utility class to go from OpenSSH to a KeyPair
> anywhere? If not, what would be the shortest steps to write one? I noticed
> the Buffer class and the SecurityUtils, but they don't seem to handle
> encryption.
>
> Thanks,
> -Jonathan
Re: Extending SFTP Subsystem to push to HDFS
SSHD 1.0 uses the standard NIO2 FileSystem api. For hadoop, see
https://issues.apache.org/jira/browse/HADOOP-3518
and there's a link to an implementation at
https://github.com/damiencarol/jsr203-hadoop
So simply registering the provider should work with SFTP.

2015-09-17 10:29 GMT+02:00 Olivier Girardot:

> Hi everyone,
> we're currently trying to extend the SftpSubsystem class of the
> sshd-core project to use an underlying remote Hadoop filesystem
> (HDFS).
> I wondered if you had any input on this, considering we based our
> initial draft on the 0.14 and 1.0.0 seems to be changing a lot of the
> API.
>
> Would you have any insights into whether it would be possible to
> replace the default "Filesystem" used to another "abstraction" in
> order to achieve a push into HDFS ?
>
> Regards,
>
> Olivier.
Re: [sshd][client]How to detect command completion?
If you're using an exec channel, the channel should close when the command is finished and all the output has been sent.
If you're using a shell channel, there's no notion of command from the client point of view, it's just a bidirectional stream of characters, so I don't think there's an easy way to do so.

Guillaume Nodet

2015-06-12 8:36 GMT+02:00 Satya Deep Maheshwari connus...@gmail.com:

Hi

I am using ClientChannel to invoke commands on a remote machine via ssh. I am sending remote commands by writing on the NoCloseInputStream associated with this channel and the output of the command is getting written on the associated NoCloseOutputStream. Is there some way I can determine that the command that I invoked has completed and its output is available on the associated output stream?

Thanks
Re: sshd-sftp hasn't been released since version 0.11
The problem is that this module has never been fully completed and given the lack of work on it and duplication with the embedded version of sftp support, it has not been released for some time. It has even been deleted from the master branch for 1.x.
If anyone is willing to support it, this decision could be revisited though ...

2015-05-08 1:14 GMT+02:00 Stephen Judkins stephen.judk...@gmail.com:

There have been some bug fixes since then, but I can't find a release for sshd-sftp anywhere on Maven since version 0.11. Everything else seems to be up to date. Is this a known issue?
Re: Idle SSHD sessions still managed
This should work. The idle timeout will close the ssh session which should in turn close the ioSession, and that session should be removed from the list of managed sessions.
However, this happens slightly asynchronously, as the idle timeout will trigger the write of the disconnect message and the session will only be closed after the message has been written.

2015-05-07 17:40 GMT+02:00 Pellerin, Clement clement_pelle...@ibi.com:

I am implementing an SshServer with SSHD 0.14.0

When a connection becomes idle, the client gets disconnected, but the connection remains managed. It still appears in
session.getIoSession().getService().getManagedSessions()

What am I doing wrong?
Re: Equivalent of BlacklistFilter for SSHD
You could try to implement your own derived class of org.apache.sshd.server.session.SessionFactory and throw an exception if the connection is to be blacklisted.
However, looking at the code, I think you're right, as any exception will not result in the session to be unmanaged, at least in the Nio2Acceptor service.
That's a bug, could you please raise a JIRA issue for that ?

2015-05-07 17:36 GMT+02:00 Pellerin, Clement clement_pelle...@ibi.com:

I need to accept SSHD connections only from a predetermined list of IP addresses. I am trying to find the equivalent of the Mina BlacklistFilter for SSHD.

SSHD can run with NIO2 or Mina underneath so this should probably be done in a higher layer. I tried implementing the peer address check in MySessionListener.sessionCreated() but that confuses SSHD when running with NIO2. If I throw, SSHD stops listening on the server socket. If I simply close the session, the closed session is added permanently to the managed sessions.

Is there a way to do this in SSHD without hardcoding to the Mina IO service?
I am using SSHD 0.14.0
Re: [ANN] SSHD 0.14.0 released
Thx, it should be fixed now.

2015-03-16 10:18 GMT+01:00 Stefan Mueller stefan.muel...@menten.com:

1) Link to binary file is wrong on all servers:

Example link from website:
http://mirror.synyx.de/apache/mina/sshd/0.14.0/dist/apache-sshd-0.14.0.zip

Path on server:
http://mirror.synyx.de/apache/mina/sshd/0.14.0/apache-sshd-0.14.0.zip

The link contains the directory dist which does not exist on server.

--
View this message in context: http://apache-mina.10907.n7.nabble.com/ANN-SSHD-0-14-0-released-tp46393p46487.html
Sent from the Apache MINA User Forum mailing list archive at Nabble.com.
[ANN] SSHD 0.14.0 released
Apache Mina SSHD 0.14.0 has been released.

The release is available from the web site:
http://mina.apache.org/sshd-project/download_0.14.0.html

Release Notes - MINA SSHD - Version 0.14.0

** Bug
    * [SSHD-348] - Some SSH threads get blocked in Object.wait() method forever
    * [SSHD-374] - Nio2Acceptor never unbinding
    * [SSHD-375] - Buffer.MAX_LEN and DefaultSftpClient#write() don't play well together
    * [SSHD-384] - Fix broken client demo when executing a command
    * [SSHD-388] - SSH server fails during bundle update
    * [SSHD-391] - Incorrect defaulting to DHG1 in 'No suitable primes found' scenario
    * [SSHD-393] - Ssh server freezing when under heavy load
    * [SSHD-402] - Strange behaviour when overwriting files using SCP (ScpCommandFactory)
    * [SSHD-412] - Avoid SCP problems for zero-length files
    * [SSHD-422] - Take into account local file separator when converting to/from SFTP paths

** Improvement
    * [SSHD-366] - Need to cross reference provided host keys with configured signature factories
    * [SSHD-368] - Add a timeout on the client to better handle the ssh server being slow to respond or some packets being lost
    * [SSHD-372] - Server doesn't reject connections that don't send client identification, has to time out
    * [SSHD-385] - Fix log statement when a window is unblocked
    * [SSHD-386] - Allow controlling socket options
    * [SSHD-387] - When using inverted streams on the client, the window should only be decreased when reading, not when writing to the pipe
    * [SSHD-389] - Implement a disconnect timeout
    * [SSHD-394] - Use an ExecutorService to spawn SftpSubsystem command
    * [SSHD-395] - Use an ExecutorService to run ScpCommand(s)
    * [SSHD-397] - Added more detailed log messages about the KEX negotiation process
    * [SSHD-398] - Provide read-only access to the session KEX negotiation result parameters
    * [SSHD-399] - Add KexCompleted session event
    * [SSHD-400] - Ignore SFTP extension data in SSH_FXP_INIT message
    * [SSHD-401] - Allow user control over ScpCommand send/receive buffer size
    * [SSHD-403] - Lay down the groundwork for more event listeners
    * [SSHD-406] - Stop parsing pty-req modes for undefined opcodes
    * [SSHD-410] - Do not seek SshFile(s) input/output streams if requested offset is zero
    * [SSHD-411] - SSH_FX_OP_UNSUPPORTED should not be logged as error
    * [SSHD-414] - Make the source code (including tests) truly 1.5 compatible

** New Feature
    * [SSHD-371] - Support Socks proxy with ssh tunnelling on the client side
    * [SSHD-382] - Add support for custom properties on the command line for client and server
    * [SSHD-383] - Support for loading ecdsa keys in the client demo
    * [SSHD-390] - Support switching to a none cipher on the client side for performances

** Task
    * [SSHD-380] - Refactor tests to let the system choose the port instead of using getFreePort() which can lead to problems
    * [SSHD-381] - Wrong values used for SSH_FXP_OPEN flags

** Test
    * [SSHD-396] - Fixed SftpTest#testOpen to work correctly on Windows

** Wish
    * [SSHD-405] - Please review AbstractClientChannel @deprecated getter methods

Guillaume Nodet
Re: SSHD Server subsystem supporting parameters?
No that's not supported.
I think the correct way would be for the client to send arguments through the streams that are used to communicate with the subsystem.

2015-02-10 22:50 GMT+01:00 Wen, Bo b...@ciena.com:

Hi,

Is there a way for SSHD server subsystem to support extra parameters?

For example, from SSH client:

% ssh user@localhost -s netconf 10.1.1.1

Expecting: netconf is a subsystem name and 10.1.1.1 is a parameter.

So, is there a way to pass in extra parameters to the subsystem?

Currently it seems the whole string netconf 10.1.1.1 is treated as a subsystem name, and the match is via equal()

ChannelSession.handleSubSystem()
NamedFactory.Utils.create()
If (f.getName().equals(name))

Anyway I can override this equals() matching to have my own matching? Or any other way?

Thanks in advance!

Bo
Re: SSHd restrict failed login attempts
Unfortunately, this counter is not publicly available.

2015-01-13 13:42 GMT+01:00 Simon Temple simon.tem...@amalto.com:

Thank you Guillaume.

Ideally I’d like to log an ERROR when a user reaches the MAX_AUTH_REQUESTS attempts. Any other time I’ll simply log a warning.

Is there any way I can ask the session if the current authentication attempt is the last allowed request? … just trying to avoid having to track this in my code.

Simon

On 13 Jan 2015, at 11:52, Guillaume Nodet gno...@apache.org wrote:

2015-01-13 12:00 GMT+01:00 Simon Temple simon.tem...@amalto.com:

I see that the MINA FtpServer can be configured with max-login-failures

I’d like to configure our MINA SSHd server to behave a little more like the Linux sshd when hit with multiple failed login attempts. How could I do that?

You can configure the ssh server with the ServerFactoryManager.MAX_AUTH_REQUESTS property.

I’d also like to log information about the source of the failed attempts so a tool like fail2ban can take some action. However I can’t see how I can extract source IP details from the ServerSession presented to the Authenticator interface.

session.getIoSession().getRemoteAddress()

TIA

Simon Temple

Guillaume Nodet
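
The logging asked about in this thread, as an added example that is not part of the original messages or of the SSHD code base: a PasswordAuthenticator wrapper that records each failed attempt with the peer address from session.getIoSession().getRemoteAddress() and keeps its own per-session count, since the server's counter is not exposed. The class name, logger name, message format and the 0.x package names are assumptions, and the count covers only password attempts that reach this authenticator, so it can differ from the server's internal counter.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.Map;
import java.util.WeakHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;

// Package names assumed for the 0.x line discussed in this thread.
import org.apache.sshd.server.PasswordAuthenticator;
import org.apache.sshd.server.session.ServerSession;

/**
 * Wraps the real authenticator and writes one line per failed attempt,
 * including the peer address, so a log watcher such as fail2ban can match it.
 */
public class AuditingPasswordAuthenticator implements PasswordAuthenticator {

    private static final Logger LOG = Logger.getLogger("sshd.auth"); // hypothetical logger name

    private final PasswordAuthenticator delegate;
    private final int maxAuthRequests; // pass the value configured for MAX_AUTH_REQUESTS

    // Failures seen per session; weak keys let closed sessions be collected.
    private final Map<ServerSession, AtomicInteger> failures =
            Collections.synchronizedMap(new WeakHashMap<ServerSession, AtomicInteger>());

    public AuditingPasswordAuthenticator(PasswordAuthenticator delegate, int maxAuthRequests) {
        this.delegate = delegate;
        this.maxAuthRequests = maxAuthRequests;
    }

    @Override
    public boolean authenticate(String username, String password, ServerSession session) {
        if (delegate.authenticate(username, password, session)) {
            failures.remove(session);
            return true;
        }
        int count = failureCount(session).incrementAndGet();
        // Never log the password; the user name is peer-controlled, so sanitize it.
        String line = String.format("Failed password for %s from %s (attempt %d of %d)",
                sanitize(username), peerAddress(session), count, maxAuthRequests);
        if (count >= maxAuthRequests) {
            LOG.severe(line);   // limit reached for this session
        } else {
            LOG.warning(line);
        }
        return false;
    }

    private AtomicInteger failureCount(ServerSession session) {
        synchronized (failures) {
            AtomicInteger counter = failures.get(session);
            if (counter == null) {
                counter = new AtomicInteger();
                failures.put(session, counter);
            }
            return counter;
        }
    }

    /** Numeric peer address, without a reverse DNS lookup. */
    static String peerAddress(ServerSession session) {
        SocketAddress remote = session.getIoSession().getRemoteAddress();
        if (remote instanceof InetSocketAddress) {
            InetAddress address = ((InetSocketAddress) remote).getAddress();
            if (address != null) {
                return address.getHostAddress();
            }
        }
        return String.valueOf(remote);
    }

    /** Keeps printable ASCII only, so a crafted user name cannot forge or split a log line. */
    static String sanitize(String value) {
        if (value == null) {
            return "?";
        }
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < value.length() && i < 64; i++) {
            char c = value.charAt(i);
            out.append(c > 0x20 && c < 0x7f ? c : '?');
        }
        return out.toString();
    }
}
```

Register it in place of the existing authenticator, for example sshd.setPasswordAuthenticator(new AuditingPasswordAuthenticator(realAuthenticator, limit)), with limit set to the same number as the MAX_AUTH_REQUESTS property.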
Re: [Apache SSHD] list command problem for directories containing broken filelinks
Here's a fix for this problem:
https://github.com/gnodet/mina-sshd/commit/36b224f58192b3cfc2cc112f473661f660931a6b
I haven't pushed it to the official repo yet, but will do that tomorrow.

2014-11-19 22:11 GMT+01:00 Kowalski, Thomas thomas.kowal...@solers.com:

Aaron,

I tried what you described in your post with the latest version (0.13.0) and I also noticed this problem. If anyone on the development staff can provide any insight on this issue I would greatly appreciate it (i.e. Is this a known issue or are there plans to fix this).

After installing the binary I downloaded from this site, I created a filelink that I could list when connect to the SFTP server. Then I broke the link and tried to list the same directory and received Couldn't read directory: Failure error message.

Maybe there is a configuration value I have not stumbled upon that will address this issue?

Tom

--
---
Guillaume Nodet
Red Hat, Open Source Integration
Email: gno...@redhat.com
Web: http://fusesource.com
Blog: http://gnodet.blogspot.com/
Re: [mina-sshd] How to do `ssh -D` port forwarding with the SshClient
I've tried your setup using mina sshd, a native ssh client (ssh -Nn -D 1080 -p 8000 admin@localhost) and firefox with socks5 and it seems to work well, all http requests being routed through the ssh server.
However, the socks protocol is not supported using mina sshd as a client (hence the use of the native ssh executable above).

2014-11-17 7:35 GMT+01:00 Jianbao (Jim) Tao jianbao@gmail.com:

Hi,

Does mina-sshd support `ssh -D` kind of port forwarding, as in

```
ssh -N -p 22 remote.server.host.name -D 1080
```

If so, can someone kindly share some sample code, please? I really appreciate it.

Best,
Jim
Re: [mina-sshd] How to do `ssh -D` port forwarding with the SshClient
I played with socks a bit today and came up with this initial implementation:
https://github.com/gnodet/mina-sshd/commit/3807bcf07655e7759ba08b42896f62708a4970c5

2014-11-17 11:30 GMT+01:00 Guillaume Nodet gno...@apache.org:

I've tried your setup using mina sshd, a native ssh client (ssh -Nn -D 1080 -p 8000 admin@localhost) and firefox with socks5 and it seems to work well, all http requests being routed through the ssh server.
However, the socks protocol is not supported using mina sshd as a client (hence the use of the native ssh executable above).

2014-11-17 7:35 GMT+01:00 Jianbao (Jim) Tao jianbao@gmail.com:

Hi,

Does mina-sshd support `ssh -D` kind of port forwarding, as in

```
ssh -N -p 22 remote.server.host.name -D 1080
```

If so, can someone kindly share some sample code, please? I really appreciate it.

Best,
Jim
Re: How to set max count connections in sshd service.
Currently, we only have a max concurrent session per user, not a global one. It can be configured using:

server.setProperty(ServerFactoryManager.MAX_CONCURRENT_SESSIONS, 1)

to only accept a single session for each user.
Unfortunately, there's no way to configure a global maximum number of sessions.
If it's not sufficient for you, feel free to raise a JIRA issue to improve that.

2014-11-09 13:30 GMT+01:00 范华忠 fhzdzq1...@163.com:

Dear my Friends:

Now, I am using Apache SSHD of the version is 0.11.0. I would like restraint client connections count in the service. But I do not know whether to support Now.

Looking forward to your reply.
Thank you very much.
Re: OpenSSH integration
If you look at the main SshClient code, you'll see the main() method will do exactly that:
https://github.com/apache/mina-sshd/blob/master/sshd-core/src/main/java/org/apache/sshd/SshClient.java#L443

2014-10-30 22:04 GMT+01:00 Rob Vesse rve...@dotnetrdf.org:

Hey All

Is anyone integrating SSHD with OpenSSH, specifically I would like to do the following:

* Use the local ~/.ssh folder as a source of public keys for authenticating incoming connections
* Use the public key from the ~/.ssh folder as the host key

I found a gist (https://gist.github.com/jdennaho/5492130) which mostly solves the first one (though only copes with RSA keys) but I wondered if anyone else was doing anything else similar and had more robust solutions

Thanks,

Rob
Re: ClientSession.authPassword(user, pwd) documentation required
A plain IOException sent usually means an abnormal condition. A failed authentication should usually result in no exceptions, but an AuthFuture#isFailure() to return true or an SshException sent from AuthFuture#verify().

If the exception you see is an SshException, this means the server rejected the authentication for some reason. A simple reason is if password authentication has been disabled (this is very often the case, even if you log in with a password, it's usually the interactive authentication which is configured).

If you hit this problem, I'd suggest moving to the newer authentication mechanism using

client.addPasswordIdentity(xx);
client.auth().verify();

which will be easier from a user point of view, as you won't have to deal with password/interactive stuff.

Cheers,
Guillaume Nodet

2014-10-27 10:18 GMT+01:00 Sapna Bhargava sapnabhargava...@gmail.com:

Hi All,

org.apache.sshd.ClientSession.authPassword() throws an IOException. I need to know the cause/scenario of this exception. Could anyone point me to the relevant documentation.

reason : I want to put relevant error messages in my application, so that the user knows where the issue is.

Thanks,
Sapna
Re: SSHD Example
If you want more than simple unit tests, you can have a look at karaf for example:
https://github.com/apache/karaf/blob/master/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java#L127

2014-10-16 20:17 GMT+02:00 Robert Middleton osfan6...@gmail.com:

Does anybody have a working example of embedding SSHD into an application? The documentation from http://mina.apache.org/sshd-project/embedding_ssh.html is useless.

Also, it would appear as though most of the download links (= SSHD 0.10.0) from the download page(http://mina.apache.org/sshd-project/downloads.html)

-Robert Middleton
Re: SSHD Problems with SFTP
Ok, I understand now. Please raise a JIRA issue. I think there are a few things to review around that.

2014-09-26 15:56 GMT+02:00 Stefan Mueller stefan.muel...@menten.com:

It did work.
So the method isWritable() has to be called in truncate() as it is already done in other methods. And developers (me ;) ) have to make sure to call it in their implementation of SshFile.

--
View this message in context: http://apache-mina.10907.n7.nabble.com/SSHD-Problems-with-SFTP-tp42625p44101.html
Sent from the Apache MINA User Forum mailing list archive at Nabble.com.
Re: ChannelExec API Help required
You have 3 ways to use a client channel now:

* direct: using setIn(), setOut() and setErr() before opening the channel
  https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/ClientTest.java#L282
* inverted: using getInvertedIn(), getInvertedOut() and getInvertedErr() after the channel has been opened
  https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/PortForwardingTest.java#L273
  You can actually mix both direct and inverted, as it's a per stream case:
  https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/ClientTest.java#L321
* async: it's a bit more complicated, but gives you asynchronous streams
  https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/ClientTest.java#L172

2014-09-25 11:35 GMT+02:00 Sapna Bhargava sapnabhargava...@gmail.com:

Hi All,

I'm using the Apache sshd-core ChannelExec API to execute command on a SSHClient. I need some documentation on how to set /read the input, output and error streams.

Both the links below give me a 404 error :
http://mina.apache.org/sshd-project/apidocs/org/apache/sshd/client/channel/class-use/ChannelExec.html
http://mina.apache.org/sshd-project/apidocs/index.html?org/apache/sshd/client/channel/ChannelExec.html

Any help would be appreciated.

Thanks,
Sapna
Re: Problem Using SFTP Client
Would you mind raising a JIRA for that ?
This is a bug, as the Closeable interface specifies "If the stream is already closed then invoking this method has no effect."

Cheers,
Guillaume

2014-09-22 4:18 GMT+02:00 George Sexton geor...@mhsoftware.com:

On 9/20/2014 1:43 AM, Guillaume Nodet wrote:

Can you bypass the call to close() for now and see if the file has been read correctly ?

I have discovered the issue. StreamUtils.streamToString() instantiates an InputStreamReader(), and then closes it on completion. Evidently this is closing the underlying input stream. When I make a subsequent call to InputStream.close(), it throws error 2, no such file. That's kind of misleading.

Also, and just fwiw, the client api can be used this way:

session.addPasswordIdentity(m_password);
session.auth().verify();
authenticated = true;

2014-09-20 6:28 GMT+02:00 George Sexton geor...@mhsoftware.com:

On 9/19/2014 5:30 PM, George Sexton wrote:

I'm having a problem using SFTP Client. I'm getting no such file. I've tried the relative path, and the absolute path. Here's the code:

And just to add a little more info, I've looked at the SftpClient test code and I'm not seeing it. I started sshd in debug mode and here's what I'm seeing below. The part I don't understand is it doesn't look like the SFTP client is actually sending anything to the back end. It opens the SFTP subsystem, and then there's nothing more.

debug1: sshd version OpenSSH_6.1p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='1234'
Set /proc/self/oom_score_adj from -1000 to -1000
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
debug1: Bind to port 1234 on ::.
Server listening on :: port 1234.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from xx.xx.xx.xx port 60808
debug1: Client protocol version 2.0; client software version SSHD-CORE-0.12.1-SNAPSHOT
debug1: no match: SSHD-CORE-0.12.1-SNAPSHOT
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: permanently_set_uid: 71/65 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client-server aes128-ctr hmac-sha2-256 none [preauth]
debug1: kex: server-client aes128-ctr hmac-sha2-256 none [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user ft service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for ft
debug1: PAM: setting PAM_RHOST to c-67-166-23-167.hsd1.co.comcast.net
debug1: PAM: setting PAM_TTY to ssh
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=ft devs= [preauth]
debug1: kbdint_alloc: devices 'pam' [preauth]
debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Postponed keyboard-interactive for ft from xx.xx.xx.xx port 60808 ssh2 [preauth]
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for ft from xx.xx.xx.xx port 60808 ssh2 [preauth]
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for ft from xx.xx.xx.xx port 60808 ssh2
debug1: monitor_read_log: child log fd closed
debug1: monitor_child_preauth: ft has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 2673
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1002/65534
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request subsystem reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request
Re: SSHD SshClient - should I reuse the same instance for multiple independent sessions?
Would you mind creating a JIRA and attaching your patch to it ?
That's the usual way for patches and it's easier to keep track of those.

Guillaume

2014-08-25 14:29 GMT+02:00 matthew.w.pi...@wellsfargo.com:

Thank you for the input. I know what you mean about using addPasswordIdentity even for keyboard-interactive. But unfortunately, some of the devices we connect to do not use the standard 'password:' prompt. So the logic inside AuthUserKeyboardInteractive that just uses the available password identities doesn't pass the prompt check.

Maybe another avenue would be to provide an 'allowed password prompts' property/option that can somehow be passed into AuthUserKeyboardInteractive. Then I could customize the prompts that will pass the check.

If you get a chance, please check out my patch on the dev list that adds per-session UserInteractive support. I would greatly appreciate any feedback on it.

Regards,
-matt

-Original Message-
From: Guillaume Nodet [mailto:gno...@apache.org]
Sent: Sunday, August 24, 2014 8:11 AM
To: users@mina.apache.org
Subject: Re: SSHD SshClient - should I reuse the same instance for multiple independent sessions?

I think it would be better to use a single SshClient. All the threading / resource management has been designed with this use case, that's why you end up with lots of threads if you create a lot of those objects.

For the authentication, I suppose you're not really prompting the user for the password if you create 10 to 50 sessions per seconds. So fwiw, you can use the ssh keyboard interactive authentication and feed the password without using the UserInteraction object, simply by calling addPasswordIdentity on the ClientSession. Those password identities will actually be used by the UserAuthKeyboardInteractive object if the server asks for a password, and when known passwords have failed, it will actually use the UserInteraction to prompt for the password.

2014-08-22 4:52 GMT+02:00 matthew.w.pi...@wellsfargo.com:

Hey all, thanks for all the work that has gone into Mina/SSHD – great libraries!

I have a codebase that is currently running quite well with SSHD v0.8.0, but I am looking to upgrade to 0.12.0 for some of the fixes/improvements that have come out since 0.8.0.

For an overview of how I’m using SSHD - the system executes a 10-50 SSH commands – each in its own channel - to 2000 or so (and growing) devices every day. Some of the commands/channels will re-use an existing session by way of a keyed pooling system I have setup for the sessions. This all works quite well right now.

The current model uses a single SshClient instance and spawns ALL sessions to each respective host from that same instance. This is true regardless of the details of each session (username, destination host, port, authentication, etc). This obviously avoids the need to call SshClient.setupDefaultClient() for each and every SSH session. I’m not sure if this is the recommended way, but again, it is working now.

I am prototyping my code with 0.12.0 and refactoring some things to align with how I see the differences in the versions and I’ve run into a bit of conundrum. I want to take advantage of the keyboard-interactive support, which appears to be done by calling SshClient.setUserInteraction with an appropriate implementation. The problem is that with my shared-SshClient model it is not practical to give it a single UserInteraction implementation to support all subsequent sessions since the credentials aren’t known ‘ahead of time’ when the global SshClient is created.

So, as part of my prototyping I have refactored my model to use an SshClient instance per session, thereby allowing me to provide a UserInteraction impl that is appropriate for each particular session. In my testing this seems to be work, but again, I’m not sure if this is the recommended approach.

So my question is: when using SSHD for relatively short-lived sessions (a few minutes at a time) that are spawned in lots of different threads to different host+credential combinations (password, private key, etc.); is it appropriate for performance/scalability reasons to use a single SshClient instance to spawn each session? If this is true, then is there a suggested/recommended approach for dealing with keyboard-interactive using different credentials for each session from a single UserInteraction instance?

OR - Is the creation of SshClient instances pretty inexpensive so it would then be OK to create a new SshdClient instance for each session where one can then set the UserInteraction impl appropriately? If this is true, what would be a good setting for the number of NIO threads to use for each SshClient instance in a system like this? The default, which AFAIK is CPU cores + 1, is a bit excessive I think for a system like mine that could be creating a few thousand sessions at any given time
Re: Checking if ssh session is connected
2014-08-05 12:58 GMT+02:00 Jorge Jordão jrjor...@yahoo.com.invalid:

Hi,

I am upgrading some code from sshd-core version 0.9.0 to 0.12.0.

There's this method using clientSession.getState().equals(Session.State.Running) for determining whether the session is still active. I believe one of the purposes was to determine whether there had been a disconnection due to timeout or any server-side event.

My questions

1) In 0.12.0 the ClientSession no longer provides a getState. What new approach should I follow?

You need to register a SessionListener and react on sessionClosed() or use !session.isClosing()

2) Is this a proper way to check for timeout/server-side disconnection? Any preferable alternative?

If you look at AbstractSession#doHandleMessage(), when receiving SSH_MSG_DISCONNECT, the code and reason are printed to the debug log, but you currently have no way to intercept those calls (only by overriding the class). If you need those, please raise a JIRA.

Thanks
--
Jorge Jordão
Re: sshd client streams
If you want to read the output or error streams, you can use getInvertedOut() and getInvertedErr() instead of using setOut() and setErr(). This will give you a blocking InputStream on the command output.

2014-07-21 11:41 GMT+02:00 Davide Gesino davideges...@gmail.com:

I am developing a Command Line Interface simulator with sshd. I have some problems trying to understand how to use client side streams to interact with the server.

I would like to have a client that sends a command to the server, then, blocks waiting for the response from the server: I would like to have a client that reads from the communication channel and block until the channel is full with something (a blocking read from the input stream would be great). How can I obtain such behaviour?

I started modifying org.apache.sshd.ClientTest

SshClient client = SshClient.setUpDefaultClient();
client.start();
ClientSession session = client.connect("localhost", port).await().getSession();
session.authPassword("smx", "smx").await().isSuccess();
ClientChannel channel = session.createChannel(ClientChannel.CHANNEL_SHELL);
ByteArrayOutputStream sent = new ByteArrayOutputStream();
PipedOutputStream pipedIn = new PipedOutputStream();
channel.setIn(new PipedInputStream(pipedIn));
OutputStream teeOut = new TeeOutputStream(sent, pipedIn);
ByteArrayOutputStream out = new ByteArrayOutputStream();
ByteArrayOutputStream err = new ByteArrayOutputStream();
channel.setOut(out);
channel.setErr(err);
channel.open();
teeOut.write("this is my command\n".getBytes());
teeOut.flush();

but I was not able to obtain the desired effect.

thanks
Davide
Re: Security Question
It should be safe as all execution of code is forbidden for users.

2014-07-21 17:21 GMT+02:00 Haripada Bhowmick haripada.bhowm...@gmail.com:

Team,

I want to set up Apache SSHD Server on my Linux box. A few of my clients will be using an SSH tunnel using my Linux box. My aim is to ENABLE port forwarding ONLY for those users. At any cost I don't want them to execute any command to hack my server.

In order to do that I set

sshd.setShellFactory(null);
sshd.setCommandFactory(null);

Now using the following code I can do an SSH tunnel, but I cannot use PuTTY to execute any command, as expected. It looks good and foolproof to me.

Can you please tell: is there any security hole which is going unattended and a hacker can take control of my server? Because I will provide the Apache SSHD user id and password to various people.

Thank you
Harry

= CODE ==
public class sshServer {
    public static SshServer sshd = null;
    public static SessionFactory sessFactory = null;
    // public static ProcessShellFactory shell = null;

    public static void main(String[] args) throws InterruptedException, IOException {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(22);
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider("hostkey.ser"));
        /*
         * sshd.setShellFactory(new ProcessShellFactory(new String[] {
         * "/bin/sh", "-i", "-l" }));
         */
        /*
         * sshd.setShellFactory(new ProcessShellFactory( new String[] {
         * "cmd.exe" }, EnumSet.of( ProcessShellFactory.TtyOptions.Echo,
         * ProcessShellFactory.TtyOptions.ICrNl,
         * ProcessShellFactory.TtyOptions.ONlCr)));
         */
        // ## ### IMPORTANT: DISABLE IT -
        // ###
        sshd.setShellFactory(null);
        sshd.setCommandFactory(null);
        // ## DISABLE IT --
        sshd.setTcpipForwardingFilter(new ForwardingFilter() {
            public boolean canForwardAgent(Session session) {
                return false;
            }

            public boolean canForwardX11(Session session) {
                return false;
            }

            public boolean canListen(SshdSocketAddress address, Session session) {
                return false;
            }

            public boolean canConnect(SshdSocketAddress address, Session session) {
                return true;
            }
        });
        sshd.setPasswordAuthenticator(new PasswordAuthenticator() {
            @Override
            public boolean authenticate(String usr, String pss, ServerSession arg2) {
                if (usr.equals("specialuser") && pss.equals("specialpass"))
                    return true;
                return false;
            }
        });
        sshd.start();
    }
}
===
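The forwarding filter in the quoted code answers canConnect with true for every destination. As an added example (not from the thread and not MINA SSHD code), here is a per-user destination allowlist that such a callback could delegate to; the class ForwardAllowlist, its methods and the sample policy are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added example: per-user destination allowlist for port forwarding (hypothetical names). */
public class ForwardAllowlist {

    /** One rule: a destination network in CIDR form and the single port allowed on it. */
    static final class Rule {
        private final byte[] network;
        private final int prefixLen;
        private final int port;

        Rule(String cidr, int port) throws UnknownHostException {
            String[] parts = cidr.split("/");
            if (parts.length != 2) {
                throw new IllegalArgumentException("expected address/prefix: " + cidr);
            }
            // An IP literal is parsed locally; no DNS lookup happens here.
            this.network = InetAddress.getByName(parts[0]).getAddress();
            this.prefixLen = Integer.parseInt(parts[1]);
            if (prefixLen < 0 || prefixLen > network.length * 8) {
                throw new IllegalArgumentException("bad prefix length: " + cidr);
            }
            this.port = port;
        }

        boolean matches(InetAddress addr, int dstPort) {
            byte[] a = addr.getAddress();
            if (dstPort != port || a.length != network.length) {
                return false; // wrong port, or an IPv4 rule against an IPv6 address
            }
            int fullBytes = prefixLen / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (a[i] != network[i]) {
                    return false;
                }
            }
            int restBits = prefixLen % 8;
            if (restBits == 0) {
                return true;
            }
            int mask = (0xFF << (8 - restBits)) & 0xFF;
            return (a[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final Map<String, List<Rule>> rulesByUser = new HashMap<>();

    public void allow(String user, Rule... rules) {
        rulesByUser.put(user, Arrays.asList(rules));
    }

    /** Deny by default: true only if one of this user's rules covers host:port. */
    public boolean permits(String user, String host, int port) {
        List<Rule> rules = rulesByUser.get(user);
        if (rules == null) {
            return false;
        }
        InetAddress addr;
        try {
            // A server should connect to this same resolved address, not resolve the name again.
            addr = InetAddress.getByName(host);
        } catch (UnknownHostException e) {
            return false;
        }
        for (Rule rule : rules) {
            if (rule.matches(addr, port)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws UnknownHostException {
        ForwardAllowlist policy = new ForwardAllowlist();
        // Constructed sample policy: one user, one database subnet, one port.
        policy.allow("specialuser", new Rule("10.20.0.0/24", 5432));

        // Constructed sample requests, as a canConnect callback would see them.
        String[][] requests = {
            {"specialuser", "10.20.0.15", "5432"},
            {"specialuser", "10.20.1.15", "5432"},
            {"specialuser", "127.0.0.1", "22"},
            {"otheruser", "10.20.0.15", "5432"},
        };
        for (String[] r : requests) {
            boolean ok = policy.permits(r[0], r[1], Integer.parseInt(r[2]));
            System.out.println(r[0] + " -> " + r[1] + ":" + r[2] + " : " + (ok ? "allow" : "deny"));
        }
    }
}
```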
Re: SSHD Problems with SFTP
The empty file must be caused by the truncate flag on the SSH_FXP_OPEN command. It looks like the flags passed are SSH_FXF_CREAT | SSH_FXF_TRUNC. I think you're right that if the user does not have write permission on the file, the truncate will still be done, so that's definitely a bug. If you could raise a JIRA, I'll try to fix that.

For the exception, it may be that the client abruptly closes the connection, because I don't see the channel close related messages being exchanged. But the only effect is that it will force closing the connection on the server side, so that should not be an issue.

Guillaume Nodet

2014-07-07 12:33 GMT+02:00 Stefan Mueller stefan.muel...@menten.com:

I have two problems with SFTP that I can not chase down. I hope you can help me by looking at the server log, because I could not get a simple working example yet.

The first problem is a big one. The content of a file gets deleted if the user has no write permission and he tries to write. I used break points to find where the content gets deleted, but could not find it.

Step 1) FileZilla: Open/Edit file

Step 2) Edit the file. Save the file. Upload the file.

Step 3) Server LOG:

[pool-2-thread-3] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Read 80 bytes
[pool-2-thread-3] DEBUG org.apache.sshd.server.channel.ChannelSession - Received SSH_MSG_CHANNEL_DATA on channel ChannelSession[id=0, recipient=256]
[Thread-3] DEBUG org.apache.sshd.server.sftp.SftpSubsystem - Received SSH_FXP_REALPATH (path=/test/test.txt)
[Thread-3] DEBUG org.apache.sshd.server.channel.ChannelSession - Send SSH_MSG_CHANNEL_DATA on channel 0
[Thread-3] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Writing 176 bytes
[pool-2-thread-4] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Read 96 bytes
[pool-2-thread-4] DEBUG org.apache.sshd.server.channel.ChannelSession - Received SSH_MSG_CHANNEL_DATA on channel ChannelSession[id=0, recipient=256]
[pool-2-thread-5] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Finished writing
[Thread-3] DEBUG org.apache.sshd.server.sftp.SftpSubsystem - Received SSH_FXP_OPEN (path=/test/test.txt, pflags=26, attrs={})
[Thread-3] DEBUG org.apache.sshd.server.channel.ChannelSession - Send SSH_MSG_CHANNEL_DATA on channel 0
[Thread-3] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Writing 112 bytes
[pool-2-thread-1] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Finished writing
[pool-2-thread-2] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Read 128 bytes
[pool-2-thread-2] DEBUG org.apache.sshd.server.channel.ChannelSession - Received SSH_MSG_CHANNEL_DATA on channel ChannelSession[id=0, recipient=256]
[Thread-3] DEBUG org.apache.sshd.server.sftp.SftpSubsystem - Received SSH_FXP_WRITE (handle=cc0e88bc-c028-45b1-aa55-f01787135b61, offset=0, data=byte[8])
[Thread-3] INFO sftp.filesystem.SshFtpFile - Checking authorization for /test/test.txt
[Thread-3] INFO sftp.filesystem.SshFtpFile - Not authorized
[Thread-3] DEBUG org.apache.sshd.server.sftp.SftpSubsystem - Send SSH_FXP_STATUS (substatus=4, msg=No write permission : test.txt)
[Thread-3] DEBUG org.apache.sshd.server.channel.ChannelSession - Send SSH_MSG_CHANNEL_DATA on channel 0
[Thread-3] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Writing 128 bytes

Step 4) Break point at following method:

SshFtpFile.createOutputStream(...) {
    // File is already empty!
    // Then it checks write permission
    if( isWritable() ) {...}
}

The second problem is an IOException thrown when the connection is closed normally. No further problems occur. Only this message in the logs. What is the issue?

Step 1) Normal disconnect from FileZilla or closing the server.

Step 2) Server LOG:

[pool-2-thread-3] DEBUG org.apache.sshd.server.channel.ChannelSession - Received SSH_MSG_CHANNEL_DATA on channel ChannelSession[id=0, recipient=256]
[Thread-2] DEBUG org.apache.sshd.server.sftp.SftpSubsystem - Received SSH_FXP_READDIR (handle=cc0370bd-5173-40ce-b1a9-6c5d68bc05dd)
[Thread-2] DEBUG org.apache.sshd.server.sftp.SftpSubsystem - Send SSH_FXP_STATUS (substatus=1, msg=)
[Thread-2] DEBUG org.apache.sshd.server.channel.ChannelSession - Send SSH_MSG_CHANNEL_DATA on channel 0
[Thread-2] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Writing 96 bytes
[pool-2-thread-4] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Read 112 bytes
[pool-2-thread-1] DEBUG org.apache.sshd.common.io.nio2.Nio2Session - Finished writing
[pool-2-thread-4] DEBUG org.apache.sshd.server.channel.ChannelSession - Received SSH_MSG_CHANNEL_DATA on channel ChannelSession[id=0, recipient=256]
[Thread-2] DEBUG org.apache.sshd.server.sftp.SftpSubsystem - Received SSH_FXP_CLOSE (handle=cc0370bd-5173-40ce-b1a9-6c5d68bc05dd)
[Thread-2] DEBUG org.apache.sshd.server.sftp.SftpSubsystem - Send SSH_FXP_STATUS (substatus=0, msg=)
[Thread-2] DEBUG
Re: SSHD Server Settings
There's no integration between FtpServer and Sshd, so you can't reuse the user manager in SSHD. SSHD supports max-concurrent-sessions (max number of sshd connections per username) and idle-timeout settings though. IP filtering may be implemented using a SessionListener. The other ones would have to be implemented somehow... However, those are global settings and not available per user at the moment.

2014-06-26 11:27 GMT+02:00 Stefan Mueller stefan.muel...@menten.com:

I want to set up a server for SFTP with code. I found some examples and code snippets to start but I still have some problems. The user manager from FtpServer is reused in my project.

How can I use the Maximum Connection, Maximum Connection Per IP, Maximum Idle Time, Speed Limit (Up and Down) and an IP Filter? I want to do this for each user and on the server.

Or as a general question: What settings are possible to use and how do I use them in the code? I am only looking for SFTP. Everything else (like shell) is not needed.
Re: sshd - async interface
For my curiosity, what kind of interface are you using for async ?

2014-06-29 11:02 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com:

Hi, Thank you for adding this, I can understand how it works, and it will provide a service for async that is written from scratch. I tried to evaluate the amount of changes that required in my simple case to use this interface and currently it is much too large, so I will not be able to actually use it in the near future. Thanks! Alon

On Fri, Jun 6, 2014 at 9:48 AM, Guillaume Nodet gno...@apache.org wrote:

I've enhanced SSHD to be able to provide fully non-blocking io on both client channels and server commands.

A client side example is shown at https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/ClientTest.java#L171

A server side example: https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/util/AsyncEchoShellFactory.java

I would appreciate any input ...

2014-04-20 0:33 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com: On Sun, Apr 20, 2014 at 1:19 AM, Guillaume Nodet gno...@apache.org wrote: 2014-04-19 20:43 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com: On Sat, Apr 19, 2014 at 9:15 PM, Guillaume Nodet gno...@apache.org wrote:

Sshd internally uses nio2 by default, which is not based on selectors, but non blocking operations. On the client part of SSHD, things are mostly asynchronous already:
#1 SshClient#connect returns a future on which you can set a callback and that you can use to retrieve the ClientSession asynchronously
#2 You need to use ClientSession#addXxxIdentity and then ClientSession#auth which is also asynchronous
#3 You then create a channel, and actually opening the channel is also asynchronous
#4 Closing channels is also asynchronous
I think the only missing part is really the streams on the ClientChannel which are using InputStream and OutputStream. If we replace them with an AsynchronousByteChannel, I think we would be fully async.
Thank you for your response, Our definition of async is very different... :) I do not think this module is sufficient to what I target. I see the number of threads created within the library core and the logic that is out of reach. This ssh library is great, splitting it into two logic only and communication layers will enable to go fully async. The logic layer should not have any thread. A default implementation of communication layer can be provided, but is optional. The difference from the world I coming for is that Future handling is much more complex than having control queue. Not sure exactly what you're talking about here. Afaik, the only place where the ssh layer actually create a thread in when creating a client ChannelSession giving an InputStream which has to be read. This thread creation can be easily avoided by using ClientChannel#getInvertedIn() and writing to it. All other threads are communication threads only and are fully controlled by the IoService layer which is pluggable. Both mina and nio2 implementations use a fixed number of threads. But you can rewrite it if you need. I'm all for improving sshd, but I fear i'm not really seeing your points clearly. Thank you for the discussion, I truly appreciate that. Having a method for async input/output of data stream will be a good start within current implementation. Other than that it is a programming pattern discussion. I got the information I needed, thank you! Was just an idea, thank you for addressing. 2014-04-19 15:57 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com: On Sat, Apr 19, 2014 at 3:52 PM, Jon V. sybersn...@gmail.com wrote: NIO controls and deals with the selectors. Async IO is a part of that but is not the same thing. Async io means that if a write cannot be fully flushed. It will not block until it can be. NIO provides us the events to tell us that data is available in the socket. Async IO is the ability for a single thread to perform (multiplex) IO (connect, read, write, close etc..) 
for multiple file descriptors. As far as I know, without NIO you cannot achieve that in Java. There is no sense in read or write without blocking if you cannot wait (vs actively poll) for an event. On Apr 19, 2014 4:56 AM, Alon Bar-Lev alon.bar...@gmail.com wrote: On Sat, Apr 19, 2014 at 10:58 AM, Emmanuel Lécharny elecha...@gmail.com wrote: Le 4/19/14 9:45 AM, Alon Bar-Lev a écrit : On Sat, Apr 19, 2014 at 10:38 AM, Emmanuel Lécharny elecha...@gmail.com wrote: Le 4/19/14 9:13 AM, Alon Bar-Lev a écrit : Hi, The mission of async is to avoid having threads
Re: Trouble with SFTP resume upload
Good catch ! Could you please raise a JIRA for this issue ? I think your proposal is correct.

2014-06-14 2:49 GMT+02:00 Michael Benovich m...@hostedftp.com:

Hi,

I very recently began using SSHD to run my own SFTP server. I am running version 0.11.0 and I am having trouble resuming uploads with FileZilla as my client. The problem I am having is with the write method inside org.apache.sshd.server.sftp.SftpSubsystem (code shown below).

When the resume upload begins, offset is some value greater than zero and output is null, so we call file.createOutputStream(offset) and append 16K bytes of data to the end of the file. The issue is that because outputPos = 0 on the first call, the condition offset != outputPos is true and causes the output stream to be closed and then re-created every time this method is called. In my testing, this method is called repeatedly with 16K bytes of data until the file upload has completed.

My implementation of file.createOutputStream(offset) is such that I only want to call it once when the resume upload begins. I cannot have this method called repeatedly. I propose that if I were to insert one line between 268 and 269 this would be resolved:

268.5 -- outputPos = offset;

So after the output stream is created on line 268, initialize outputPos to be equal to offset. Then, the condition on line 263 will be false on the second call to write (and all subsequent calls) and the data can be uploaded 16K bytes at a time without needing to re-create the output stream.

Does this seem valid? Would it be applicable to everyone or only to me due to my implementation of createOutputStream(offset) ?

Thanks, Mike

262 public void write(byte[] data, long offset) throws IOException {
263     if (output != null && offset != outputPos) {
264         IoUtils.closeQuietly(output);
265         output = null;
266     }
267     if (output == null) {
268         output = file.createOutputStream(offset);
269     }
270     output.write(data);
271     outputPos += data.length;
272 }

-- Mike Hosted~FTP~ FTP in the Cloud www.hostedftp.com 1-855-888-4FTP (4387)
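The effect described in this message can be reproduced without an SSH server. The following added example (not the project's code and not from the thread) replays a resumed upload against a stand-in for the write method, once as posted and once with the proposed outputPos = offset line, and counts how often createOutputStream is called; CountingFile, Handle and the 64K resume offset are constructed for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;

public class ResumeWriteDemo {

    /** Stand-in for the SFTP file object; counts how often a stream is opened. */
    static final class CountingFile {
        int opens;
        private final ByteArrayOutputStream sink = new ByteArrayOutputStream();

        OutputStream createOutputStream(long offset) {
            opens++;
            // The demo only counts opens, so the offset is not applied to the sink.
            return sink;
        }
    }

    /** Mirrors the write method from the message; the fix is switchable. */
    static final class Handle {
        private final CountingFile file;
        private final boolean syncPosOnOpen;
        private OutputStream output;
        private long outputPos;

        Handle(CountingFile file, boolean syncPosOnOpen) {
            this.file = file;
            this.syncPosOnOpen = syncPosOnOpen;
        }

        void write(byte[] data, long offset) throws IOException {
            if (output != null && offset != outputPos) {
                output.close(); // the original uses IoUtils.closeQuietly(output)
                output = null;
            }
            if (output == null) {
                output = file.createOutputStream(offset);
                if (syncPosOnOpen) {
                    outputPos = offset; // the proposed line "268.5"
                }
            }
            output.write(data);
            outputPos += data.length;
        }
    }

    /** Replays a resumed upload and returns the number of createOutputStream calls. */
    static int opensForResume(boolean fixed, long resumeAt, int chunks, int chunkSize)
            throws IOException {
        CountingFile file = new CountingFile();
        Handle handle = new Handle(file, fixed);
        byte[] chunk = new byte[chunkSize];
        long offset = resumeAt;
        for (int i = 0; i < chunks; i++) {
            handle.write(chunk, offset); // the client sends consecutive offsets
            offset += chunkSize;
        }
        return file.opens;
    }

    public static void main(String[] args) throws IOException {
        // Constructed scenario: resume at 64K, then eight 16K chunks.
        long resumeAt = 64 * 1024;
        int chunks = 8;
        int chunkSize = 16 * 1024;
        System.out.println("as posted:     " + opensForResume(false, resumeAt, chunks, chunkSize)
                + " createOutputStream calls");
        System.out.println("with the line: " + opensForResume(true, resumeAt, chunks, chunkSize)
                + " createOutputStream calls");
    }
}
```

As posted, outputPos trails the client's offset by the resume position on every call, so the stream is reopened once per chunk; with the extra line it is opened once.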
Re: sshd - async interface
I've enhanced SSHD to be able to provide fully non-blocking io on both client channels and server commands.

A client side example is shown at https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/ClientTest.java#L171

A server side example: https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/util/AsyncEchoShellFactory.java

I would appreciate any input ...

2014-04-20 0:33 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com: On Sun, Apr 20, 2014 at 1:19 AM, Guillaume Nodet gno...@apache.org wrote: 2014-04-19 20:43 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com: On Sat, Apr 19, 2014 at 9:15 PM, Guillaume Nodet gno...@apache.org wrote:

Sshd internally uses nio2 by default, which is not based on selectors, but non blocking operations. On the client part of SSHD, things are mostly asynchronous already:
#1 SshClient#connect returns a future on which you can set a callback and that you can use to retrieve the ClientSession asynchronously
#2 You need to use ClientSession#addXxxIdentity and then ClientSession#auth which is also asynchronous
#3 You then create a channel, and actually opening the channel is also asynchronous
#4 Closing channels is also asynchronous
I think the only missing part is really the streams on the ClientChannel which are using InputStream and OutputStream. If we replace them with an AsynchronousByteChannel, I think we would be fully async.

Thank you for your response, Our definition of async is very different... :) I do not think this module is sufficient to what I target. I see the number of threads created within the library core and the logic that is out of reach. This ssh library is great, splitting it into two logic only and communication layers will enable to go fully async. The logic layer should not have any thread. A default implementation of communication layer can be provided, but is optional.
The difference from the world I coming for is that Future handling is much more complex than having control queue. Not sure exactly what you're talking about here. Afaik, the only place where the ssh layer actually create a thread in when creating a client ChannelSession giving an InputStream which has to be read. This thread creation can be easily avoided by using ClientChannel#getInvertedIn() and writing to it. All other threads are communication threads only and are fully controlled by the IoService layer which is pluggable. Both mina and nio2 implementations use a fixed number of threads. But you can rewrite it if you need. I'm all for improving sshd, but I fear i'm not really seeing your points clearly. Thank you for the discussion, I truly appreciate that. Having a method for async input/output of data stream will be a good start within current implementation. Other than that it is a programming pattern discussion. I got the information I needed, thank you! Was just an idea, thank you for addressing. 2014-04-19 15:57 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com: On Sat, Apr 19, 2014 at 3:52 PM, Jon V. sybersn...@gmail.com wrote: NIO controls and deals with the selectors. Async IO is a part of that but is not the same thing. Async io means that if a write cannot be fully flushed. It will not block until it can be. NIO provides us the events to tell us that data is available in the socket. Async IO is the ability for a single thread to perform (multiplex) IO (connect, read, write, close etc..) for multiple file descriptors. As far as I know, without NIO you cannot achieve that in Java. There is no sense in read or write without blocking if you cannot wait (vs actively poll) for an event. 
On Apr 19, 2014 4:56 AM, Alon Bar-Lev alon.bar...@gmail.com wrote: On Sat, Apr 19, 2014 at 10:58 AM, Emmanuel Lécharny elecha...@gmail.com wrote: Le 4/19/14 9:45 AM, Alon Bar-Lev a écrit : On Sat, Apr 19, 2014 at 10:38 AM, Emmanuel Lécharny elecha...@gmail.com wrote: Le 4/19/14 9:13 AM, Alon Bar-Lev a écrit : Hi, The mission of async is to avoid having threads at all, or at least O(1). As you have underline internal/private low level channels for socket processing, and public high level channels to communicate with application, there should be a mechanism for library to request wake up for these low level channels. Another option is to avoid using sockets at all within the implementation and require application to manage the sockets and pipe socket data into the library. I understand this is conceptional change than what we have now, but this what will enable scale without abusing system threads or have nondeterministic behaviour in high load
Re: Load issue in apache SSHD when using ChannelDirectTcpip
The second problem is entirely caused by the way you send and read the data (and consequently by the fact that the server echoes the incoming data). The SSH protocol uses windows for flow-control, so when the remote window is full, the client or server will stop sending more data. To work around the problem, you simply need to make sure the data is consumed. On the client side you simply need to start a thread to read the input stream and it should unblock the server and thus the client sending side.

2014-05-15 7:46 GMT+02:00 Maheedhar maheedha...@in.fiorano.com:

HI

Our requirement is that we send bytes of any size through a server and handling that will not serve the purpose

Like u said in the second problem that you pointed out, If u feel the problem is because , we are trying to echo the data from the server side. Is there any other way to do this by avoiding this echo overhead

If so, Please point me to the classes that will help me solve the issue.

Thanks in advance
Maheedhar
Re: Load issue in apache SSHD when using ChannelDirectTcpip
I think there are 2 problems here.

The first one seems to be a bug in TcpipServerChannel (the SSH protocol has a windowing mechanism to avoid flooding one side and this is not handled properly in that class). It's a one-line fix though, so if you want to test it, you simply need to add

localWindow.consumeAndCheck(len);

into TcpipServerChannel#doWriteData

I've raised SSHD-321 for the above issue.

However, I think there is a second problem in your code. Due to the above windowing mechanism, and given your server simply echoes back, the server itself may be stuck waiting for some space. That's because your client side does not consume the input stream until after having written all the data. So that needs to be changed in some way in your code.

Cheers, Guillaume Nodet

2014-05-12 8:25 GMT+02:00 Maheedhar maheedha...@in.fiorano.com:

server.java http://apache-mina.10907.n7.nabble.com/file/n42155/server.java
The above file is the server code

client.java http://apache-mina.10907.n7.nabble.com/file/n42155/client.java
This is the client code

I sent a large amount of bytes, by reading a jpeg image at the client side and I sent the bytes through to the server. At the server side, When I debugged, I could see that all the bytes are received in the messageReceived() method of the NioSocketAcceptor instance named acceptor in line 68 of the server code. But once the bytes are sent from there, I did not receive them again at the client side

Note that before sending such a large amount of bytes, I have sent small number of bytes in the line

channel.getOut().write("Hello".getBytes());

from the client, which is properly received at the server side and again forwarded to the client side

Only when I send such a huge load, I am not receiving any bytes back at the client side
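The second problem, described in this reply and in the follow-up above it, is a flow-control stall: an echoing peer cannot send once the receiver's window is full, so a client that writes everything before reading never finishes. As an added example (not from the thread and not MINA SSHD code), the model below replaces the SSH channel windows with two bounded queues, which is a simplifying assumption, and compares a write-then-read client with one that drains its input on a separate thread; all names are hypothetical.

```java
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;

public class WindowStallDemo {
    static final int CHUNK = 1024;

    /** A unit of work that may block on a full or empty queue. */
    interface Task {
        void run() throws InterruptedException;
    }

    static Thread start(Task task) {
        Thread t = new Thread(() -> {
            try {
                task.run();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt(); // stopped by the demo
            }
        });
        t.setDaemon(true);
        t.start();
        return t;
    }

    /**
     * Sends `chunks` chunks through an echoing peer. Each direction holds at most
     * `window` chunks in flight, standing in for the SSH channel window.
     * Returns true if the client finished within the timeout, false if it stalled.
     */
    static boolean roundTrip(boolean readWhileWriting, int chunks, int window, long timeoutMs)
            throws InterruptedException {
        BlockingQueue<byte[]> toServer = new ArrayBlockingQueue<>(window);
        BlockingQueue<byte[]> toClient = new ArrayBlockingQueue<>(window);

        // Echo server: forwards every chunk back; blocks while toClient is full.
        Thread server = start(() -> {
            for (int i = 0; i < chunks; i++) {
                toClient.put(toServer.take());
            }
        });

        // Consuming the echoed data is what frees window space for the server.
        Task drain = () -> {
            for (int i = 0; i < chunks; i++) {
                toClient.take();
            }
        };

        Thread reader = readWhileWriting ? start(drain) : null;
        Thread writer = start(() -> {
            for (int i = 0; i < chunks; i++) {
                toServer.put(new byte[CHUNK]); // blocks while toServer is full
            }
            if (!readWhileWriting) {
                drain.run(); // reading only starts after all data was written
            }
        });

        writer.join(timeoutMs);
        if (reader != null) {
            reader.join(timeoutMs);
        }
        boolean done = !writer.isAlive() && (reader == null || !reader.isAlive());

        // Release any thread that is still blocked so the demo can exit.
        for (Thread t : new Thread[] {server, reader, writer}) {
            if (t != null) {
                t.interrupt();
            }
        }
        return done;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sizes: 64 chunks of 1 KiB, 4 chunks of window per direction.
        System.out.println("write everything, then read: "
                + (roundTrip(false, 64, 4, 1000) ? "completed" : "stalled"));
        System.out.println("read on a separate thread:   "
                + (roundTrip(true, 64, 4, 1000) ? "completed" : "stalled"));
    }
}
```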
Re: apache-sshd-0.11.0
The vote has been closed and the release published. I've updated the website ( http://svn.apache.org/viewvc?view=revision&revision=r1589029), not sure why it does not show the latest content though.

2014-05-04 1:35 GMT+02:00 Emmanuel Lécharny elecha...@gmail.com:

Le 5/3/14 11:56 PM, Alon Bar-Lev a écrit :

Hi, Was this released? I see the tag, I see this in maven central[2]. I do not see this in downloads[3] I do see this on mirrors.

AFAICT, the vote has been started on april, 14, but was never closed. May be Guillaume forgot to close it ?

-- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: sshd - running interactive scripts
I just tried your script using the following command:

ssh localhost sh /Users/gnodet/work/tmp/myscript.sh

and I don't see the prompt either, so it may be the read command bypassing the prompt when the input stream is not the console. You could try the following:

#!/bin/sh
echo Welcome
echo -n "Please input your age: "
read age
echo "You are $age years old"

For the backspace, I think it's the same problem and read bypasses readline if the input stream is not the console.

One limitation of sshd is about pty allocation : we can't use things such as http://man7.org/linux/man-pages/man3/openpty.3.html so the only way to have real interactive sessions is to have the input stream handled in java using jline for example. Unless you find a command that can be interactive without using a real pseudo-terminal.

2014-04-29 19:02 GMT+02:00 Alexandre Gattiker agatti...@gmail.com:

Hello,

Is it possible to run interactive shell scripts using Apache SSHD? My attempt was not very successful.

Java code:

SshServer sshd = SshServer.setUpDefaultServer();
sshd.setPort(45121);
String hostKey = new File(App.class.getResource("hostkey.pem").toURI()).getAbsolutePath();
sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(hostKey));
sshd.setShellFactory(new ProcessShellFactory(new String[] { "sh", "myscript.sh" },
        EnumSet.of(TtyOptions.ONlCr, TtyOptions.ICrNl, TtyOptions.Echo)));
List<NamedFactory<UserAuth>> userAuthFactories = new ArrayList<NamedFactory<UserAuth>>();
userAuthFactories.add(new UserAuthPassword.Factory());
sshd.setUserAuthFactories(userAuthFactories);
sshd.setPasswordAuthenticator(new PasswordAuthenticator() {
    public boolean authenticate(String username, String password, ServerSession session) {
        return true;
    }
});
sshd.start();

myscript.sh:

#!/bin/sh
echo Welcome
read -p "Please input your age: " age
echo "You are $age years old"

The output of an SSH connection is only Welcome (the prompt does not appear). Then, I can input a value and the characters are echoed, but backspace doesn't work.

Thanks in advance, Alexandre
Re: Data on stdin does not get transferred - stdout+stderr work fine
Sure, that's a good suggestion. Could you please raise a Jira issue ?

On Monday 21 April 2014, Matthew DeVore matv...@gmail.com wrote:

Aha, my problem was that I was trying to read from stdin before returning from my Command.start() implementation. If I call new-connection-fn on a separate thread, it works. Would it be reasonable to either 1) throw an exception if anyone tries to read/write a stream before returning from start() or 2) allow reading from stdin rather than blocking forever? The current behavior is confusing.

This is the fix: https://github.com/matvore/hesokuri/commit/5cb13e0a81d7ece6aebdf5c635d150bac1719bf1

2014-04-20 7:05 GMT-07:00 Matthew DeVore matv...@gmail.com:

That doesn't appear to be the problem. The spit function creates a Writer around the input stream and then closes it, which should get the underlying InputStream closed and flushed. Just to make sure, I tried this in place of spit:

(.write client-in (int \newline))
(.flush client-in)

And added a logging call inside the loop in read-line-stream to see if any character made it through, but the deadlock still happens at the same spot, and not even one character makes it through.

2014-04-20 0:43 GMT-07:00 Guillaume Nodet gno...@apache.org:

The getInvertedIn() output stream is buffered. If you want to actually send a small amount of data, you need to call flush() after writing to the stream.

Happy Easter, Guillaume Nodet

2014-04-20 5:15 GMT+02:00 Matthew DeVore matv...@gmail.com:

Hi, I'm trying to integrate Apache SSHD with my app and am running into a strange issue. I can establish a connection and open a channel on a subsystem, and then get the InputStreams and OutputStreams that correspond to it. Data transferred over stderr and stdout seem to get transferred, but anything written to stdin by the client is not getting to the server. The client and server are both on localhost and using the SSHD library.
I've written two unit tests to demonstrate this - one that passes (connect-stdout-stderr) and one that deadlocks (connect-stdin). The code is in Clojure. I'd be very grateful if someone could point me in the right direction to fix the failing test. Thank you, Matt *Application code*: https://github.com/matvore/hesokuri/blob/4d591abe22a3c24e8756b1316ef763be86b55225/src/hesokuri/ssh.clj *Tests*: https://github.com/matvore/hesokuri/blob/4d591abe22a3c24e8756b1316ef763be86b55225/test/hesokuri/test_hesokuri/ssh.clj *Test log output:* 19:41:38:matvore-macbookpro2:~/hesokuri$ lein test :only hesokuri.test-hesokuri.ssh/connect-stdin lein test hesokuri.test-hesokuri.ssh Apr 19, 2014 7:51:41 PM org.apache.sshd.common.util.SecurityUtils$BouncyCastleRegistration run 資訊: Trying to register BouncyCastle as a JCE provider Apr 19, 2014 7:51:42 PM org.apache.sshd.common.util.SecurityUtils$BouncyCastleRegistration run 資訊: Registration succeeded Apr 19, 2014 7:51:42 PM org.apache.sshd.client.session.ClientSessionImpl init 資訊: Client session created Apr 19, 2014 7:51:42 PM org.apache.sshd.server.session.ServerSession init 資訊: Server session created from /127.0.0.1:63408 Apr 19, 2014 7:51:42 PM org.apache.sshd.client.session.ClientSessionImpl readIdentification 資訊: Server version string: SSH-2.0-SSHD-CORE-0.10.1 Apr 19, 2014 7:51:42 PM org.apache.sshd.common.session.AbstractSession negotiate 資訊: Kex: server-client aes128-ctr hmac-sha2-256 none Apr 19, 2014 7:51:42 PM org.apache.sshd.common.session.AbstractSession negotiate 資訊: Kex: client-server aes128-ctr hmac-sha2-256 none Apr 19, 2014 7:51:42 PM org.apache.sshd.common.session.AbstractSession negotiate 資訊: Kex: server-client aes128-ctr hmac-sha2-256 none Apr 19, 2014 7:
Re: Data on stdin does not get transferred - stdout+stderr work fine
I did. Feel free to add any comment.

On Monday 21 April 2014, Matthew DeVore matv...@gmail.com wrote:

Did you already raise one? I saw this: https://issues.apache.org/jira/browse/SSHD-312

2014-04-20 23:25 GMT-07:00 Guillaume Nodet gno...@apache.org:

Sure, that's a good suggestion. Could you please raise a Jira issue ?

On Monday 21 April 2014, Matthew DeVore matv...@gmail.com wrote:

Aha, my problem was that I was trying to read from stdin before returning from my Command.start() implementation. If I call new-connection-fn on a separate thread, it works. Would it be reasonable to either 1) throw an exception if anyone tries to read/write a stream before returning from start() or 2) allow reading from stdin rather than blocking forever? The current behavior is confusing.

This is the fix: https://github.com/matvore/hesokuri/commit/5cb13e0a81d7ece6aebdf5c635d150bac1719bf1

2014-04-20 7:05 GMT-07:00 Matthew DeVore matv...@gmail.com:

That doesn't appear to be the problem. The spit function creates a Writer around the input stream and then closes it, which should get the underlying InputStream closed and flushed. Just to make sure, I tried this in place of spit:

(.write client-in (int \newline))
(.flush client-in)

And added a logging call inside the loop in read-line-stream to see if any character made it through, but the deadlock still happens at the same spot, and not even one character makes it through.

2014-04-20 0:43 GMT-07:00 Guillaume Nodet gno...@apache.org:

The getInvertedIn() output stream is buffered. If you want to actually send a small amount of data, you need to call flush() after writing to the stream.

Happy Easter, Guillaume Nodet

2014-04-20 5:15 GMT+02:00 Matthew DeVore matv...@gmail.com:

Hi, I'm trying to integrate Apache SSHD with my app and am running into a strange issue.
I can establish a connection and open a channel on a subsystem, and then get the InputStreams and OutputStreams that correspond to it. Data transferred over stderr and stdout seem to get transferred, but anything written to stdin by the client is not getting to the server. The client and server are both on localhost and using the SSHD library. I've written two unit tests to demonstrate this - one that passes (connect-stdout-stderr) and one that deadlocks (connect-stdin). The code is in Clojure. I'd be very grateful if someone could point me in the right direction to fix the failing test. Thank you, Matt *Application code*: https://github.com/matvore/hesokuri/blob/4d591abe22a3c24e8756b1316ef763be86b55225/src/hesokuri/ssh.clj *Tests*: https://github.com/matvore/hesokuri/blob/4d591abe22a3c24e8756b1316ef763be86b55225/test/hesokuri/test_hesokuri/ssh.clj *Test log output:* 19:41:38:matvore-macbookpro2:~/hesokuri$ lein test :only hesokuri.test-hesokuri.ssh/connect-stdin lein test hesokuri.test-hesokuri.ssh Apr 19, 2014 7:51:41 PM org.apache.sshd.common.util.SecurityUtils$BouncyCastleRegistration run 資訊: Trying to register BouncyCastle as a JCE provider Apr 19, 2014 7:51:42 PM org.apache.sshd.common.util.SecurityUtils$BouncyCastleRegistration run 資訊: Registration succeeded Apr 19, 2014 7:51:42 PM org.apache.sshd.client.session.ClientSessionImpl init 資訊: Client session created Apr 19, 2014 7:51:42 PM org.apache.sshd.server.session.ServerSession init 資訊: Server sessio
Re: sshd - async interface
The asynchronous interface is an interesting idea. Though I'm not sure the using selectors is the best and I'd rather try to change the input/output streams ChannelInput/OutputStream so that ClientChannel returns AsynchronousByteChannel instead. I think we need both sync and async interfaces for the client, depending on the use case. 2014-04-18 1:26 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com: Hi, Are there any plans to support async interface for the sshd package? Enable single/multi threaded implementation based on nio, in which selector is left within the program main? The library can return a set of events to wait for including timeout, so that main program can wait for these among other events it requires. The interaction between channel and program can be based on selectable channel as well, so that program may send/receive data via ssh protocol being completely async. Regards, Alon Bar-Lev
Re: sshd - async interface
2014-04-19 20:43 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com: On Sat, Apr 19, 2014 at 9:15 PM, Guillaume Nodet gno...@apache.org wrote:

Sshd internally uses nio2 by default, which is not based on selectors, but non blocking operations. On the client part of SSHD, things are mostly asynchronous already:
#1 SshClient#connect returns a future on which you can set a callback and that you can use to retrieve the ClientSession asynchronously
#2 You need to use ClientSession#addXxxIdentity and then ClientSession#auth which is also asynchronous
#3 You then create a channel, and actually opening the channel is also asynchronous
#4 Closing channels is also asynchronous
I think the only missing part is really the streams on the ClientChannel which are using InputStream and OutputStream. If we replace them with an AsynchronousByteChannel, I think we would be fully async.

Thank you for your response, Our definition of async is very different... :) I do not think this module is sufficient to what I target. I see the number of threads created within the library core and the logic that is out of reach. This ssh library is great, splitting it into two logic only and communication layers will enable to go fully async. The logic layer should not have any thread. A default implementation of communication layer can be provided, but is optional. The difference from the world I coming for is that Future handling is much more complex than having control queue.

Not sure exactly what you're talking about here. Afaik, the only place where the ssh layer actually create a thread in when creating a client ChannelSession giving an InputStream which has to be read. This thread creation can be easily avoided by using ClientChannel#getInvertedIn() and writing to it. All other threads are communication threads only and are fully controlled by the IoService layer which is pluggable. Both mina and nio2 implementations use a fixed number of threads. But you can rewrite it if you need.
I'm all for improving sshd, but I fear I'm not really seeing your points clearly.

Was just an idea, thank you for addressing.

2014-04-19 15:57 GMT+02:00 Alon Bar-Lev alon.bar...@gmail.com:

On Sat, Apr 19, 2014 at 3:52 PM, Jon V. sybersn...@gmail.com wrote:

NIO controls and deals with the selectors. Async IO is a part of that but is not the same thing. Async IO means that if a write cannot be fully flushed, it will not block until it can be. NIO provides us the events to tell us that data is available in the socket.

Async IO is the ability for a single thread to perform (multiplex) IO (connect, read, write, close etc..) for multiple file descriptors. As far as I know, without NIO you cannot achieve that in Java. There is no sense in read or write without blocking if you cannot wait (vs actively poll) for an event.

On Apr 19, 2014 4:56 AM, Alon Bar-Lev alon.bar...@gmail.com wrote:

On Sat, Apr 19, 2014 at 10:58 AM, Emmanuel Lécharny elecha...@gmail.com wrote:

On 4/19/14 9:45 AM, Alon Bar-Lev wrote:

On Sat, Apr 19, 2014 at 10:38 AM, Emmanuel Lécharny elecha...@gmail.com wrote:

On 4/19/14 9:13 AM, Alon Bar-Lev wrote:

Hi, The mission of async is to avoid having threads at all, or at least O(1). As you have underline internal/private low level channels for socket processing, and public high level channels to communicate with application, there should be a mechanism for library to request wake up for these low level channels. Another option is to avoid using sockets at all within the implementation and require application to manage the sockets and pipe socket data into the library. I understand this is conceptional change than what we have now, but this what will enable scale without abusing system threads or have nondeterministic behaviour in high load.

There are a few important things you have to know about async and threads :
- the extra cost for dealing with async connection is around 30%.
That's all but free
- a standard system can easily deal with a few thousands of threads
Now, unless you define what is high load, I don't really see what kind of advantage we can get with an async implementation. FTR, when MINA was initially created, it was because there was a need for a system supporting potentially tens of thousands of connections. Is that what you are targeting?

Yes, using work threads that are derived per # of CPUs, no more. I am far from the pure Java world... but if async IO is 30% insufficient, maybe it is worth to use libssh (C) and communicate with it using single socket from java, delegating IO outside of java.

IO are already delegated outside on Java. Everything IO related is written in C
Re: SSHD exception when client tries to reconnect
Not sure which client you're using, but afaik, authentication can only be done once for a connection. Also, try with the latest 0.10.1 sshd release.

2014-03-13 11:09 GMT+01:00 SiriSenthilRaam - sirisenthilr...@gmail.com:

My ssh client tries to communicate with SSHD and it works fine for a while. After a while the connection seems to be closed from client side and when the client tries to reconnect to the SSHD, I am seeing the below exception. I am not sure how to overcome this. The client keeps trying to send the authentication, and sshd keeps throwing this exception. Is there any way to clean up the session? If a new connection is established from some other client, it's working fine.

WARN [NioProcessor-4] (AbstractSession.java:264) - Exception caught
java.lang.IllegalStateException: Unsupported command: SSH_MSG_USERAUTH_REQUEST
    at org.apache.sshd.server.session.ServerSession.running(ServerSession.java:266)
    at org.apache.sshd.server.session.ServerSession.handleMessage(ServerSession.java:205)
    at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:566)
    at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:236)
    at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:58)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Thanks Regards, Sendilraj P
Re: apache-sshd releases
2014-03-05 18:53 GMT+01:00 Emmanuel Lécharny elecha...@gmail.com:

On 3/5/14 6:44 PM, Alon Bar-Lev wrote:

Hi, I want to ask regarding the release sequence.
At site I see latest is 0.9.0[1]. This is the latest release.
At maven central I see 0.10.0[2]. this is a tag not a release.
It mirrors I see 0.10.0[3]. Same.
At git I can see 0.10.1[4] tagged. Same.
Quite confusing :)

Nope. We do release sources, not binaries. Official binaries are those available on the MINA web site, and anything else are just working artefacts. We do not endorse any release which has not been voted and signed.

Can the site[1] be modified with latest? It's already up to date.

Not really actually. The 0.10.0 has been released 2 weeks ago. I was going to update it when I just found that 0.10.0 was not working for me so I started the 0.10.1 release. I thought about skipping that one and only update for 0.10.1 ...

and can 0.10.1 be available if was released?

A vote is going on, and if the vote has not been closed, it's probably because some issues have been found in SSHD.

In the case of 0.10.1, we're missing a few votes. I suppose it won't be long before it is released now. There are a few bugs with workarounds, so I'm planning a 0.10.2 release to fix those in the coming weeks.

Side note, for devs : Here, I think we should agree that when the vote is not closed, then we should cancel the vote after the 72 delays. Also we should probably not use a new revision number for each attempt : this is typically the kind of confusion we get if we do what sebb was proposing, and this is the reason we delete the tags if the vote is cancelled. Thoughts ?

-- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: apache-sshd releases
2014-03-05 23:19 GMT+01:00 Emmanuel Lécharny elecha...@gmail.com: Le 3/5/14 10:13 PM, Guillaume Nodet a écrit : 2014-03-05 18:53 GMT+01:00 Emmanuel Lécharny elecha...@gmail.com: Can the site[1] be modified with latest? It's already up to date. Not really actually. The 0.10.0 has been released 2 weeks ago. No, not according to The ASF and this project standards : [CANCEL] [VOTE] Release Apache Mina SSHD 0.10.0 This has *not* been released. You have created a candidate for a vote, which you have cancelled. Yes, and a few days later we have: [RESULT] [VOTE] Release SSHD 0.10.0 (2nd cut) I was going to update it when I just found that 0.10.0 was not working for me so I started the 0.10.1 release. I thought about skipping that one and only update for 0.10.1 ... I'd rather keep going with 0.10.0. Again, as I said, I think it's really confusing to increment the number of candidates when the vote is not successful. But this is probably something we should discuss on the dev mailing list. I fully agree with you, but those are actually 2 different releases. The 0.10.0 has been released, 0.10.1 is still under vote. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: How to configure AWS S3 as filesystem in Apache SSHD
From an SSHD point of view, file access entry point is done by implementing the org.apache.sshd.common.file.FileSystemFactory. From a S3 perspective, amazon provides a java client API. There are a few points you'll have to choose:
* authentication : how to provide the s3 keys
* buckets : restrict to a single bucket or simulate a first hierarchy level using buckets
* folders : need to choose a delimiter
Next, depending on whether you want to use SCP or SFTP, the set of SshFile methods to implement may change ... SCP is much simpler and uses a more limited set. You'll find S3 code snippets easily: http://ceph.com/docs/master/radosgw/s3/java/#listing-owned-buckets

2014-02-06 18:13 GMT+01:00 Abhishek Kundu kundu.abh...@gmail.com:

Hi, Please help me in configuring AWS S3 as filesystem in Apache SSHD

-- Thanks and Regards, Abhishek Kundu (+91-9008207284)
Re: Remote Port Forwarding
You need to register a TcpipForwardingFilter on your client too, so that it can accept to connect. The same class can be used on both sides.

    client.setTcpipForwardingFilter(new ForwardingFilter() { ... });

2014-02-07 1:34 GMT+01:00 Kevin Day ke...@trumpetinc.com:

I'm trying to use mina sshd in a remote port forwarding scenario:

Client connects to Server on port 22
Traffic inbound to Server port 12345 gets forwarded to Client port 9876

I'm running into a problem where the connection to port 12345 on the server gets refused. I've traced the issue to this line in TcpipServerChannel:

    final ForwardingFilter filter = getSession().getFactoryManager().getTcpipForwardingFilter();
    if (address == null || filter == null || !filter.canConnect(address, getSession())) {

the problem is that filter is winding up with a null value. The problem is that I don't see any way to get that value set.

My client code:

    SshClient client = SshClient.setUpDefaultClient();
    client.start();
    try{
        ConnectFuture sessionFuture = client.connect("localhost", 22);
        sessionFuture.await();
        ClientSession session = sessionFuture.getSession();
        AuthFuture authPassword = session.authPassword(user, pass);
        authPassword.await();
        if(!authPassword.isSuccess())
            throw new Error("Authentication failed");
        SshdSocketAddress local = new SshdSocketAddress("localhost", 14722);
        SshdSocketAddress remote = new SshdSocketAddress("localhost", 14730);
        SshdSocketAddress remoteConnectInfo = session.getTcpipForwarder().startRemotePortForwarding(remote, local);
        System.out.println("Forwarding " + remoteConnectInfo + " to " + local);

and the server code:

    SshServer sshd = SshServer.setUpDefaultServer();
    sshd.setPort(22);
    File keyFile = new File("devapphome/config/hostkey.ser").getAbsoluteFile();
    sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(keyFile.getAbsolutePath()));
    sshd.setPasswordAuthenticator(new PasswordAuthenticator(){
        @Override
        public boolean authenticate(String username, String password, ServerSession session) {
            return user.equals(username) && pass.equals(password);
        }
    });
    sshd.setTcpipForwardingFilter(new ForwardingFilter() {
        @Override
        public boolean canListen(SshdSocketAddress address, Session session) {
            System.out.println("Listen request from " + address);
            return true;
        }
        @Override
        public boolean canForwardX11(Session session) {
            return true;
        }
        @Override
        public boolean canForwardAgent(Session session) {
            return true;
        }
        @Override
        public boolean canConnect(SshdSocketAddress address, Session session) {
            System.out.println("Connection request from " + address);
            return true;
        }
    });
    try {
        sshd.start();
        System.out.println("sshd started - listening on port " + sshd.getPort());
        synchronized (this) {
            wait();
        }
    } catch (IOException | InterruptedException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

The problem is that sshd.setTcpipForwardingFilter sets the filter on the SshServer side of things. In remote port forwarding mode, a totally different (SshClient-side sub-class of AbstractChannel - AbstractClientChannel) Session object is being created, and it doesn't look like it is inheriting the TcpipForwardingFilter. Am I missing something here? Do I need to be adding some sort of registration to detect remote port forwarding requests and configure the AbstractClientChannel somehow?

Thanks much, - Kevin
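Added example, not code from the thread or from the MINA SSHD project: a ForwardingFilter that can be registered on both sides as the reply suggests, but that permits only configured host:port pairs and refuses agent and X11 forwarding instead of returning true everywhere. The class name, the package names (assumed for the sshd 0.9/0.10 line) and the allow-list entry are assumptions; the four callback signatures and setTcpipForwardingFilter are the ones shown in the messages above.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Package names are assumed for the sshd 0.9/0.10 line discussed in the thread.
import org.apache.sshd.SshClient;
import org.apache.sshd.common.ForwardingFilter;
import org.apache.sshd.common.Session;
import org.apache.sshd.common.SshdSocketAddress;

/**
 * Hypothetical allow-list filter: a forwarding request is refused unless its
 * exact "host:port" pair was configured. Agent and X11 forwarding are refused.
 */
public class AllowListForwardingFilter implements ForwardingFilter {

    private final Set<String> listenAllowed;   // addresses the peer may ask us to bind
    private final Set<String> connectAllowed;  // addresses forwarded traffic may reach

    public AllowListForwardingFilter(Set<String> listenAllowed, Set<String> connectAllowed) {
        this.listenAllowed = normalize(listenAllowed);
        this.connectAllowed = normalize(connectAllowed);
    }

    // Host names are compared case-insensitively; the port must match exactly.
    private static Set<String> normalize(Set<String> entries) {
        Set<String> out = new HashSet<String>();
        for (String entry : entries) {
            out.add(entry.toLowerCase(Locale.ROOT));
        }
        return Collections.unmodifiableSet(out);
    }

    private static boolean permitted(Set<String> allowed, SshdSocketAddress address) {
        if (address == null || address.getHostName() == null) {
            return false; // nothing to match against: refuse
        }
        String key = address.getHostName().toLowerCase(Locale.ROOT) + ":" + address.getPort();
        return allowed.contains(key);
    }

    @Override
    public boolean canListen(SshdSocketAddress address, Session session) {
        return permitted(listenAllowed, address);
    }

    @Override
    public boolean canConnect(SshdSocketAddress address, Session session) {
        return permitted(connectAllowed, address);
    }

    @Override
    public boolean canForwardAgent(Session session) {
        return false;
    }

    @Override
    public boolean canForwardX11(Session session) {
        return false;
    }

    /**
     * Client-side wiring for the scenario in the post. Assumption: the address
     * handed to canConnect on the client is the local target given to
     * startRemotePortForwarding (localhost:14722 in the posted client code).
     */
    public static SshClient newForwardingClient() {
        SshClient client = SshClient.setUpDefaultClient();
        client.setTcpipForwardingFilter(new AllowListForwardingFilter(
                Collections.<String>emptySet(),              // the client binds nothing for the peer
                Collections.singleton("localhost:14722")));  // only the intended local service
        return client;
    }
}
```

On the server the same class would be constructed with the listen address it is willing to bind and passed to sshd.setTcpipForwardingFilter.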
Re: Integration of SSHD
You can use any SSH client from a unix distribution, or cygwin / putty on Windows.

2013/12/4 Maheedhar maheedha...@in.fiorano.com

I finished implementation and integration of SSHd into our environment. As of now we have both the client and server implementations and they communicate just fine. We wanted to test with a client from our implementation and some other server (a different implementation) running SSH in order to test if our implementation is generic. Are there any tools/softwares that can communicate with the sshserver/sshclient that has been deployed? For example, from a linux terminal it is possible to send messages to a socket running MINA right? Similarly what tool can I use to communicate to the IP address:port where SSH is deployed

-- View this message in context: http://apache-mina.10907.n7.nabble.com/Integration-of-SSHD-tp39824p40630.html Sent from the Apache MINA User Forum mailing list archive at Nabble.com.
Re: SSHD: Restrict SFTP directory
The FileSystemView has been introduced for that very purpose. Here is an example that restricts the file system to a certain directory (in that case indicated by System.getProperty("karaf.base")) https://github.com/apache/karaf/blob/karaf-2.x/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafFileSystemView.java

2013/9/17 Joseph Hickman jhick...@dtccom.net

I need to restrict the directory(ies) a logged-in SFTP user is able to access. Two solutions are proposed on this board:
* A custom implementation of FileSystemView, as per http://www.mail-archive.com/users@mina.apache.org/msg0.html
OR
* Override the start method of SftpSubSystem, as per http://www.mail-archive.com/users@mina.apache.org/msg03137.html
Both of these suggestions refer to SFTP and I'm wondering if one approach is recommended over the other? Does anyone have an implementation they are willing to share? Thanks. ~Joseph

-- --- Guillaume Nodet Red Hat, Open Source Integration Email: gno...@redhat.com Web: http://fusesource.com Blog: http://gnodet.blogspot.com/
Re: Integration of SSHD
The main pieces are SshServer and SshClient classes. Both contain a main method that you can run and debug to see what happens. This should also show you how you can integrate sshd in your environment.

2013/9/12 Maheedhar maheedha...@in.fiorano.com

I am working in an application that uses apache MINA to send and receive messages over socket. I was asked to include SSH support as in (using credentials - a username and password) with which they can authenticate themselves. I was looking into SSHD library source code and felt an abstract idea of where to start would be nice. The message that I read from the Socket undergoes processing of its own. I want that to carry on. I just need this SSH security to be added as an additional layer inside the logic. How can I achieve that? An outline idea would go a long way. Thanks in advance

-- View this message in context: http://apache-mina.10907.n7.nabble.com/Integration-of-SSHD-tp39824.html Sent from the Apache MINA User Forum mailing list archive at Nabble.com.

-- --- Guillaume Nodet Red Hat, Open Source Integration Email: gno...@redhat.com Web: http://fusesource.com Blog: http://gnodet.blogspot.com/
Re: Publickey of PublickeyAuthenticator class (MINA SSHD)
Could you please explain a bit more what your exact problem is ? If you implement your own PublickeyAuthenticator, you need to check whether the received key is accepted or not.

2013/9/4 LSJ hl1...@naver.com

Hi. I have been using MINA SSHD server. I want to be certified through Public key generated by the Linux Shell (using keygen). So I use sshd.setPublickeyAuthenticator method and PublickeyAuthenticator class. However, Public key used as parameter in PublickeyAuthenticator class received from user?

    public class DBPublicKeyAuth implements PublickeyAuthenticator {
        @Override
        public boolean authenticate(String arg0, *PublicKey arg1*, ServerSession arg2) {

--- The following two values are wrong.

The value generated by keygen

Ssh-rsa B3NzaC1yc2EDAQABAAABAQClXHjwJv86qURq9L0wyfWyVlRSP8E+Bcr8yfeOKh928C4d67xPR0NoIhOSrhsZmRML4opan2ctCl7l11w1DwgsabBJgtQ7Y6ZWhLrS/W0M3a5efEjktlG71afQP6mtuFdeH140qpPxz6oB26mzCk2f+lajvXrlTNnx1Ap1vCxsueHy8ZRshMHX9k3VIgiabinAtyV7OOcFZjH45uvTmWmShrYzr0P95mevbWAb2RMeRZ2gpjS4Wh1a0u/TVgtJw7X3wbMa2CFjBQxqPGauH04kNo28vM8G3TXyYwJ6UDbPyIvkmYOrxkyckQ+SB0SHwGgZvF3XdcsT2uyPsmbCs5I1 hl1tex@hl1tex-VirtualBox

The value printed in PublickeyAuthenticator class (in authenticate method)

RSA Public Key modulus: public exponent: 10001

I do not know what is wrong. help me please~

-- View this message in context: http://apache-mina.10907.n7.nabble.com/Publickey-of-PublickeyAuthenticator-class-MINA-SSHD-tp39746.html Sent from the Apache MINA User Forum mailing list archive at Nabble.com.

-- --- Guillaume Nodet Red Hat, Open Source Integration Email: gno...@redhat.com Web: http://fusesource.com Blog: http://gnodet.blogspot.com/
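Added example, not part of the original messages or of the MINA SSHD code base: the line written by ssh-keygen is the base64 of the SSH wire encoding of the key, while Java prints the same key as modulus and exponent, so an authenticator has to decode the stored line before comparing it with the PublicKey it receives. The class and method names are hypothetical, the key pair is generated inside the example as sample input, and only JDK classes (Java 8 or later) are used.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class AuthorizedKeyCheck {

    /** Decodes one "ssh-rsa <base64> [comment]" line into a JCA RSA public key. */
    static RSAPublicKey parseRsaLine(String line) throws IOException, GeneralSecurityException {
        String[] parts = line.trim().split("\\s+");
        if (parts.length < 2 || !"ssh-rsa".equals(parts[0])) {
            throw new IllegalArgumentException("not an ssh-rsa entry");
        }
        byte[] blob = Base64.getDecoder().decode(parts[1]);
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(blob));
        // Wire format: string "ssh-rsa", mpint e, mpint n, each prefixed by a 4-byte length.
        String type = new String(readField(in), StandardCharsets.US_ASCII);
        if (!"ssh-rsa".equals(type)) {
            throw new IllegalArgumentException("key blob type is " + type);
        }
        BigInteger e = new BigInteger(readField(in));
        BigInteger n = new BigInteger(readField(in));
        if (in.available() != 0) {
            throw new IllegalArgumentException("trailing bytes after key blob");
        }
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    /** Reads one length-prefixed field, rejecting lengths that overrun the blob. */
    private static byte[] readField(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > in.available()) {
            throw new IOException("bad field length " + len);
        }
        byte[] field = new byte[len];
        in.readFully(field);
        return field;
    }

    /** The comparison an authenticate(username, key, session) implementation would make. */
    static boolean matches(PublicKey presented, RSAPublicKey authorized) {
        if (!(presented instanceof RSAPublicKey)) {
            return false;
        }
        RSAPublicKey p = (RSAPublicKey) presented;
        return p.getModulus().equals(authorized.getModulus())
                && p.getPublicExponent().equals(authorized.getPublicExponent());
    }

    /** Encodes a key the way ssh-keygen writes it; used here only to build sample input. */
    static String toAuthorizedKeysLine(RSAPublicKey key, String comment) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        byte[][] fields = {
            "ssh-rsa".getBytes(StandardCharsets.US_ASCII),
            key.getPublicExponent().toByteArray(),   // two's complement, same as an SSH mpint
            key.getModulus().toByteArray()
        };
        for (byte[] field : fields) {
            out.writeInt(field.length);
            out.write(field);
        }
        return "ssh-rsa " + Base64.getEncoder().encodeToString(buf.toByteArray()) + " " + comment;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        // Constructed sample data: one key stands for the user's key, one for a stranger's.
        RSAPublicKey userKey = (RSAPublicKey) gen.generateKeyPair().getPublic();
        RSAPublicKey otherKey = (RSAPublicKey) gen.generateKeyPair().getPublic();

        String stored = toAuthorizedKeysLine(userKey, "user@example");
        RSAPublicKey authorized = parseRsaLine(stored);

        System.out.println("exponent (hex): " + authorized.getPublicExponent().toString(16));
        System.out.println("user key accepted:  " + matches(userKey, authorized));
        System.out.println("other key accepted: " + matches(otherKey, authorized));
    }
}
```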
Re: Socket input to SSHD?
Not easily, but I think with the new api that has been added to sshd 0.9.0 org.apache.sshd.common.io, you can pretty much do whatever you want on the IO side.

2013/8/14 David Greene da...@securelink.com

Is there a way to have SshdServer accept a Socket or an InputStream as input instead of binding to a host:port ? -David

-- --- Guillaume Nodet Red Hat, Open Source Integration Email: gno...@redhat.com Web: http://fusesource.com Blog: http://gnodet.blogspot.com/
Re: [Apache SSHD] Default value for max-concurrent-sessions
There's no default value, meaning by default, a user is not limited in the number of sessions it creates. There's no global maximum number of sessions right now. 2013/8/1 Wright, Omari omari.wri...@solers.com Also, I am also wondering what the max default value of sessions is. max-concurrent-sessions seems to pertain to individual users. -Original Message- From: Wright, Omari [mailto:omari.wri...@solers.com] Sent: Thursday, August 01, 2013 12:21 PM To: 'users@mina.apache.org' Subject: [Apache SSHD] Default value for max-concurrent-sessions What is the default value for max-concurrent-sessions? -- --- Guillaume Nodet Red Hat, Open Source Integration Email: gno...@redhat.com Web: http://fusesource.com Blog: http://gnodet.blogspot.com/
Re: ssh honey pot - tamper with commands
SSHD does not provide an interactive shell you can use and does not really aim to do so anyway. I would have a look at jline2, it's the one we use in Karaf. Jline provides completion, history, key bindings, etc... Roughly, you need to create a jline ConsoleReader by using the streams provided by SSHD and then configure it by registering commands, completers, etc... I'd suggest you have a look at Karaf, and then eventually grab some of its code if you don't want OSGi at all, but the easiest would surely to just reuse Karaf.

On Thu, Jan 24, 2013 at 11:22 AM, Ioan Eugen Stan stan.ieu...@gmail.com wrote:

Hello, I'm working on a SSH Honeypot and using SSHD as a server. I need help figuring out how can I have for example command completion and the ability to tamper with some commands (choose between executing, delaying or faking their execution - not running them and returning some other data) Right now I managed to create a server that can execute commands and can open a Shell connection where I can type in commands. The server echoes them back but does not display them. I know it's possible, but the lack of documentation is killing me so any help is appreciated. Cheers, -- Ioan Eugen Stan

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: ssh honey pot - tamper with commands
If I understand you correctly, you're trying to launch a native shell, but have some kind of pre-processing of commands in java. The problem is that there's no way afaik to get back from the native shell to the sshd environment. I guess you could customize your native shell to some point to do some of the processing in scripts, like creating bash functions that will act as proxy to the native commands and do your ignore/execute logic there. Else, I'd really suggest using jline as the shell and implement jline commands that would then delegate to native commands.

On Thu, Jan 24, 2013 at 11:37 AM, Ioan Eugen Stan stan.ieu...@gmail.com wrote:

Hello Guillaume, Thank you for your quick response and the pointers. I know SSHD does not aim at providing an interactive shell, but I'm not planning to re-implement it myself also. Is it possible for example to delegate all characters to the native shell and on new-line to decide one of the two:
- if the command entered so far is not to be executed then drop it silently and return fake output to the user
- if the command should be executed - forward the newline to the native, interactive shell
This should avoid the need for re-implementing the commands and command completers and leverage the native shells command completing capabilities. Is this ok? By the way, you did incredible work on SSHD and jline. Cheers, -- Ioan Eugen Stan / CTO / http://axemblr.com

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: [Apache SSHD] Authentication change between 0.6.0 and 0.8.0?
Could you give a bit more details on your set up and authentication process ?

On Thu, Dec 13, 2012 at 4:55 PM, Wright, Omari omari.wri...@solers.com wrote:

When I ported my project over to Apache SSHD 0.8.0, my implementation for authentication stopped working. Now a user is automatically logged in as root when they attempt to connect to the server.

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: [Apache SSHD] Authentication change between 0.6.0 and 0.8.0?
    ) { logException(e, authenticate); } return false; } });

- UserManager is a modified version of Apache FtpServer's properties user manager.

-Original Message- From: Guillaume Nodet [mailto:gno...@gmail.com] Sent: Thursday, December 13, 2012 11:33 AM To: users Subject: Re: [Apache SSHD] Authentication change between 0.6.0 and 0.8.0?

Could you give a bit more details on your set up and authentication process ?

On Thu, Dec 13, 2012 at 4:55 PM, Wright, Omari omari.wri...@solers.com wrote:

When I ported my project over to Apache SSHD 0.8.0, my implementation for authentication stopped working. Now a user is automatically logged in as root when they attempt to connect to the server.

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: [Apache SSHD] Authentication change between 0.6.0 and 0.8.0?
I'm not sure to understand. The default implementation is not secured and any login = password will work by default.

On Thu, Dec 13, 2012 at 6:36 PM, Wright, Omari omari.wri...@solers.com wrote:

Whatever changed also affected running the standalone version from the command line with stock configuration. It also shows the same behavior.

-Original Message- From: Guillaume Nodet [mailto:gno...@gmail.com] Sent: Thursday, December 13, 2012 12:32 PM To: users Subject: Re: [Apache SSHD] Authentication change between 0.6.0 and 0.8.0?

Maybe this change ? https://github.com/apache/mina-sshd/commit/3932a1275f3a48d5a304dcfb151a3ca3ce6050ed

On Thu, Dec 13, 2012 at 5:53 PM, Wright, Omari omari.wri...@solers.com wrote:

Configuration is as follows...

    server = new SshServer();
    // DHG14 uses 2048 bits key which are not supported by the default JCE provider
    if (SecurityUtils.isBouncyCastleRegistered()) {
        server.setKeyExchangeFactories(Arrays.<NamedFactory<KeyExchange>>asList(
                new DHG14.Factory(),
                new DHG1.Factory()));
        server.setRandomFactory(new SingletonRandomFactory(new BouncyCastleRandom.Factory()));
    } else {
        server.setKeyExchangeFactories(Arrays.<NamedFactory<KeyExchange>>asList(
                new DHG1.Factory()));
        server.setRandomFactory(new SingletonRandomFactory(new JceRandom.Factory()));
    }
    List<NamedFactory<Cipher>> avail = new LinkedList<NamedFactory<Cipher>>();
    avail.add(new AES128CTR.Factory());
    avail.add(new AES256CTR.Factory());
    avail.add(new ARCFOUR128.Factory());
    avail.add(new ARCFOUR256.Factory());
    avail.add(new AES128CBC.Factory());
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
    // Drop every cipher the local JCE provider cannot initialise
    for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) {
        final NamedFactory<Cipher> f = i.next();
        try {
            final Cipher c = f.create();
            final byte[] key = new byte[c.getBlockSize()];
            final byte[] iv = new byte[c.getIVSize()];
            c.init(Cipher.Mode.Encrypt, key, iv);
        } catch (InvalidKeyException e) {
            i.remove();
        } catch (Exception e) {
            i.remove();
        }
    }
    server.setCipherFactories(avail);
    // Compression is not enabled by default
    // sshd.setCompressionFactories(Arrays.<NamedFactory<Compression>>asList(
    //         new CompressionNone.Factory(),
    //         new CompressionZlib.Factory(),
    //         new CompressionDelayedZlib.Factory()));
    server.setCompressionFactories(Arrays.<NamedFactory<Compression>>asList(
            new CompressionNone.Factory()));
    server.setMacFactories(Arrays.<NamedFactory<Mac>>asList(
            new HMACMD5.Factory(),
            new HMACSHA1.Factory(),
            new HMACMD596.Factory(),
            new HMACSHA196.Factory()));
    server.setChannelFactories(Arrays.<NamedFactory<Channel>>asList(
            new PdaChannelSession.Factory(),
            new ChannelDirectTcpip.Factory()));
    server.setSignatureFactories(Arrays.<NamedFactory<Signature>>asList(
            new SignatureDSA.Factory(),
            new SignatureRSA.Factory()));
    server.setFileSystemFactory(new PdaFileSystemFactory());
    ForwardingAcceptorFactory faf = new DefaultForwardingAcceptorFactory();
    server.setTcpipForwardNioSocketAcceptorFactory(faf);
    server.setX11ForwardNioSocketAcceptorFactory(faf);
    server.setPort();
    if (SecurityUtils.isBouncyCastleRegistered()) {
        server.setKeyPairProvider(new PEMGeneratorHostKeyProvider("key.pem"));
    } else {
        server.setKeyPairProvider(new SimpleGeneratorHostKeyProvider("key.ser"));
    }
    if (OsUtils.isUNIX()) {
        server.setShellFactory(new ProcessShellFactory(new String[] { "/bin/sh", "-i", "-l" },
                EnumSet.of(ProcessShellFactory.TtyOptions.ONlCr)));
    } else {
        server.setShellFactory(new ProcessShellFactory(new String[] { "cmd.exe" },
                EnumSet.of(ProcessShellFactory.TtyOptions.Echo, ProcessShellFactory.TtyOptions.ICrNl, ProcessShellFactory.TtyOptions.ONlCr)));
    }
    server.setSubsystemFactories(Arrays.<NamedFactory<Command>>asList(new PdaSftpSubsystem.Factory()));
    server.setCommandFactory(new PdaScpCommandFactory());
    server.setPasswordAuthenticator(new PasswordAuthenticator() {
        public boolean authenticate(String username, String password, ServerSession session
Re: SSHD server treats CTrl+C ?
Yes, that's doable. Ctrl+C is sent as \x03 character on the input stream. Depending on what's the client, you need to make sure that the client itself won't be interrupted itself. We've implemented that in Karaf, so that's doable for sure.

On Mon, Oct 29, 2012 at 8:35 AM, Pauna Adrian ady@gmail.com wrote:

I am at the beginning with apache mina SSHD, so I apologize if the question might not be very well put. So my question : is there a way to interrupt a running command on a sshd server (apache mina). For example stopping the ping command with Ctrl+c. Thanks in advance. Adrian

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: SSHD support readline as MINA
On Wed, Oct 17, 2012 at 2:13 PM, Tai Phuoc Tran tp...@tma.com.vn wrote:

Hi, I'm currently working on project that use mina as io fwk. Currently, we need to move to use apache sshd, however with new architecture of sshd which based on stream. And messages are send character by character without any handle of deleting characters (when hit backspace)

Which sshd library were you using before that mina sshd ?

In Mina, we just simple implement IoHandlerAdapter.messageReceived(IoSession, Object) - then we have Object that contains a string (not character).

Mmh, that's really not how sshd works.

I know we can use jline, and do similar thing as in karaf project do in order to handle a incoming command. However, we need to maintain these code, and I don't like it, I expect it should be covered by Apache Mina SSHD.

You don't like jline code or you don't like maintaining it ? Jline 2 is a bit more complicated than the old version. You could use the old one if you want a simpler code.

Any idea that we've already had a package to adapt with apache sshd to provide such basic feature ?

No. I think jline is the de facto readline library in java and used by lots of projects beyond karaf.

Regards, Tai

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: Fwd: How to execute sftp client using apache ssh client
I don't think anyone is working on that yet. Would you be interested in working on such a feature ?

On Wed, Oct 3, 2012 at 4:44 PM, marcovaca mv...@collegeboard.org wrote:

Hello, is there currently any plan to add sFTP client side support? Is someone working on this already?

manojkumar16 wrote:

Hi Guillaume, Thanks for the quick reply. As you mentioned, client side is still lacking lots of features. And the sftp support is one of them unfortunately. Does it mean that creation of sftp subsystem channel is not supported? Can you please provide a list of features which is missing at sftp client side? I followed the link https://github.com/apache/karaf/blob/trunk/client/src/main/java/org/apache/karaf/client/Main.java and I am able to connect the client to sftp server either in shell or exec channel. However, it fails when I try to create sftp subsystem channel. Does apache sshd-client support sftp subsystem? Is there any documentation available for apache sshd client? I am struggling hard to understand the behavior and working style of apache sshd client.

-- Forwarded message -- From: manoj kumar manojkuma...@gmail.com Date: Mon, Jan 23, 2012 at 2:22 PM Subject: How to execute sftp client using apache ssh client To: d...@mina.apache.org

Hi, I want to write sftp Client using apache-sshd mina client api. I am able to connect to sftp server using apache ssh client but I do not have any idea how to send sftp command to apache sshd server and how do I get result of sftp client. I am totally lost. Please guide me.
I have confusion on below *highlighted code* taken from SshClient.java:

    SshClient client = SshClient.setUpDefaultClient();
    client.start();
    ClientSession session = client.connect("localhost", port).await().getSession();
    session.authPassword("smx", "smx");
    ClientChannel channel = session.createChannel(ClientChannel.CHANNEL_EXEC, "ls");
    *ByteArrayOutputStream sent = new ByteArrayOutputStream();*
    *PipedOutputStream pipedIn = new TeePipedOutputStream(sent);*
    *channel.setIn(new PipedInputStream(pipedIn));*
    *ByteArrayOutputStream out = new ByteArrayOutputStream();*
    *ByteArrayOutputStream err = new ByteArrayOutputStream();*
    *channel.setOut(out);*
    *channel.setErr(err);*
    *channel.open().await();*

What I understood from the code is, we are using outstream to send sftp command in the form of byte array to sftp server over a channel. How do I receive response from sftpserver? If it is not correct way to send sftp command then what is the correct way to execute sftp command? Can anybody provide a simple example which sends sftp command and receives response from sftp server?

-- Thanks and Regards, Manoj Kumar 9535214528

-- Thanks and Regards, Manoj Kumar 9535214528

-- View this message in context: http://old.nabble.com/Fwd%3A-How-to-execute-sftp-client-using-apache-ssh-client-tp33188326p34509344.html Sent from the Apache MINA User Forum mailing list archive at Nabble.com.

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: SSHD: Client TCP/IP Forwarding Questions
choosing SSHD for my project. Kevin -- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: SSHD: Client TCP/IP Forwarding Questions
On Thu, Sep 27, 2012 at 8:44 PM, Kevin Winchester kevin.winches...@anywaregroup.com wrote:

Hi, I see that TCP/IP forwarding has been added to the SSHD client in the upcoming 0.8.0 release. I have grabbed the latest code from SVN to try it out, but I have a few questions:

1. Is there any sample code for how to use it? I basically am doing the following:

    SshClient sshClient = SshClient.setUpDefaultClient();
    sshClient.start();
    ClientSession clientSession = sshClient.connect(host, port).await().getSession();
    clientSession.authPassword(username, password).await();
    clientSession.startLocalPortForwarding(
            new SshdSocketAddress(localAddress, localPort),
            new SshdSocketAddress(remoteAddress, remotePort));

I don't want any shell or execution channel, just the port forwarding. Is that the best way to make use of the feature?

Yes

2. When I run the above code, the channel seems to work correctly, until I disconnect for the first time, at which point the channel seems to close itself. Is that something I am doing wrong, or is it the intended behavior? Any other SSH client I have used maintains the forwarded channel across multiple disconnects/reconnects.

I've just added a loop to the unit test we have and the current code seems to support multiple socket opening/close correctly. See testLocalForwardingNative in https://github.com/apache/mina-sshd/blob/trunk/sshd-core/src/test/java/org/apache/sshd/PortForwardingTest.java#L189

Channels are created for each incoming socket connection on the remote side. Are you saying that the channel is kept opened for a certain amount of time before being closed if not reused? I suppose I can see the use case for example when using HTTP 1.0, but I must admit that did not cross my mind. Feel free to raise a JIRA issue and eventually propose a patch if you fancy working on it.

3. I see that there is a createDirectTcpipChannel method in the ClientSession class as well, that seems to create a completely different implementation of a forwarded TCP/IP channel. What is that used for?

The main difference is that the startLocalPortForwarding opens a server socket and will channel incoming connection through the ssh layer. The createDirectTcpipChannel serves a slightly different purpose which is to stream data from java to the remote host, so no socket is opened and you have to give the input / output / error streams instead. The reason the implementation is different is mainly because in the startLocalPortForwarding case, no java streams are used, and we use bio buffers, so even if ssh layer is used in the same way, the client side is slightly different.

Thanks, Kevin Winchester

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: Problem in Apache SSHD when making remote calls
Could you provide the server log so that we can investigate why the connection is dropped?

On Thu, Sep 27, 2012 at 10:08 PM, Wright, Omari omari.wri...@solers.com wrote:

If during processing I make a remote call to another machine (in this case JMS message or SOAP message) the SSH/SFTP connection is dropped to my SFTP client. Is there something I can change to remedy this?

Example 1:
1) Connect to Apache SSHD using SFTP client
2) Authenticate method is reached
3) Remote SOAP call is made to OpenAM to do the authentication
4) SSHTools SFTP client connection is dropped

Example 2 (after I make authenticate always return true):
1) Connect to Apache SSHD using SFTP client
2) Authentication returns true and a SSH session is started
3) Sftpsubsystem tries to query database to get user's home directory
4) SSHTools SFTP client connection is dropped

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: Is Apache SSHD considered beta software?
Mainly, the missing things are on the client side:
* keyboard interactive authentication
* scp support
* sftp support
* x11 forwarding

Those are priority sorted in my opinion. On top of that, there are a bunch of enhancements in JIRA, but I would not hold on a 1.0.0 release because of those (they are just enhancements). Some of the above already have jira issues. If you fancy helping on any of those, your help would be more than welcome.

On Tue, Sep 25, 2012 at 6:23 PM, John Plocher john.ploc...@gmail.com wrote:

On Tue, Sep 25, 2012 at 12:27 AM, Emmanuel Lécharny elecha...@gmail.com wrote:

Forget about what you read about alpha/beta/GA/whatever on the internet. But, please, asking for an ETA or wondering when we will tag the version as Final is just totally useless.

My apologies, I could have said things better - the question wasn't a defensive one based on a lack of an ETA or whatever (which, I agree, is useless and inappropriate), but one of wonder and curiosity - since it seems that Guillaume acknowledges a gap between where things are now and a mythical point called feature complete, what does that gap look like? What features still need to be invented/designed/coded? Is there a list? Is it large or small?

All these questions lead directly into is there anything on that list that *I* can do? and Hey, I am really interested in this particular one, let me try. But without a list somewhere, my imagination isn't sufficiently fertile to invent my own list :-) Think shared team vision and goals...

-John

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: Is Apache SSHD considered beta software?
Is there any particular feature missing for you?

On Mon, Sep 24, 2012 at 9:29 PM, Wright, Omari omari.wri...@solers.com wrote:

Any ETA on when it will be feature complete?

-Original Message-
From: Guillaume Nodet [mailto:gno...@gmail.com]
Sent: Friday, September 21, 2012 9:06 AM
To: users@mina.apache.org
Subject: Re: Is Apache SSHD considered beta software?

It's used in production, there's no problem about that. The main reason the version is 1 is that it's still not feature complete ...

On Fri, Sep 21, 2012 at 2:34 PM, Wright, Omari omari.wri...@solers.com wrote:

Would Apache SSHD be considered beta software or is it suitable for use in a production environment?

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: Is Apache SSHD considered beta software?
Alpha and beta usually refer to maturity, not features. We don't call it alpha or beta because it's not, though the fact that sshd is not feature complete means that the api may need to change a bit to accommodate new features, hence the 0.x version. Fwiw, missing features are mostly on the client side, and the server does not change much but for bug fixes or minor improvements.

On Tue, Sep 25, 2012 at 12:22 AM, Wright, Omari omari.wri...@solers.com wrote:

Not really, just wondering because we plan to use it in a government environment and technically we cannot use it if it is in beta.

-Original Message-
From: Guillaume Nodet [mailto:gno...@gmail.com]
Sent: Monday, September 24, 2012 5:17 PM
To: users@mina.apache.org
Subject: Re: Is Apache SSHD considered beta software?

Is there any particular feature missing for you?

On Mon, Sep 24, 2012 at 9:29 PM, Wright, Omari omari.wri...@solers.com wrote:

Any ETA on when it will be feature complete?

-Original Message-
From: Guillaume Nodet [mailto:gno...@gmail.com]
Sent: Friday, September 21, 2012 9:06 AM
To: users@mina.apache.org
Subject: Re: Is Apache SSHD considered beta software?

It's used in production, there's no problem about that. The main reason the version is 1 is that it's still not feature complete ...

On Fri, Sep 21, 2012 at 2:34 PM, Wright, Omari omari.wri...@solers.com wrote:

Would Apache SSHD be considered beta software or is it suitable for use in a production environment?

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: SSHD: stopping active shell sessions
I'm not sure I understand which isexited method you're talking about. Are you using the InvertedShellWrapper? That one consumes cpu a bit because it needs to read the streams.

On Sun, Sep 9, 2012 at 3:06 AM, Maarten Smit maartensm...@gmail.com wrote:

It turned out that after the session was closed the isexited function still returned true which caused the session to hang. My apologies, took me quite long to figure out :)

But now I have a second problem, the sshd needs to run on devices with batteries (like laptops) but battery drain increases a lot when someone is connected. It turns out after settings to log point that the isexited call from the shell class is called multiple times per second (a continuous loop) till the isexited returns true. My guess is that's eating a lot of power. Would there maybe be some fix? Would it be safe to add a thread sleep to the isexited function?

Keep up the good work though, it's a great server! So easy to use. Thanks again. Maarten

2012/9/3 Guillaume Nodet gno...@gmail.com

It should not be necessary. Closing the server should close all sessions and shells. I suppose you're using the latest 0.7.0 version. Isn't the Command#destroy() method called?

On Sun, Sep 2, 2012 at 3:01 PM, Maarten Smit maartensm...@gmail.com wrote:

Hello, I have implemented SSHD with my own Shell Factory. Everything works great, however, this doesn't work:
1. A user connects
2. The user is done and closes the session without typing 'exit' first (if the user quits correctly by typing exit through ssh everything works ok)
3. The server is stopped
4. The server is started again: that doesn't work since the port is still in use, probably because there is still a shell session (since if the shell is closed everything works).

I have tried:
- setReuseAddress to true
- using sshd.getActiveSessions() to get all sessions and disconnecting each one

But it still doesn't work.
So my question is, when the server is stopped, how can I get access to each active shell outputstream so I can send the 'exit' command? Thanks! Maarten -- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com -- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: how to display messages at client terminal
session.writePacket is what you need to use in order to send messages to the client. If you use that method, you can't hit the UnsupportedOperationException as the remoteAddress will be null. On Tue, Sep 11, 2012 at 8:05 AM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote: I see writePacket again uses ioSession.write() method internally. Currently in our code with ServerSession.writePacket , we didn't see UnsupportedOperationException as our code doesn't reach up to that step and something goes wrong before that step itself. However, as the ServerSession.writePacket() path is still the same (using ioSession.write() ) , ioSession.write would again throw UnsupportedOperationException for our TransportMetaDataType being not connectionless . Is there any other API apart from ServerSesison.writePacket or IoSesison.write() ? Or any other way ? Thanks, Kanupriya On Fri, Sep 7, 2012 at 6:36 PM, Guillaume Nodet gno...@gmail.com wrote: You should look for informations on keyboard-interactive authentication in SSH. I think that's exactly what you want. I suppose you'll need to implement your own UserAuth implementation. I think messages can be sent by the server using SSH_MSG_USERAUTH_BANNER (for simply displaying a message) and SSH_MSG_USERAUTH_INFO_REQUEST / SSH_MSG_USERAUTH_INFO_RESPONSE for having the server requesting information on the client side. Note that the client side of sshd does not support that yet, but that part could be included as it should be reusable (the server side might be less reusable). On Fri, Sep 7, 2012 at 2:48 PM, Khan, Farooq farooq.k...@emc.com wrote: Let me explain the problem a bit more. Within our MinaServer class we have the following code setPasswordAuthenticator(new PasswordAuthenticator() { public boolean authenticate(String username, String password, ServerSession session) { } } Our PasswordAuthenticator::authenticate() method further delegates the actually authentication task to a custom JAASLoginModule. 
We could have used the Mina provided JaasPasswordAuthenticator, however we had our own class already written years ago so we decided to reuse that.

There is one problem with all this approach: the JAAS Framework depends on Callbacks which are used to prompt the user appropriately. However Mina SSH framework does all prompting in the background and simply provides you with a username and password. We then have to forward this to our JAAS Login Module. This works for most cases, however sometimes our custom authentication system throws up a TextCallBack; there is no way with Mina to achieve this. If you want to prompt the user to choose a Domain Name using a ChoiceCallback this is also not possible with Mina.

Kanupriya was basically trying to use the ServerSession object within the authenticate method to send back a custom message to the user. A message that was being prompted by the TextCallBack. In order to send this message she wrote a method similar to below:

    private void sendMessage(ServerSession serverSession, SshConstants.Message cmd, String msg) {
        Buffer buffer = serverSession.createBuffer(cmd, msg.length());
        buffer.putString(msg);
        log.info("Buffer created now");
        try {
            log.info("writing message now");
            WriteFuture writeFuture = serverSession.writePacket(buffer);
            log.info("message is written now waiting");
            // Wait until the message is completely written out to the O/S buffer.
            writeFuture.awaitUninterruptibly();
            Thread.sleep(1);
            log.info("waiting and sleeping done");
        } catch (Exception ioe) {
            ioe.printStackTrace();
        }
    }

For the SshConstants.Message she tried the following:

    SshConstants.Message.SSH_MSG_DEBUG
    SshConstants.Message.SSH_MSG_USERAUTH_FAILURE

But none of these reach the user. I think there is a workaround to this entire stuff but I was hoping we avoided that; it would be quite a bit of coding to do that.

1. Somehow disable authentication the way it is expected.
2. Once the user's session is established use the JAAS Login Module we have.
We have full control on what to prompt the user with and how many prompts to do . We have a use case to inform user that the password will expire shortly would the user like to change it. Or if it's a first time login force the user to reset his password 3. On failure somehow send back a SshConstants.Message.SSH_MSG_USERAUTH_FAILURE Any better ideas? Thanks Farooq -Original Message- From: Kanupriya Dadariya [mailto:kanupriya.dadar...@gmail.com] Sent: Thursday, September 06, 2012 7:56 PM To: users@mina.apache.org Subject: Re: how to display messages at client terminal Would like to know if there a proper way to communicate with the terminal before
Re: how to display messages at client terminal
You should look for informations on keyboard-interactive authentication in SSH. I think that's exactly what you want. I suppose you'll need to implement your own UserAuth implementation. I think messages can be sent by the server using SSH_MSG_USERAUTH_BANNER (for simply displaying a message) and SSH_MSG_USERAUTH_INFO_REQUEST / SSH_MSG_USERAUTH_INFO_RESPONSE for having the server requesting information on the client side. Note that the client side of sshd does not support that yet, but that part could be included as it should be reusable (the server side might be less reusable). On Fri, Sep 7, 2012 at 2:48 PM, Khan, Farooq farooq.k...@emc.com wrote: Let me explain the problem a bit more. Within our MinaServer class we have the following code setPasswordAuthenticator(new PasswordAuthenticator() { public boolean authenticate(String username, String password, ServerSession session) { } } Our PasswordAuthenticator::authenticate() method further delegates the actually authentication task to a custom JAASLoginModule. We could have used the Mina provided JaasPasswordAuthenticator however we had our own class already written years ago so we decided to reuse that. There is one problem with all this approach the JAAS Framework depends on Callbacks which are used to prompt the user appropriately. However Mina SSH framework does all prompting in the background and simply provides you with a username and password. We then have to forward this to our JAAS Login Module. This works for most cases however sometimes our custom authentication system throws up a TextCallBack there is no way with Mina to achieve this. If you want to prompt the user to choose a Domain Name using a ChoiceCallback this is also not possible with Mina. Kanupriya was basically trying to use the ServerSession object within the authenticate method to send back a custom message to the user. 
A message that was being prompted by the TextCallBack. In order to send this message she wrote a method similar to below:

    private void sendMessage(ServerSession serverSession, SshConstants.Message cmd, String msg) {
        Buffer buffer = serverSession.createBuffer(cmd, msg.length());
        buffer.putString(msg);
        log.info("Buffer created now");
        try {
            log.info("writing message now");
            WriteFuture writeFuture = serverSession.writePacket(buffer);
            log.info("message is written now waiting");
            // Wait until the message is completely written out to the O/S buffer.
            writeFuture.awaitUninterruptibly();
            Thread.sleep(1);
            log.info("waiting and sleeping done");
        } catch (Exception ioe) {
            ioe.printStackTrace();
        }
    }

For the SshConstants.Message she tried the following:

    SshConstants.Message.SSH_MSG_DEBUG
    SshConstants.Message.SSH_MSG_USERAUTH_FAILURE

But none of these reach the user. I think there is a workaround to this entire stuff but I was hoping we avoided that; it would be quite a bit of coding to do that.

1. Somehow disable authentication the way it is expected.
2. Once the user's session is established use the JAAS Login Module we have. We have full control on what to prompt the user with and how many prompts to do. We have a use case to inform user that the password will expire shortly would the user like to change it. Or if it's a first time login force the user to reset his password
3. On failure somehow send back a SshConstants.Message.SSH_MSG_USERAUTH_FAILURE

Any better ideas? Thanks Farooq

-Original Message-
From: Kanupriya Dadariya [mailto:kanupriya.dadar...@gmail.com]
Sent: Thursday, September 06, 2012 7:56 PM
To: users@mina.apache.org
Subject: Re: how to display messages at client terminal

Would like to know if there a proper way to communicate with the terminal before the session actually starts.

On Wed, Sep 5, 2012 at 7:47 PM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote:

Hi, The requirement is not just display the message but also prompt for user input.
For ex: If when the prompt to change the password comes from the Authentication service. I think , we should be using SSH_MSG_USERAUTH_FAILURE in this case. However, that doesn't help and I see the writeStatus as false without any exception. On Wed, Sep 5, 2012 at 12:50 PM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote: Thanks for the response . Will check with this. On Tue, Sep 4, 2012 at 7:09 PM, Guillaume Nodet gno...@gmail.com wrote: There is the SSH_MSG_DEBUG message though which is logged by the client/server upon reception. On Fri, Aug 31, 2012 at 3:42 PM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote: Hi, I am using Apache Mina sshd . Do not have my own encoder/decoder. Need to display the message to client terminal during authentication . Probably making some obvious mistake , Can somebody please help me
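The packet layouts behind the keyboard-interactive suggestion in the message above, as an added example that is not part of the original messages and is not MINA SSHD code: it encodes SSH_MSG_USERAUTH_BANNER (RFC 4252) and SSH_MSG_USERAUTH_INFO_REQUEST, and strictly parses SSH_MSG_USERAUTH_INFO_RESPONSE (RFC 4256), using only the JDK. The class name, the size limits and the sample prompts are assumptions; handing the payload to the transport is left to the SSH library.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class KeyboardInteractiveWire {
    // Added example, not MINA SSHD code. Numbers: RFC 4252 (banner), RFC 4256 (info).
    static final int SSH_MSG_USERAUTH_BANNER = 53;
    static final int SSH_MSG_USERAUTH_INFO_REQUEST = 60;
    static final int SSH_MSG_USERAUTH_INFO_RESPONSE = 61;
    static final int MAX_RESPONSES = 16;  // assumed limits: the peer is unauthenticated,
    static final int MAX_STRING = 4096;   // so bound what it can make the server allocate

    // SSH "string": uint32 big-endian length followed by the bytes.
    static void putString(DataOutputStream out, String s) throws IOException {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        out.writeInt(b.length);
        out.write(b);
    }
    static void check(boolean ok, String why) {
        if (!ok) throw new IllegalArgumentException(why);
    }

    // Text the client displays during authentication; no reply is expected.
    static byte[] banner(String message) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeByte(SSH_MSG_USERAUTH_BANNER);
        putString(out, message);
        putString(out, "");               // language tag
        return bos.toByteArray();
    }

    // Prompts the client must answer; echo[i] == false hides the typed input.
    static byte[] infoRequest(String name, String instruction, String[] prompts, boolean[] echo)
            throws IOException {
        check(prompts.length == echo.length, "one echo flag per prompt");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeByte(SSH_MSG_USERAUTH_INFO_REQUEST);
        putString(out, name);
        putString(out, instruction);
        putString(out, "");               // language tag
        out.writeInt(prompts.length);
        for (int i = 0; i < prompts.length; i++) {
            putString(out, prompts[i]);
            out.writeBoolean(echo[i]);    // SSH boolean: one byte, 0 or 1
        }
        return bos.toByteArray();
    }

    // Server side: accept only a well-formed reply with exactly one answer per prompt.
    static List<String> parseInfoResponse(byte[] payload, int expected) {
        check(payload.length >= 5, "truncated packet");
        ByteBuffer in = ByteBuffer.wrap(payload);   // big-endian by default
        check((in.get() & 0xff) == SSH_MSG_USERAUTH_INFO_RESPONSE, "not an INFO_RESPONSE");
        int n = in.getInt();
        check(n == expected && n <= MAX_RESPONSES, "unexpected response count");
        List<String> answers = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            check(in.remaining() >= 4, "truncated packet");
            int len = in.getInt();
            check(len >= 0 && len <= MAX_STRING && len <= in.remaining(), "bad string length");
            byte[] b = new byte[len];
            in.get(b);
            answers.add(new String(b, StandardCharsets.UTF_8));
        }
        check(!in.hasRemaining(), "trailing bytes");
        return answers;
    }

    public static void main(String[] args) throws IOException {
        byte[] req = infoRequest("Password change", "Choose a new password",
                new String[] {"New password: ", "Retype: "}, new boolean[] {false, false});
        byte[] a = "constructed-answer".getBytes(StandardCharsets.UTF_8); // constructed reply
        ByteBuffer reply = ByteBuffer.allocate(5 + 2 * (4 + a.length));
        reply.put((byte) SSH_MSG_USERAUTH_INFO_RESPONSE).putInt(2);
        reply.putInt(a.length).put(a).putInt(a.length).put(a);
        System.out.println(req.length + " " + parseInfoResponse(reply.array(), 2).size());
    }
}
```

The parser runs before the user is authenticated, so it rejects a response count that differs from the number of prompts sent, oversized strings and trailing bytes instead of trusting the lengths the client supplies.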
Re: how to display messages at client terminal
Not in a standard way I think, but if you control both the server and client, you can hack the protocol. Have you seen such a thing with a real ssh client ? If so, the debug output would help understand how that's done. On Thu, Sep 6, 2012 at 4:26 PM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote: Would like to know if there a proper way to communicate with the terminal before the session actually starts. On Wed, Sep 5, 2012 at 7:47 PM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote: Hi, The requirement is not just display the message but also prompt for user input. For ex: If when the prompt to change the password comes from the Authentication service. I think , we should be using SSH_MSG_USERAUTH_FAILURE in this case. However, that doesn't help and I see the writeStatus as false without any exception. On Wed, Sep 5, 2012 at 12:50 PM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote: Thanks for the response . Will check with this. On Tue, Sep 4, 2012 at 7:09 PM, Guillaume Nodet gno...@gmail.com wrote: There is the SSH_MSG_DEBUG message though which is logged by the client/server upon reception. On Fri, Aug 31, 2012 at 3:42 PM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote: Hi, I am using Apache Mina sshd . Do not have my own encoder/decoder. Need to display the message to client terminal during authentication . Probably making some obvious mistake , Can somebody please help me out ? Here is the code snippet : I get the writeStatus as false always and don't get the message displayed . 
    IoBuffer buffer = IoBuffer.allocate(1024, true);
    buffer.setAutoExpand(true);
    try {
        buffer.putString(small, Charset.forName("UTF-8").newEncoder());
    } catch (CharacterCodingException e) {
    }
    WriteFuture future = ioSession.write(buffer, ioSession.getRemoteAddress());
    IoFutureListener iof = new MinaIOFutureListener();
    future.addListener(iof);
    if (future.isWritten()) {
        writeStatus = true;
    } else {
        writeStatus = false;
    }
    future.removeListener(iof);

Appreciate any help.

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: how to display messages at client terminal
There is the SSH_MSG_DEBUG message though which is logged by the client/server upon reception.

On Fri, Aug 31, 2012 at 3:42 PM, Kanupriya Dadariya kanupriya.dadar...@gmail.com wrote:

Hi, I am using Apache Mina sshd. Do not have my own encoder/decoder. Need to display the message to client terminal during authentication. Probably making some obvious mistake, can somebody please help me out? Here is the code snippet: I get the writeStatus as false always and don't get the message displayed.

    IoBuffer buffer = IoBuffer.allocate(1024, true);
    buffer.setAutoExpand(true);
    try {
        buffer.putString(small, Charset.forName("UTF-8").newEncoder());
    } catch (CharacterCodingException e) {
    }
    WriteFuture future = ioSession.write(buffer, ioSession.getRemoteAddress());
    IoFutureListener iof = new MinaIOFutureListener();
    future.addListener(iof);
    if (future.isWritten()) {
        writeStatus = true;
    } else {
        writeStatus = false;
    }
    future.removeListener(iof);

Appreciate any help.

-- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com
Re: SSHD: stopping active shell sessions
It should not be necessary. Closing the server should close all sessions and shells. I suppose you're using the latest 0.7.0 version. Isn't the Command#destroy() method called ? On Sun, Sep 2, 2012 at 3:01 PM, Maarten Smit maartensm...@gmail.com wrote: Hello, I have implemented SSHD with my own Shell Factory. Everything works great, however, this doesn't work: 1. A user connects 2. The user is done and closes the session without typing 'exit' first (if the user quits correctly by typing exit through ssh everything works ok) 3. The server is stopped 4. The server is started again: that doesn't work since the port is still in use, probably because there is still a shell session (since if the shell is closed everything works). I have tried: - setReuseAddress to true - using sshd.getActiveSessions() to get all sessions and disconnecting each one But it still doesn't work. So my question is, when the server is stopped, how can I get access to each active shell outputstream so I can send the 'exit' command? Thanks! Maarten -- Guillaume Nodet Blog: http://gnodet.blogspot.com/ FuseSource, Integration everywhere http://fusesource.com