Apache MINA sshd client: respect NumberOfPasswordPrompts

Set the internal property on the session as defined in the ssh config. Note that NumberOfPasswordPrompts in openssh applies independently to both user logins in keyboard-interactive authentication _and_ to passphrases for identity files (encrypted keys). Apache MINA sshd uses the setting only for keyboard-interactive authentication, but not for identity file passphrase prompts. For identity files, it asks exactly once. This has been reported as issue SSHD-850 upstream.[1] [1] https://issues.apache.org/jira/browse/SSHD-850 Bug: 520927 Change-Id: I390ffe9e1c52b96d3e8e28fd8edbdc73dde9edb4 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
6 years ago · 63a87b398f
3 changed files with 23 additions and 0 deletions
--- a/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
+++ b/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
@ -1,6 +1,7 @@
 authenticationCanceled=Authentication canceled: no password
 closeListenerFailed=Ssh session close listener failed
 configInvalidPath=Invalid path in ssh config key {0}: {1}
+configInvalidPositive=Ssh config entry {0} must be a strictly positive number but is ''{1}''
 ftpCloseFailed=Closing the SFTP channel failed
 gssapiFailure=GSS-API error for mechanism OID {0}
 gssapiInitFailure=GSS-API initialization failure for mechanism {0}
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
@ -43,6 +43,7 @@
 package org.eclipse.jgit.internal.transport.sshd;

 import static java.text.MessageFormat.format;
+import static org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile.positive;

 import java.io.IOException;
 import java.net.InetSocketAddress;
@ -183,6 +184,9 @@ public class JGitSshClient extends SshClient {
 		if (session.getCredentialsProvider() == null) {
 			session.setCredentialsProvider(getCredentialsProvider());
 		}
+		int numberOfPasswordPrompts = getNumberOfPasswordPrompts(hostConfig);
+		session.getProperties().put(PASSWORD_PROMPTS,
+				Integer.valueOf(numberOfPasswordPrompts));
 		FileKeyPairProvider ourConfiguredKeysProvider = null;
 		List<Path> identities = hostConfig.getIdentities().stream()
 				.map(s -> {
@ -213,6 +217,23 @@ public class JGitSshClient extends SshClient {
 		return session;
 	}

+	private int getNumberOfPasswordPrompts(HostConfigEntry hostConfig) {
+		String prompts = hostConfig
+				.getProperty(SshConstants.NUMBER_OF_PASSWORD_PROMPTS);
+		if (prompts != null) {
+			prompts = prompts.trim();
+			int value = positive(prompts);
+			if (value > 0) {
+				return value;
+			}
+			log.warn(format(SshdText.get().configInvalidPositive,
+					SshConstants.NUMBER_OF_PASSWORD_PROMPTS, prompts));
+		}
+		// Default for NumberOfPasswordPrompts according to
+		// https://man.openbsd.org/ssh_config
+		return 3;
+	}
+
 	/**
 	 * Set a cache for loaded keys. Newly discovered keys will be added when
 	 * IdentityFile host entries from the ssh config file are used during
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java
@ -21,6 +21,7 @@ public final class SshdText extends TranslationBundle {
 	/***/ public String authenticationCanceled;
 	/***/ public String closeListenerFailed;
 	/***/ public String configInvalidPath;
+	/***/ public String configInvalidPositive;
 	/***/ public String ftpCloseFailed;
 	/***/ public String gssapiFailure;
 	/***/ public String gssapiInitFailure;