From 63a87b398ff67584069ab8cf6a17824f009a7102 Mon Sep 17 00:00:00 2001
From: Thomas Wolf
Date: Wed, 3 Oct 2018 08:27:40 +0200
Subject: [PATCH] Apache MINA sshd client: respect NumberOfPasswordPrompts

Set the internal property on the session as defined in the ssh config. Note that NumberOfPasswordPrompts in openssh applies independently to both user logins in keyboard-interactive authentication _and_ to passphrases for identity files (encrypted keys). Apache MINA sshd uses the setting only for keyboard-interactive authentication, but not for identity file passphrase prompts. For identity files, it asks exactly once. This has been reported as issue SSHD-850 upstream.[1]
[1] https://issues.apache.org/jira/browse/SSHD-850
Bug: 520927
Change-Id: I390ffe9e1c52b96d3e8e28fd8edbdc73dde9edb4
Signed-off-by: Thomas Wolf
---
 .../transport/sshd/SshdText.properties | 1 +
 .../transport/sshd/JGitSshClient.java | 21 +++++++++++++++++++
 .../internal/transport/sshd/SshdText.java | 1 +
 3 files changed, 23 insertions(+)
diff --git a/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties b/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
index 963e3d95f..0dc8ecc9a 100644
--- a/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
+++ b/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
@@ -1,6 +1,7 @@
 authenticationCanceled=Authentication canceled: no password
 closeListenerFailed=Ssh session close listener failed
 configInvalidPath=Invalid path in ssh config key {0}: {1}
+configInvalidPositive=Ssh config entry {0} must be a strictly positive number but is ''{1}''
 ftpCloseFailed=Closing the SFTP channel failed
 gssapiFailure=GSS-API error for mechanism OID {0}
 gssapiInitFailure=GSS-API initialization failure for mechanism {0}
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
index 2d8a6361c..36e448623 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
@@ -43,6 +43,7 @@ package org.eclipse.jgit.internal.transport.sshd;
 import static java.text.MessageFormat.format;
+import static org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile.positive;
 import java.io.IOException;
 import java.net.InetSocketAddress;
@@ -183,6 +184,9 @@ public class JGitSshClient extends SshClient {
 if (session.getCredentialsProvider() == null) {
 session.setCredentialsProvider(getCredentialsProvider());
 }
+ int numberOfPasswordPrompts = getNumberOfPasswordPrompts(hostConfig);
+ session.getProperties().put(PASSWORD_PROMPTS,
+ Integer.valueOf(numberOfPasswordPrompts));
 FileKeyPairProvider ourConfiguredKeysProvider = null;
 List identities = hostConfig.getIdentities().stream()
 .map(s -> {
@@ -213,6 +217,23 @@ public class JGitSshClient extends SshClient {
 return session;
 }
+ private int getNumberOfPasswordPrompts(HostConfigEntry hostConfig) {
+ String prompts = hostConfig
+ .getProperty(SshConstants.NUMBER_OF_PASSWORD_PROMPTS);
+ if (prompts != null) {
+ prompts = prompts.trim();
+ int value = positive(prompts);
+ if (value > 0) {
+ return value;
+ }
+ log.warn(format(SshdText.get().configInvalidPositive,
+ SshConstants.NUMBER_OF_PASSWORD_PROMPTS, prompts));
+ }
+ // Default for NumberOfPasswordPrompts according to
+ // https://man.openbsd.org/ssh_config
+ return 3;
+ }
+
 /**
 * Set a cache for loaded keys. Newly discovered keys will be added when
 * IdentityFile host entries from the ssh config file are used during
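Review bot: The `session.getProperties().put(PASSWORD_PROMPTS, ...)` call in the second hunk runs for every session, even when the host entry has no NumberOfPasswordPrompts, because the helper then returns the hard-coded default 3. If the session's property lookup otherwise falls back to values configured on the client (not visible in this hunk), a PASSWORD_PROMPTS value set programmatically there would be silently masked by this write. Consider writing the property only when the ssh config supplies a valid value, or state the intent with a comment such as `// ssh config (or its OpenSSH default) deliberately overrides any client-level setting`. The enclosing method starts and ends outside the hunk.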
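Review bot: The new `getNumberOfPasswordPrompts` helper in the third hunk has no Javadoc, and the limitation described in the commit message (the value governs keyboard-interactive prompts only, not identity-file passphrases, per SSHD-850) is not recorded in the code. I would add a short Javadoc saying that it returns the host's configured NumberOfPasswordPrompts, falls back to 3 with a warning when the value is not a strictly positive number, and that passphrase prompts are unaffected until SSHD-850 is resolved. The literal `3` would read better as a named constant, e.g. `private static final int DEFAULT_NUMBER_OF_PASSWORD_PROMPTS = 3;`. The helper also places no upper bound on the value, so a very large setting is passed through unchanged. Whether repeated attempts could then run into server-side lockout or rate limiting depends on how the sshd side uses the property, which the hunk does not show.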
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java
index 75f884236..865a8ebaa 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java
@@ -21,6 +21,7 @@ public final class SshdText extends TranslationBundle {
 /***/ public String authenticationCanceled;
 /***/ public String closeListenerFailed;
 /***/ public String configInvalidPath;
+ /***/ public String configInvalidPositive;
 /***/ public String ftpCloseFailed;
 /***/ public String gssapiFailure;
 /***/ public String gssapiInitFailure;