10 Commits (097f01bfb65dd8f7b3d562bbd1713ecf4be5675e)
Author | SHA1 | Message | Date |
---|---|---|---|
Matthias Sohn | 8d2d683655 |
Decouple JSch from JGit Core
Motivation: JSch serves as 'default' implementations of the SSH transport. If a client application does not use it then there is no need to pull in this dependency. Move the classes depending on JSch to an OSGi fragment extending the org.eclipse.jgit bundle and keep them in the same package as before since moving them to another package would break API. Defer moving them to a separate package to the next major release. Add a new feature org.eclipse.jgit.ssh.jsch feature to enable installation. With that users can now decide which of the ssh client integrations (JCraft JSch or Apache Mina SSHD) they want to install. We will remove the JCraft JSch integration in a later step due to the reasons discussed in bug 520927. Bug: 553625 Change-Id: I5979c8a9dbbe878a2e8ac0fbfde7230059d74dc2 Also-by: Michael Dardis <git@md-5.net> Signed-off-by: Michael Dardis <git@md-5.net> Signed-off-by: Matthias Sohn <matthias.sohn@sap.com> Signed-off-by: David Ostrovsky <david@ostrovsky.org> |
5 years ago |
Thomas Wolf | b8a514fdcb |
sshd: correct the protocol version exchange
RFC 4253 section 4.2 allows an ssh server to send additional lines before its server identification string. Apache MINA sshd enforces for these lines the constraints specified for the server identification line, too: no NUL characters and not longer than 255 characters. That is too strict. RFC 4253 doesn't mandate this, and it also doesn't make sense given the rationale for these lines in RFC 4253: a TCP wrapper may not be aware of SSH restrictions, and may not adhere to these constraints. Be more lenient when parsing the server's protocol version. Allow NULs and longer lines in the preamble, and also handle line endings more leniently. Only enforce the restrictions for the actual server identification line. Bug: 545939 Change-Id: I75955e9d8a8daef7c04fc0f39539c2ee93514e1c Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
5 years ago |
Thomas Wolf | 5663b67575 |
Apache MINA sshd client: less aggressive key file name caching
Don't use the ~/.ssh directory as cache key for the key provider but the configured paths of the default keys. Otherwise changes in that list of paths are not picked up. This is in particular a problem for EGit, where the user can modify this list of keys interactively in the preferences. Without this change, Eclipse needs to be restarted to pick up such changes. Bug: 542845 Change-Id: I63432fb10729a90b3c5e14f13e39bf482aef811b Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
6 years ago |
Thomas Wolf | 00b235f0b8 |
Apache MINA sshd client: test & fix password authentication
Add tests for password and keyboard-interactive authentication. Implement password authentication; the default provided by sshd is non-interactive, which is not useful for JGit. Make sure the CredentialsProvider gets reset on successive password retrieval attempts. Otherwise it might always return the same non-accepted password from a secure storage. (That one was discovered by actually trying this via EGit; the JGit tests don't catch this.) Change the default order of authentication mechanisms to prefer password over keyboard-interactive. This is a mitigation for upstream bug SSHD-866.[1] Also include a fix for upstream bug SSHD-867.[2] [1] https://issues.apache.org/jira/projects/SSHD/issues/SSHD-866 [2] https://issues.apache.org/jira/projects/SSHD/issues/SSHD-867 Bug: 520927 Change-Id: I423e548f06d3b51531016cf08938c8bd7acaa2a9 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
6 years ago |
Thomas Wolf | 6c14d273fa |
Apache MINA sshd client: proxy support
This is not about the ssh config ProxyCommand but about programmatic support for HTTP and SOCKS5 proxies. Eclipse allows the user to specify such proxies, and JSch at least contains code to connect through proxies. So our Apache MINA sshd client also should be able to do this. Add interfaces and provide two implementations for HTTP and SOCKS5 proxies. Adapt the core code to be able to deal with proxy connections at all. The built-in client-side support for this in sshd 2.0.0 is woefully inadequate. Tested manually by running proxies and then fetching various real-world repositories via these proxies from different servers. Proxies tested: ssh -D (SOCKS, anonymous), tinyproxy (HTTP, anonymous), and 3proxy (SOCKS & HTTP, username-password authentication). The GSS-API authentication is untested since I have no Kerberos setup. Bug: 520927 Change-Id: I1a5c34687d439b3ef8373c5d58e24004f93e63ae Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
6 years ago |
Thomas Wolf | c56fa51709 |
Apache MINA sshd: use NumberOfPasswordPrompts for encrypted keys
sshd only asks exactly once for the password. Cf. upstream issue SSHD-850.[1] So we have to work around this limitation for now. Once we move to sshd > 2.1.0, this can be simplified somewhat. [1] https://issues.apache.org/jira/browse/SSHD-850 Bug: 520927 Change-Id: Id65650228486c5ed30affa9c62eac982e01ae207 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
6 years ago |
Thomas Wolf | ec1116627f |
Apache MINA sshd client: properly handle HostKeyAlgorithms config
By default sshd will use its default built-in list, which matches the one of openssh (as far as the algorithms exist in sshd at all). But it doesn't handle HostKeyAlgorithms from the ssh config at all. Implement this as in openssh, including the '+' and '-' modifiers and reordering the default if there are known host keys for a server already. Add tests for the reordering. Also use a more robust reader for the known hosts file. The default aborts on the first error. Bug: 520927 Change-Id: Ib1684440bfe2e96140536aa1a93c4bd4a0d35916 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
6 years ago |
Thomas Wolf | 63a87b398f |
Apache MINA sshd client: respect NumberOfPasswordPrompts
Set the internal property on the session as defined in the ssh config. Note that NumberOfPasswordPrompts in openssh applies independently to both user logins in keyboard-interactive authentication _and_ to passphrases for identity files (encrypted keys). Apache MINA sshd uses the setting only for keyboard-interactive authentication, but not for identity file passphrase prompts. For identity files, it asks exactly once. This has been reported as issue SSHD-850 upstream.[1] [1] https://issues.apache.org/jira/browse/SSHD-850 Bug: 520927 Change-Id: I390ffe9e1c52b96d3e8e28fd8edbdc73dde9edb4 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
6 years ago |
Thomas Wolf | 8001f4c1fe |
Apache MINA sshd client: add gssapi-with-mic authentication
sshd does support gssapi-with-mic on the server side, but has no built-in client-side support for this authentication mechanism. Add our own implementation for it, following RFC 4462.[1] To avoid needlessly re-trying mechanisms that aren't even configured on the client, we disable mechanisms that fail on the very first attempt to use them. Since we have no real Kerberos5 test setup, this cannot be fully tested in CI. The disabling of the authentication mechanism and that it is skipped when not successful _is_ tested. [1] https://www.ietf.org/rfc/rfc4462.txt Bug: 520927 Change-Id: I5d0cdb14103588a57c52f927df541b589ab88d88 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
6 years ago |
Thomas Wolf | 488d95571f |
Apache MINA sshd client
Add a new ssh client implementation based on Apache MINA sshd 2.0.0. This implementation uses JGit's own config file parser and host entry resolver. Code inspection of the Apache MINA implementation revealed a few bugs or idiosyncrasies that immediately would re-introduce bugs already fixed in the past in JGit. Apache MINA sshd is not without quirks either, and I had to configure and override more than I had expected. But at least it was all doable in clean ways. Apache MINA boasts support for Bouncy Castle, so in theory this should open the way to using more ssh key algorithms, such as ed25519. The implementation is in a separate bundle and is still not used in the core org.eclipse.jgit bundle. The tests re-use the ssh tests from the core test bundle. Bug: 520927 Change-Id: Ib35e73c35799140fe050d1ff4fb18d0d3596580e Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> |
6 years ago |