Google Git
Sign in
gerrit / jgit / db4f7dffb78113a6ba7bea35f7a27b6260e31646^! / .
commitdb4f7dffb78113a6ba7bea35f7a27b6260e31646[log] [tgz]
authorThomas Wolf <thomas.wolf@paranor.ch>Thu Jun 23 12:14:37 2022 +0200
committerThomas Wolf <thomas.wolf@paranor.ch>Thu Jun 23 12:14:37 2022 +0200
treebd23122b723974a53b7cf28f0cc557ff61db1052
parent0c32889ebcc61845765514fee56d6641bd91b542 [diff]
[sshd] Correct signature for RSA keys from an SSH agent

Ensure that there is always a list of signature factories in public key
authentication. For keys loaded directly, Apache MINA sshd will use the
(always set) list from the SSH session by default, but for keys from an
SSH agent it won't and instead consider the list set locally on the
UserAuthPublicKey instance. Only that one is null by default, and then
Apache MINA sshd just uses the key type as signature type. Which for
RSA keys from an agent is the "ssh-rsa" signature, i.e., the deprecated
SHA1 signature.

Fix this by explicitly propagating the list from the session to the
UserAuthPublicKey instance if not set already.

Upstream issue is SSHD-1272.[1]

[1] https://issues.apache.org/jira/browse/SSHD-1272

Bug: 580073
Change-Id: Id7a783f19d06c9e7c8494b1fbf7465d392ffc366
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
index 96da0cc..e1036c6 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
+ * Copyright (C) 2018, 2022 Thomas Wolf <thomas.wolf@paranor.ch> and others
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0 which is available at
@@ -99,13 +99,18 @@
 					log.debug(PUBKEY_ACCEPTED_ALGORITHMS + ' ' + signatures);
 				}
 				setSignatureFactoriesNames(signatures);
-			} else {
-				log.warn(format(SshdText.get().configNoKnownAlgorithms,
-						PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos));
+				super.init(session, service);
+				return;
 			}
+			log.warn(format(SshdText.get().configNoKnownAlgorithms,
+					PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos));
 		}
-		// If we don't set signature factories here, the default ones from the
-		// session will be used.
+		// TODO: remove this once we're on an sshd version that has SSHD-1272
+		// fixed
+		List<NamedFactory<Signature>> localFactories = getSignatureFactories();
+		if (localFactories == null || localFactories.isEmpty()) {
+			setSignatureFactoriesNames(session.getSignatureFactoriesNames());
+		}
 		super.init(session, service);
 	}