Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Retry partial authentication with all remaining auth methods (Fixes #812) #820

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

hierynomus
Copy link
Owner

No description provided.

Signed-off-by: Jeroen van Erp <[email protected]>
@codecov-commenter
Copy link

codecov-commenter commented Sep 24, 2022

Codecov Report

Merging #820 (d7dd73b) into master (6e7fb96) will decrease coverage by 0.01%.
The diff coverage is 59.09%.

@@             Coverage Diff              @@
##             master     #820      +/-   ##
============================================
- Coverage     64.84%   64.83%   -0.02%     
- Complexity     1467     1468       +1     
============================================
  Files           210      211       +1     
  Lines          8537     8553      +16     
  Branches        781      785       +4     
============================================
+ Hits           5536     5545       +9     
- Misses         2592     2597       +5     
- Partials        409      411       +2     
Impacted Files Coverage Δ
src/main/java/net/schmizz/sshj/SSHClient.java 58.60% <50.00%> (-1.06%) ⬇️
...n/java/net/schmizz/sshj/userauth/UserAuthImpl.java 77.19% <50.00%> (-4.63%) ⬇️
...ain/java/net/schmizz/sshj/userauth/AuthResult.java 100.00% <100.00%> (ø)
.../main/java/net/schmizz/sshj/sftp/PacketReader.java 95.74% <0.00%> (+4.25%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

} else if (result == AuthResult.PARTIAL) {
// Put all remaining methods in the tried list, so that we can try them for the second round of authentication
while (it.hasNext()) {
tried.add(it.next());
Copy link
Contributor

@vladimirlagunov vladimirlagunov Sep 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suppose there are three keys loaded on the client: A, B, C. Also, suppose that the server knows only keys B and C, and requires both keys to be provided by the client. (-o AuthenticationMethods=publickey,publickey)

If I understand this code correctly, the authentication flow would work like this:

  • SSHJ sends the public key A.
  • The server responds "failure".
  • SSHJ adds the public key A to tried.
  • SSHJ sends public key B.
  • The server responds "partial".
  • SSHJ adds the last public key C to tried and invokes authentication recursively.
  • SSHJ sends public key A again. It's definitely known that the server doesn't accept this key, because it already refused it.
  • The server expectedly responds "failure".
  • SSHJ sends the public key C.
  • The server responds "success".

It becomes a severe problem for users who have dozens of keys, mostly coming from SSH agent. Also, it becomes a problem with paranoidal servers that have a small MaxAuthTries.

Instead, OpenSSH has a special workaround for public keys. It takes the keys from a round-robin collection, so definitely unacceptable keys are not re-sent again and again.

@vladimirlagunov
Copy link
Contributor

I can backport some of our changes with plenty of tests, though they're in Kotlin, which would require time for complete rewriting to Java.

@jamespowenjr
Copy link

Sorry for taking so long to get to this. I tested this branch with nifi and unfortunately I still get the same error of "net.schmizz.sshj.userauth.UserAuthException: Exhausted available authentication methods" when the order is backwards from how the AuthMethods are added to the client.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants