mina-dev mailing list archives

From "Guillaume Nodet (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SSHD-300) Double public key authentication
Date Sat, 15 Mar 2014 10:29:43 GMT

[ https://issues.apache.org/jira/browse/SSHD-300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13936121#comment-13936121 ]

Guillaume Nodet commented on SSHD-300:
--------------------------------------

The reason for this behavior is that the OpenSSH client sends two requests, one without a key
signature to verify that the public key is acceptable and the second one with the signature
after having loaded the private key and signed some data for actual verification.
It should be possible to add a caching layer in UserAuthPublicKey so that the result of
PublickeyAuthenticator#authenticate is cached for a given public key, though I'm not sure
this is a good idea to do that always from a security point of view (caching is usually a
bad idea in security afaik).

> Double public key authentication
> --------------------------------
>
>                 Key: SSHD-300
>                 URL: https://issues.apache.org/jira/browse/SSHD-300
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 0.10.1
>            Reporter: David Ostrovsky
>            Priority: Minor
>         Attachments: 0001-Add-single-public-key-auth-unit-test.patch
>
>
> The PublickeyAuthenticator.authenticate() method is called twice, even though the first call
> of this method already authenticated the user and returned true.
> This is a performance issue, as the server may need to hit a database/caches to retrieve the
> list of public key(s) for the user to perform the check against.
> Or the authenticate() implementation needs to be adjusted to perform the check that the
> user was already authenticated.
> Reproducer patch is attached. The problem only occurs when the test is called from the OpenSSH
> client. SSHD's own client works as expected.
> To reproduce, start the attached unit test as a Java application, and issue the command:
>   ssh localhost -p 29418 -l joe
> [1] https://gerrit-review.googlesource.com/55193
>



--
This message was sent by Atlassian JIRA
(v6.2#6252)
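The two-request flow described in the comment, together with the cache it proposes, as an added example that is not code from MINA SSHD or from either participant. The KeyAuthenticator interface, the backend, the session object and the signed data are all assumed stand-ins for the page's PublickeyAuthenticator, ServerSession and the real RFC 4252 message framing; the message names SSH_MSG_USERAUTH_PK_OK, SSH_MSG_USERAUTH_FAILURE and SSH_MSG_USERAUTH_SUCCESS are the RFC 4252 ones. The cache answers the security concern raised in the comment by scoping each decision to one session and one (username, key) pair, so a positive answer only carries from the unsigned query to the signed request of the same connection, and the signature is still verified on the second request.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.WeakHashMap;

// Added example, not MINA SSHD code. KeyAuthenticator is an assumed stand-in for the
// page's PublickeyAuthenticator: (username, public key, session) -> accept or reject.
interface KeyAuthenticator {
    boolean authenticate(String username, PublicKey key, Object session);
}

/** Backend that "hits the database"; counts lookups so the effect of caching is visible. */
final class AuthorizedKeysBackend implements KeyAuthenticator {
    final Map<String, PublicKey> authorizedKeys = new HashMap<>();
    int lookups = 0;

    public boolean authenticate(String username, PublicKey key, Object session) {
        lookups++;
        PublicKey allowed = authorizedKeys.get(username);
        return allowed != null && allowed.equals(key);
    }
}

/**
 * Remembers the backend decision per (session, username, key). Keying on the session object
 * (weakly, so entries vanish with the connection) means a decision never carries across
 * connections; keying on the exact key prevents one accepted key from vouching for another.
 */
final class SessionScopedCachingAuthenticator implements KeyAuthenticator {
    private final KeyAuthenticator delegate;
    private final Map<Object, Map<String, Boolean>> perSession = new WeakHashMap<>();

    SessionScopedCachingAuthenticator(KeyAuthenticator delegate) { this.delegate = delegate; }

    public synchronized boolean authenticate(String username, PublicKey key, Object session) {
        String id = username + "\0" + Base64.getEncoder().encodeToString(key.getEncoded());
        Map<String, Boolean> decisions = perSession.computeIfAbsent(session, s -> new HashMap<>());
        Boolean cached = decisions.get(id);
        if (cached != null) return cached;
        boolean result = delegate.authenticate(username, key, session);
        decisions.put(id, result);
        return result;
    }
}

/** Minimal model of the server side of the RFC 4252 "publickey" method, simplified framing. */
final class PublicKeyUserAuth {
    private final KeyAuthenticator authenticator;
    PublicKeyUserAuth(KeyAuthenticator a) { authenticator = a; }

    /** First request from OpenSSH: no signature, only "would this key be acceptable?". */
    String query(Object session, String user, PublicKey key) {
        return authenticator.authenticate(user, key, session)
                ? "SSH_MSG_USERAUTH_PK_OK" : "SSH_MSG_USERAUTH_FAILURE";
    }

    /** Second request: carries a signature over session-bound data; both checks must pass. */
    String signedRequest(Object session, String user, PublicKey key,
                         byte[] signedData, byte[] sig) throws Exception {
        if (!authenticator.authenticate(user, key, session)) return "SSH_MSG_USERAUTH_FAILURE";
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(signedData);
        return verifier.verify(sig) ? "SSH_MSG_USERAUTH_SUCCESS" : "SSH_MSG_USERAUTH_FAILURE";
    }
}

public class DoublePublicKeyAuthDemo {
    public static void main(String[] args) throws Exception {
        KeyPair joe = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // constructed key
        AuthorizedKeysBackend backend = new AuthorizedKeysBackend();
        backend.authorizedKeys.put("joe", joe.getPublic());
        PublicKeyUserAuth server = new PublicKeyUserAuth(new SessionScopedCachingAuthenticator(backend));

        Object session = new Object();                        // stands in for the ServerSession
        byte[] data = "session-id|joe|publickey".getBytes();  // simplified stand-in for the signed blob
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(joe.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();

        System.out.println(server.query(session, "joe", joe.getPublic()));
        System.out.println(server.signedRequest(session, "joe", joe.getPublic(), data, sig));
        System.out.println("backend lookups after both requests of one session: " + backend.lookups);

        // A second connection presenting the same key gets its own backend lookup.
        server.query(new Object(), "joe", joe.getPublic());
        System.out.println("backend lookups after a second session: " + backend.lookups);
    }
}
```

With the caching decorator in place the backend is consulted once for the two requests of the first session and once more for the second session, which is the reduction the issue asks for without turning an earlier acceptance into a global fact. Without the decorator (passing `backend` directly to `PublicKeyUserAuth`) the lookup count after the first two requests is two, which is the behaviour the issue reports.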
