mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Guillaume Nodet (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SSHD-300) Double public key authentication
Date Sat, 15 Mar 2014 23:12:42 GMT

    [ https://issues.apache.org/jira/browse/SSHD-300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13936335#comment-13936335

Guillaume Nodet commented on SSHD-300:

The patch isn't correct as the client could send several requests with different keys and
the second key would simply be acknowledge without any verification.
What you need is a PublickeyAuthenticator that would cache the key verification for a given
session and delegate to the real one.  The result could be stored in a map indexed by the
session and the map would be cleared when the session is closed (this can be done by adding
a listener to the session).
Here's one which seems to work, though I haven't committed yet:
public class CachingPublicKeyAuthenticator implements PublickeyAuthenticator, SessionListener

    private final PublickeyAuthenticator authenticator;
    private final Map<ServerSession, Map<PublicKey, Boolean>> cache = new ConcurrentHashMap<ServerSession,
Map<PublicKey, Boolean>>();

    public CachingPublicKeyAuthenticator(PublickeyAuthenticator authenticator) {
        this.authenticator = authenticator;

    public boolean authenticate(String username, PublicKey key, ServerSession session) {
        Map<PublicKey, Boolean> map = cache.get(session);
        if (map == null) {
            map = new HashMap<PublicKey, Boolean>();
            cache.put(session, map);
        if (map.containsKey(key)) {
            return map.get(key);
        boolean result = authenticator.authenticate(username, key, session);
        map.put(key, result);
        return result;

    public void sessionCreated(Session session) {

    public void sessionEvent(Session sesssion, Event event) {

    public void sessionClosed(Session session) {

> Double public key authentication
> --------------------------------
>                 Key: SSHD-300
>                 URL: https://issues.apache.org/jira/browse/SSHD-300
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 0.10.1
>            Reporter: David Ostrovsky
>            Priority: Minor
>         Attachments: 0001-SSHD-300-Prevent-double-public-key-authentication.patch
> PublickeyAuthenticator.authenticate() method is called twice, even though the first call
of this method already authenticated the user and returned true.
> This is a preformance issue, as server may need to hit database/caches to retrieve the
list of  public key(s) for the user to preform the check against.
> Or the authenticate() implementation needs to be adjusted to preform the check that the
user was alreay authenticated.
> Reproducer patch is attaced. The problem only occurs when the test is called from open
SSH client. Own SSHD's client works as expected.
> To reproduce, start the attached unit test as Java application, and issue the command:
>   ssh localhost -p 29418 -l joe
> [1] https://gerrit-review.googlesource.com/55193

This message was sent by Atlassian JIRA

View raw message