mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robin Stocker (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SSHD-372) Server doesn't reject connections that don't send client identification, has to time out
Date Thu, 20 Nov 2014 09:27:34 GMT
Robin Stocker created SSHD-372:
----------------------------------

             Summary: Server doesn't reject connections that don't send client identification,
has to time out
                 Key: SSHD-372
                 URL: https://issues.apache.org/jira/browse/SSHD-372
             Project: MINA SSHD
          Issue Type: Improvement
    Affects Versions: 0.14.0
            Reporter: Robin Stocker


Given a client that incorrectly tries to connect to Mina SSHD using HTTP (such as a Git client
using an incorrect remote URL), Mina SSHD is much less strict than OpenSSH.

OpenSSH immediately closes the connection:

{noformat}
$ curl -v http://127.0.0.1:4722/                             
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:4722
> Accept: */*
> 
SSH-2.0-OpenSSH_6.6.1
Protocol mismatch.
* Connection #0 to host 127.0.0.1 left intact
$
{noformat}

Mina SSHD (master) waits for further input, and the connection is only closed when the auth
timeout is reached (2 minutes currently):

{noformat}
$ curl -v http://127.0.0.1:51328/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:51328
> Accept: */*
> 
SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
{noformat}

(In 0.9, there was also a bug that caused the auth timeout to never be triggered, but that
seems to have been fixed in 0.10 due to the work on SSHD-282.)

The code for this is in {{AbstractSession#doReadIdentification}}. I'm not sure if it should
be as strict as OpenSSH ([which only looks at the first line|https://github.com/openssh/openssh-portable/blob/146218ac11a1eb0dcade6f793d7acdef163b5ddc/sshd.c#L472]),
but maybe it would be worth to make this configurable.

A workaround is possible by providing a custom {{SessionFactory}} and {{ServerSession}} and
overriding {{doReadIdentification}}.

For background, see this Stash issue: https://jira.atlassian.com/browse/STASH-5480



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message