mina-dev mailing list archives

From "Guillaume Nodet (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (SSHD-372) Server doesn't reject connections that don't send client identification, has to time out
Date Wed, 11 Feb 2015 16:34:13 GMT

     [ https://issues.apache.org/jira/browse/SSHD-372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet reassigned SSHD-372:
------------------------------------

    Assignee: Guillaume Nodet

> Server doesn't reject connections that don't send client identification, has to time out
> ----------------------------------------------------------------------------------------
>
>                 Key: SSHD-372
>                 URL: https://issues.apache.org/jira/browse/SSHD-372
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 0.14.0
>            Reporter: Robin Stocker
>            Assignee: Guillaume Nodet
>
> Given a client that incorrectly tries to connect to Mina SSHD using HTTP (such as a Git client using an incorrect remote URL), Mina SSHD is much less strict than OpenSSH.
> OpenSSH immediately closes the connection:
> {noformat}
> $ curl -v http://127.0.0.1:4722/                             
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:4722
> > Accept: */*
> > 
> SSH-2.0-OpenSSH_6.6.1
> Protocol mismatch.
> * Connection #0 to host 127.0.0.1 left intact
> $
> {noformat}
> Mina SSHD (master) waits for further input, and the connection is only closed when the auth timeout is reached (2 minutes currently):
> {noformat}
> $ curl -v http://127.0.0.1:51328/
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:51328
> > Accept: */*
> > 
> SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
> {noformat}
> (In 0.9, there was also a bug that caused the auth timeout to never be triggered, but that seems to have been fixed in 0.10 due to the work on SSHD-282.)
> The code for this is in {{AbstractSession#doReadIdentification}}. I'm not sure if it should be as strict as OpenSSH ([which only looks at the first line|https://github.com/openssh/openssh-portable/blob/146218ac11a1eb0dcade6f793d7acdef163b5ddc/sshd.c#L472]), but maybe it would be worth making this configurable.
> A workaround is possible by providing a custom {{SessionFactory}} and {{ServerSession}} and overriding {{doReadIdentification}}.
> For background, see this Stash issue: https://jira.atlassian.com/browse/STASH-5480



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
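
An added example, not part of the original message and not MINA SSHD or OpenSSH code: a stand-alone check that rejects a connection as soon as its first bytes cannot be an SSH identification line, instead of holding the socket open until the auth timeout. The class and method names are hypothetical; it assumes only `SSH-2.0-` clients are accepted and applies the 255-byte line limit from RFC 4253 section 4.2.

```java
import java.nio.charset.StandardCharsets;

/** Added example: strict first-line check of an SSH client identification string. */
public class StrictIdentCheck {
    enum Verdict { NEED_MORE, ACCEPT, REJECT }

    // Assumption: only protocol version 2.0 clients are accepted.
    private static final byte[] PREFIX = "SSH-2.0-".getBytes(StandardCharsets.US_ASCII);
    private static final int MAX_LINE = 255; // RFC 4253 section 4.2: limit includes CR LF

    /** Classifies the bytes received so far on a new connection. */
    static Verdict check(byte[] received) {
        // Any byte that departs from the expected prefix settles it at once,
        // so an HTTP request is rejected on its first byte ('G' != 'S').
        int n = Math.min(received.length, PREFIX.length);
        for (int i = 0; i < n; i++) {
            if (received[i] != PREFIX[i]) {
                return Verdict.REJECT;
            }
        }
        // Look for the end of the first line only; later lines are never consulted.
        for (int i = 0; i < received.length && i < MAX_LINE; i++) {
            if (received[i] == '\n') {
                // i >= PREFIX.length here, because '\n' cannot match a prefix byte.
                int end = (received[i - 1] == '\r') ? i - 1 : i;
                // Require a non-empty software version after the prefix.
                return end > PREFIX.length ? Verdict.ACCEPT : Verdict.REJECT;
            }
        }
        // No newline yet: wait for more data unless the line is already too long.
        return received.length >= MAX_LINE ? Verdict.REJECT : Verdict.NEED_MORE;
    }

    public static void main(String[] args) {
        // Constructed inputs: the curl request from the report, a partial line,
        // and a well-formed client identification.
        String[] samples = {
            "GET / HTTP/1.1\r\nUser-Agent: curl/7.37.1\r\n",
            "SSH-2.",
            "SSH-2.0-ExampleClient_1.0\r\n",
        };
        for (String s : samples) {
            byte[] b = s.getBytes(StandardCharsets.US_ASCII);
            System.out.println(check(b) + " <- " + s.trim().split("\r\n")[0]);
        }
    }
}
```

A server would call such a check on each read and close the connection on `REJECT`, keeping the auth timeout only as a backstop for clients that connect and send nothing.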
