mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Guillaume Nodet (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SSHD-372) Server doesn't reject connections that don't send client identification, has to time out
Date Wed, 11 Feb 2015 16:40:12 GMT

    [ https://issues.apache.org/jira/browse/SSHD-372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14316491#comment-14316491
] 

Guillaume Nodet commented on SSHD-372:
--------------------------------------

The spec also says:

   The server MAY send other lines of data before sending the version
   string.  Each line SHOULD be terminated by a Carriage Return and Line
   Feed.  Such lines MUST NOT begin with "SSH-", and SHOULD be encoded
   in ISO-10646 UTF-8 [RFC3629] (language is not specified).  Clients
   MUST be able to process such lines.  Such lines MAY be silently
   ignored, or MAY be displayed to the client user.  If they are
   displayed, control character filtering, as discussed in [SSH-ARCH],
   SHOULD be used.  The primary use of this feature is to allow TCP-
   wrappers to display an error message before disconnecting.

That's why the code is written this way.  But this only apply to the client side, so i'll
enhance the server to fail fast.

> Server doesn't reject connections that don't send client identification, has to time
out
> ----------------------------------------------------------------------------------------
>
>                 Key: SSHD-372
>                 URL: https://issues.apache.org/jira/browse/SSHD-372
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 0.14.0
>            Reporter: Robin Stocker
>            Assignee: Guillaume Nodet
>             Fix For: 0.14.0
>
>
> Given a client that incorrectly tries to connect to Mina SSHD using HTTP (such as a Git
client using an incorrect remote URL), Mina SSHD is much less strict than OpenSSH.
> OpenSSH immediately closes the connection:
> {noformat}
> $ curl -v http://127.0.0.1:4722/                             
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:4722
> > Accept: */*
> > 
> SSH-2.0-OpenSSH_6.6.1
> Protocol mismatch.
> * Connection #0 to host 127.0.0.1 left intact
> $
> {noformat}
> Mina SSHD (master) waits for further input, and the connection is only closed when the
auth timeout is reached (2 minutes currently):
> {noformat}
> $ curl -v http://127.0.0.1:51328/
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: 127.0.0.1:51328
> > Accept: */*
> > 
> SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
> {noformat}
> (In 0.9, there was also a bug that caused the auth timeout to never be triggered, but
that seems to have been fixed in 0.10 due to the work on SSHD-282.)
> The code for this is in {{AbstractSession#doReadIdentification}}. I'm not sure if it
should be as strict as OpenSSH ([which only looks at the first line|https://github.com/openssh/openssh-portable/blob/146218ac11a1eb0dcade6f793d7acdef163b5ddc/sshd.c#L472]),
but maybe it would be worth to make this configurable.
> A workaround is possible by providing a custom {{SessionFactory}} and {{ServerSession}}
and overriding {{doReadIdentification}}.
> For background, see this Stash issue: https://jira.atlassian.com/browse/STASH-5480



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message