mina-dev mailing list archives

From "Goldstein Lyor (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SSHD-473) PasswordAuthentifikation
Date Thu, 04 Jun 2015 06:15:38 GMT

    [ https://issues.apache.org/jira/browse/SSHD-473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14572238#comment-14572238 ]

Goldstein Lyor commented on SSHD-473:
-------------------------------------

To put this matter to rest once and for all - below you will find a sample server and client
(I even placed them in the *same* package as your original code) + the results of running
them. Make *sure* your client/server code looks like the samples and that no step has been
missed/skipped. The attached results prove 100% that the client authenticates *only*
if you provide the correct credentials - regardless of whether the client is written in _Java_
or off-the-shelf. If that doesn't clear the issue for you nothing will - if your results are
different than this then you are doing something wrong or confusing clients and servers.

h1. The code
{code:title=SampleServer.java}
package org.flowcontrol.uniselflow.web_services.ssh;

import java.io.BufferedReader;
import java.io.File;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Map;

import org.apache.sshd.SshServer;
import org.apache.sshd.common.ForwardingFilter;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.Session;
import org.apache.sshd.common.SshdSocketAddress;
import org.apache.sshd.common.util.OsUtils;
import org.apache.sshd.common.util.SecurityUtils;
import org.apache.sshd.server.Command;
import org.apache.sshd.server.CommandFactory;
import org.apache.sshd.server.PasswordAuthenticator;
import org.apache.sshd.server.PublickeyAuthenticator;
import org.apache.sshd.server.ServerFactoryManager;
import org.apache.sshd.server.command.ScpCommandFactory;
import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.session.ServerSession;
import org.apache.sshd.server.sftp.SftpSubsystem;
import org.apache.sshd.server.shell.ProcessShellFactory;

/**
 * @author lgoldstein
 * @since Jun 4, 2015 7:25:11 AM
 */
public class SampleServer {
    public static void main(String[] args) {
        SshServer sshd = SshServer.setUpDefaultServer();
        Map<String,String> props = sshd.getProperties();
        props.put(ServerFactoryManager.WELCOME_BANNER, "SSHD-473 issue example for Jochen");

        // If ANY other combination other than this is provided the authentication fails !!!
        final String EXPECTED_USER_NAME="foo", EXPECTED_PASSWORD="bar";
        sshd.setPasswordAuthenticator(new PasswordAuthenticator() {
                @Override
                public boolean authenticate(String username, String password, ServerSession session) {
                    // NOTE: acceptance/rejection is solely based on the Java code - has NOTHING to
                    //      do with the O/S users - if want to use the O/S user/password then you need
                    //      to write your own authenticator. The decision whether to accept/reject the
                    //      provided username/password relies SOLELY on the return value: true/false
                    //      (assuming the public-key authenticator always returns FALSE as is the
                    //      case for this code)
                    boolean accept=EXPECTED_USER_NAME.equals(username) && EXPECTED_PASSWORD.equals(password);
                    PrintStream ps=accept ? System.out : System.err;
                    String action=accept ? "Accepted" : "Rejected";
                    ps.println(action + " user=" + username + ",password=" + password + " from " + session.getIoSession().getRemoteAddress());
                    return accept;
                }
            });
        sshd.setPublickeyAuthenticator(new PublickeyAuthenticator() {
                @Override   // just to make sure that authentication is not achieved by any means other than via password
                public boolean authenticate(String username, PublicKey key, ServerSession session) {
                    System.err.println("Reject public key authentication for " + username + " from " + session.getIoSession().getRemoteAddress());
                    return false;
                }
            });

        String cwd=System.getProperty("user.dir");
        if (cwd.charAt(cwd.length() - 1) == File.separatorChar) {
            cwd = cwd.substring(0, cwd.length() - 1);
        }
        // MUST be provided or no encryption can take place
        // if you comment this out the server won't even start...
        if (SecurityUtils.isBouncyCastleRegistered()) {
            sshd.setKeyPairProvider(new PEMGeneratorHostKeyProvider(cwd + File.separator + "jochen.pem"));
        } else {
            sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(cwd + File.separator + "jochen.ser"));
        }

        // comment this out if you don't want to allow remote shell to be run on the local host
        if (OsUtils.isUNIX()) {
            sshd.setShellFactory(new ProcessShellFactory(new String[] { "/bin/sh", "-i", "-l" },
                                 EnumSet.of(ProcessShellFactory.TtyOptions.ONlCr)));
        } else {
            sshd.setShellFactory(new ProcessShellFactory(new String[] { "cmd.exe "},
                                 EnumSet.of(ProcessShellFactory.TtyOptions.Echo, ProcessShellFactory.TtyOptions.ICrNl, ProcessShellFactory.TtyOptions.ONlCr)));
        }
        
        // comment this out if you don't want to allow port forwarding
        sshd.setTcpipForwardingFilter(new ForwardingFilter() {
                @Override
                public boolean canForwardAgent(Session session) {
                    System.out.println("Asked if can forward agent for " + session.getIoSession().getRemoteAddress());
                    return true;
                }
    
                @Override
                public boolean canForwardX11(Session session) {
                    System.out.println("Asked if can forward X11 for " + session.getIoSession().getRemoteAddress());
                    return true;
                }
    
                @Override
                public boolean canListen(SshdSocketAddress address, Session session) {
                    System.out.println("Asked if can listen on " + address + " for " + session.getIoSession().getRemoteAddress());
                    return true;
                }
    
                @Override
                public boolean canConnect(SshdSocketAddress address, Session session) {
                    System.out.println("Asked if can connect on " + address + " for " + session.getIoSession().getRemoteAddress());
                    return true;
                }
            });

        // comment this out if you don't want to allow remote commands or SCP to be run on the local host
        sshd.setCommandFactory(new ScpCommandFactory(new CommandFactory() {
                @Override
                public Command createCommand(String command) {
                    EnumSet<ProcessShellFactory.TtyOptions> ttyOptions;
                    if (OsUtils.isUNIX()) {
                        ttyOptions = EnumSet.of(ProcessShellFactory.TtyOptions.ONlCr);
                    } else {
                        ttyOptions = EnumSet.of(ProcessShellFactory.TtyOptions.Echo, ProcessShellFactory.TtyOptions.ICrNl, ProcessShellFactory.TtyOptions.ONlCr);
                    }
                    System.out.println("Run command: " + command);
                    return new ProcessShellFactory(command.split(" "), ttyOptions).create();
                }
            }));
        // comment this out if you don't want to support SFTP
        sshd.setSubsystemFactories(Arrays.<NamedFactory<Command>>asList(new SftpSubsystem.Factory()));

        // or whatever else you like, just make sure you connect to the SAME port from your client
        sshd.setPort(8000);

        try(BufferedReader stdin=new BufferedReader(new InputStreamReader(System.in))) {
            sshd.start();
            
            // NOTE: MUST have a loop or a long sleep or the server will exit...
            while(true) {
                System.out.print("Listening on port=" + sshd.getPort() + " enter (Q)uit to stop: ");
                String line=stdin.readLine();
                if (line == null) { // EOF
                    break;
                }
                
                line = line.trim();
                if (line.length() <= 0) {
                    continue;
                }
                
                char ch=line.charAt(0);
                if ((ch == 'q') || (ch == 'Q')) {
                    break;
                }
            }
            
            System.out.println("Stopping...");
            sshd.stop();
            System.out.println("Stopped");
        } catch(Throwable t) {
            t.printStackTrace();
        }
    }
}
{code}
{code:title=SampleClient.java}
package org.flowcontrol.uniselflow.web_services.ssh;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

import org.apache.sshd.ClientChannel;
import org.apache.sshd.ClientSession;
import org.apache.sshd.SshClient;
import org.apache.sshd.client.channel.ChannelShell;
import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.util.NoCloseInputStream;
import org.apache.sshd.common.util.NoCloseOutputStream;
import org.apache.sshd.common.util.SecurityUtils;
import org.bouncycastle.openssl.PasswordFinder;

/**
 * @author lgoldstein
 * @since Jun 4, 2015 8:06:42 AM
 */
public class SampleClient {

    public static void main(String[] args) {
        SshClient client = SshClient.setUpDefaultClient();

        String homePath = System.getProperty("user.home");
        if (homePath.charAt(homePath.length() - 1) == File.separatorChar) {
            homePath = homePath.substring(0, homePath.length() - 1);
        }

        File homeDir = new File(homePath), sshDir = new File(homeDir, ".ssh");
        List<String> files = new ArrayList<String>();
        for (String fileType : new String[] { "rsa", "dsa", "ecdsa" }) {
            File f = new File(sshDir, "/id_" + fileType);
            String filePath = f.getAbsolutePath();
            if (f.exists()) {
                if (f.isFile() && f.canRead()) {
                    files.add(filePath);
                    System.out.println("Found " + filePath);
                } else {
                    System.err.println("Not a file or not readable: " + filePath);
                }
            } else {
                System.out.println("Skip non-existing file: " + filePath);
            }
        }

        if (files.size() <= 0) {
            throw new IllegalStateException("No SSH key files found in " + sshDir.getAbsolutePath());
        }
        
        if (!SecurityUtils.isBouncyCastleRegistered()) {
            throw new IllegalStateException("Need Bouncycastle on the classpath in order to load the key files");
        }

        try(final BufferedReader stdin=new BufferedReader(new InputStreamReader(System.in))) {
            client.setKeyPairProvider(new FileKeyPairProvider(files.toArray(new String[files.size()]), new PasswordFinder() {
                    @Override
                    public char[] getPassword() {
                        try {
                            System.out.println("Enter password for private key: ");
                            String password = stdin.readLine();
                            // readLine() returns null on EOF - avoid a NullPointerException
                            return (password == null) ? null : password.toCharArray();
                        } catch (IOException e) {
                            return null;
                        }
                    }
                }));
            client.start();

            System.out.print("Username: ");
            String username=stdin.readLine();
            System.out.print("Password: ");
            String password=stdin.readLine();

            // NOTE: change the 'localhost' to some other address if you need to
            // NOTE: change the port (8000) to whatever port you need
            ClientSession session = client.connect(username, "localhost", 8000).await().getSession();
            try {
                System.out.println("Authenticating using password=" + password + " ...");
                // try commenting this out and see what happens (authentication should fail)
                session.addPasswordIdentity(password);
                session.auth().verify();
                System.out.println("Authenticated");

                ClientChannel channel = session.createChannel(ClientChannel.CHANNEL_SHELL);
                try {
                    ((ChannelShell) channel).setAgentForwarding(false);
                    channel.setIn(new NoCloseInputStream(System.in));
                    channel.setOut(new NoCloseOutputStream(System.out));
                    channel.setErr(new NoCloseOutputStream(System.err));
                    System.out.println("Open shell...");
                    channel.open().await();
                } finally {
                    channel.waitFor(ClientChannel.CLOSED, 0);
                    System.out.println("Closing shell...");
                }
            } finally {
                System.out.println("Closing session...");
                session.close(false);
            }
        } catch(Throwable t) {
            t.printStackTrace();
        } finally {
            System.out.println("Stopping...");
            client.stop();
            System.out.println("Stopped");
        }
    }

}
{code}
h1. The results
h2. Using an off-the-shelf SSH command-line client to connect to the sample server
h3. Good user, good password
{panel:title=Client}
{noformat}
C:\Projects\apache\mina-sshd>ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 8000 foo@localhost
Warning: Permanently added '[localhost]:8000' (DSA) to the list of known hosts.
Password authentication
Password: ****
SSHD-473 issue example for JochenMicrosoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
{noformat}
{panel}
{panel:title=Server}
{noformat}
Reject public key authentication for foo from /127.0.0.1:58585
Accepted user=foo,password=bar from /127.0.0.1:58585
[sshd-SshServer[325bb9a6]-nio2-thread-1] INFO org.apache.sshd.server.session.ServerUserAuthService - Session foo@/127.0.0.1:58585 authenticated
[sshd-SshServer[325bb9a6]-nio2-thread-4] INFO org.apache.sshd.server.shell.ProcessShellFactory - Starting shell with command: '[cmd.exe ]' ...
{noformat}
{panel}

h3. Good user, bad password ('1234' instead of 'bar')
{panel:title=Client}
{noformat}
C:\Projects\apache\mina-sshd>ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 8000 foo@localhost
Warning: Permanently added '[localhost]:8000' (DSA) to the list of known hosts.
Password authentication
Password: ****
Password authentication
Password: ****
Password authentication
Password: ****
foo@localhost's password: ****
Permission denied, please try again.
foo@localhost's password: ****
Permission denied, please try again.
foo@localhost's password: ****
Permission denied (password,keyboard-interactive,publickey).
{noformat}
{panel}
{panel:title=Server}
{noformat}
Reject public key authentication for foo from /127.0.0.1:59037
Rejected user=foo,password=1234 from /127.0.0.1:59037
Rejected user=foo,password=1234 from /127.0.0.1:59037
Rejected user=foo,password=1234 from /127.0.0.1:59037
Rejected user=foo,password=1234 from /127.0.0.1:59037
Rejected user=foo,password=1234 from /127.0.0.1:59037
Rejected user=foo,password=1234 from /127.0.0.1:59037
{noformat}
{panel}

h3. Good password, bad user ('jochen' instead of 'foo')
{panel:title=Client}
{noformat}
C:\Projects\apache\mina-sshd>ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 8000 jochen@localhost
Warning: Permanently added '[localhost]:8000' (DSA) to the list of known hosts.
Password authentication
Password: ****
Password authentication
Password: ****
Password authentication
Password: ****
jochen@localhost's password: ****
Permission denied, please try again.
jochen@localhost's password: ****
Permission denied, please try again.
jochen@localhost's password: ****
Permission denied (password,keyboard-interactive,publickey).
{noformat}
{panel}
{panel:title=Server}
{noformat}
Reject public key authentication for jochen from /127.0.0.1:54785
Rejected user=jochen,password=bar from /127.0.0.1:54785
Rejected user=jochen,password=bar from /127.0.0.1:54785
Rejected user=jochen,password=bar from /127.0.0.1:54785
Rejected user=jochen,password=bar from /127.0.0.1:54785
Rejected user=jochen,password=bar from /127.0.0.1:54785
Rejected user=jochen,password=bar from /127.0.0.1:54785
{noformat}
{panel}

h3. Bad user ('jochen' instead of 'foo'), bad password ('1234' instead of 'bar')
{panel:title=Client}
{noformat}
C:\Projects\apache\mina-sshd>ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 8000 jochen@localhost
Warning: Permanently added '[localhost]:8000' (DSA) to the list of known hosts.
Password authentication
Password: ****
Password authentication
Password: ****
Password authentication
Password: ****
jochen@localhost's password: ****
Permission denied, please try again.
jochen@localhost's password: ****
Permission denied, please try again.
jochen@localhost's password: ****
Permission denied (password,keyboard-interactive,publickey).
{noformat}
{panel}
{panel:title=Server}
{noformat}
Reject public key authentication for jochen from /127.0.0.1:65228
Rejected user=jochen,password=1234 from /127.0.0.1:65228
Rejected user=jochen,password=1234 from /127.0.0.1:65228
Rejected user=jochen,password=1234 from /127.0.0.1:65228
Rejected user=jochen,password=1234 from /127.0.0.1:65228
Rejected user=jochen,password=1234 from /127.0.0.1:65228
Rejected user=jochen,password=1234 from /127.0.0.1:65228
{noformat}
{panel}

h2. Using the _SampleClient_ code

h3. Good user/password - no call to _session.addPasswordIdentity(password)_
{panel:title=Client}
{noformat}
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Trying to register BouncyCastle as a JCE provider
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Registration succeeded
    Found C:\Users\lgoldstein\.ssh\id_rsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_dsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_ecdsa
    Username: foo
    Password: bar
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.session.ClientSessionImpl - Client session created
    Authenticating...
    [main] INFO org.apache.sshd.client.session.ClientSessionImpl - Start flagging packets as pending until key exchange is done
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.session.ClientSessionImpl - Server version string: SSH-2.0-SSHD-CORE-0.14.0
    [sshd-SshClient[4a7761b1]-nio2-thread-4] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at localhost/127.0.0.1:8000 presented unverified DSA key: 2a:b8:38:3b:49:d5:e4:ce:07:dd:15:d3:82:13:72:bd
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientSessionImpl - Dequeing pending packets
    [sshd-SshClient[4a7761b1]-nio2-thread-2] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-2] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    Closing session...
    org.apache.sshd.common.SshException: Authentication failed
        at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:44)
        at org.flowcontrol.uniselflow.web_services.ssh.SampleClient.main(SampleClient.java:121)
    Stopping...
    Stopped
{noformat}
{panel}
{panel:title=Server}
{noformat}
    [sshd-SshServer[325bb9a6]-nio2-thread-1] INFO org.apache.sshd.server.session.ServerSession - Server session created from /127.0.0.1:59230
    Reject public key authentication for foo from /127.0.0.1:59230
{noformat}
*NOTE*: the password authenticator is never invoked - as should be expected since we did not
provide a password
{panel}

h3. good user, good password - calling _session.addPasswordIdentity(password)_ before _session.auth().verify()_
{panel:title=Client}
{noformat}
Client:
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Trying to register BouncyCastle as a JCE provider
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Registration succeeded
    Found C:\Users\lgoldstein\.ssh\id_rsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_dsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_ecdsa
    Username: foo
    Password: bar
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.session.ClientSessionImpl - Client session created
    Authenticating using password=bar ...
    [main] INFO org.apache.sshd.client.session.ClientSessionImpl - Start flagging packets as pending until key exchange is done
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.session.ClientSessionImpl - Server version string: SSH-2.0-SSHD-CORE-0.14.0
    [sshd-SshClient[4a7761b1]-nio2-thread-1] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at localhost/127.0.0.1:8000 presented unverified DSA key: 2a:b8:38:3b:49:d5:e4:ce:07:dd:15:d3:82:13:72:bd
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientSessionImpl - Dequeing pending packets
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-2] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_SUCCESS
    Authenticated
    Open shell...
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    
    C:\Projects\...>dir
    dir
    
    dir
     Volume in drive C is ....
     Volume Serial Number is F29B-038F
    
     Directory of ....
    
    04-Jun-15  07:52    <DIR>          .
    04-Jun-15  07:52    <DIR>          ..
    08-Apr-15  14:35             1,100 .classpath
    26-Mar-15  12:28               734 .project
    25-Mar-15  11:07    <DIR>          .settings
    08-Apr-15  14:34               489 .springBeans
    01-Jun-15  09:58               761 build.xml
    04-Jun-15  07:52               684 jochen.pem
    02-Jun-15  16:03             1,675 pom.xml
    24-Mar-15  17:07    <DIR>          src
    28-May-15  13:16    <DIR>          target
                   6 File(s)          5,443 bytes
                   5 Dir(s)  353,275,584,512 bytes free
    
    C:\Projects\...>
    C:\Projects\...>exit
    exit
    
    exit
    Closing shell...
    Closing session...
{noformat}
{panel}
{panel:title=Server}
{noformat}
    [sshd-SshServer[325bb9a6]-nio2-thread-2] INFO org.apache.sshd.server.session.ServerSession - Server session created from /127.0.0.1:50410
    Reject public key authentication for foo from /127.0.0.1:50410
    Accepted user=foo,password=bar from /127.0.0.1:50410
    [sshd-SshServer[325bb9a6]-nio2-thread-4] INFO org.apache.sshd.server.session.ServerUserAuthService - Session foo@/127.0.0.1:50410 authenticated
    [sshd-SshServer[325bb9a6]-nio2-thread-2] INFO org.apache.sshd.server.shell.ProcessShellFactory - Starting shell with command: '[cmd.exe ]' ...
{noformat}
{panel}

h3. Good user, bad password ('1234' instead of 'bar') - calling _session.addPasswordIdentity(password)_ before _session.auth().verify()_
{panel:title=Client}
{noformat}
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Trying to register BouncyCastle as a JCE provider
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Registration succeeded
    Found C:\Users\lgoldstein\.ssh\id_rsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_dsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_ecdsa
    Username: foo
    Password: 1234
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.session.ClientSessionImpl - Client session created
    Authenticating using password=1234 ...
    [main] INFO org.apache.sshd.client.session.ClientSessionImpl - Start flagging packets as pending until key exchange is done
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.session.ClientSessionImpl - Server version string: SSH-2.0-SSHD-CORE-0.14.0
    [sshd-SshClient[4a7761b1]-nio2-thread-1] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at localhost/127.0.0.1:8000 presented unverified DSA key: 2a:b8:38:3b:49:d5:e4:ce:07:dd:15:d3:82:13:72:bd
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientSessionImpl - Dequeing pending packets
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-3] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-2] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    Closing session...
    org.apache.sshd.common.SshException: Authentication failed
        at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:44)
        at org.flowcontrol.uniselflow.web_services.ssh.SampleClient.main(SampleClient.java:101)
    Stopping...
    Stopped
{noformat}
{panel}
{panel:title=Server}
{noformat}
    [sshd-SshServer[325bb9a6]-nio2-thread-4] INFO org.apache.sshd.server.session.ServerSession - Server session created from /127.0.0.1:50150
    Reject public key authentication for foo from /127.0.0.1:50150
    Rejected user=foo,password=1234 from /127.0.0.1:50150
    Rejected user=foo,password=1234 from /127.0.0.1:50150
{noformat}
{panel}

h3. Bad user ('jochen' instead of 'foo'), good password - calling _session.addPasswordIdentity(password)_ before _session.auth().verify()_
{panel:title=Client}
{noformat}
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Trying to register BouncyCastle as a JCE provider
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Registration succeeded
    Found C:\Users\lgoldstein\.ssh\id_rsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_dsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_ecdsa
    Username: jochen
    Password: bar
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.session.ClientSessionImpl - Client session created
    Authenticating using password=bar ...
    [main] INFO org.apache.sshd.client.session.ClientSessionImpl - Start flagging packets as pending until key exchange is done
    [sshd-SshClient[4a7761b1]-nio2-thread-3] INFO org.apache.sshd.client.session.ClientSessionImpl - Server version string: SSH-2.0-SSHD-CORE-0.14.0
    [sshd-SshClient[4a7761b1]-nio2-thread-4] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at localhost/127.0.0.1:8000 presented unverified DSA key: 2a:b8:38:3b:49:d5:e4:ce:07:dd:15:d3:82:13:72:bd
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientSessionImpl - Dequeing pending packets
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-3] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-2] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-3] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-2] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    Closing session...
    org.apache.sshd.common.SshException: Authentication failed
        at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:44)
        at org.flowcontrol.uniselflow.web_services.ssh.SampleClient.main(SampleClient.java:101)
    Stopping...
    Stopped
{noformat}
{panel}
{panel:title=Server}
{noformat}
    [sshd-SshServer[325bb9a6]-nio2-thread-3] INFO org.apache.sshd.server.session.ServerSession - Server session created from /127.0.0.1:50292
    Reject public key authentication for jochen from /127.0.0.1:50292
    Rejected user=jochen,password=bar from /127.0.0.1:50292
    Rejected user=jochen,password=bar from /127.0.0.1:50292
{noformat}
{panel}

h3. Bad user ('jochen' instead of 'foo'), bad password ('1234' instead of 'bar') - calling _session.addPasswordIdentity(password)_ before _session.auth().verify()_
{panel:title=Client}
{noformat}
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Trying to register BouncyCastle as a JCE provider
    [main] INFO org.apache.sshd.common.util.SecurityUtils - Registration succeeded
    Found C:\Users\lgoldstein\.ssh\id_rsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_dsa
    Skip non-existing file: C:\Users\lgoldstein\.ssh\id_ecdsa
    Username: jochen
    Password: 1234
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.session.ClientSessionImpl - Client session created
    Authenticating using password=1234 ...
    [main] INFO org.apache.sshd.client.session.ClientSessionImpl - Start flagging packets as pending until key exchange is done
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.session.ClientSessionImpl - Server version string: SSH-2.0-SSHD-CORE-0.14.0
    [sshd-SshClient[4a7761b1]-nio2-thread-1] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at localhost/127.0.0.1:8000 presented unverified DSA key: 2a:b8:38:3b:49:d5:e4:ce:07:dd:15:d3:82:13:72:bd
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientSessionImpl - Dequeing pending packets
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-3] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    [sshd-SshClient[4a7761b1]-nio2-thread-5] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-1] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-2] INFO org.apache.sshd.client.auth.UserAuthKeyboardInteractive - Received Password authentication  en-US
    [sshd-SshClient[4a7761b1]-nio2-thread-4] INFO org.apache.sshd.client.session.ClientUserAuthServiceNew - Received SSH_MSG_USERAUTH_FAILURE
    Closing session...
    org.apache.sshd.common.SshException: Authentication failed
        at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:44)
        at org.flowcontrol.uniselflow.web_services.ssh.SampleClient.main(SampleClient.java:101)
    Stopping...
    Stopped
{noformat}
{panel}
{panel:title=Server}
{noformat}
    [sshd-SshServer[325bb9a6]-nio2-thread-5] INFO org.apache.sshd.server.session.ServerSession - Server session created from /127.0.0.1:50628
    Reject public key authentication for jochen from /127.0.0.1:50628
    Rejected user=jochen,password=1234 from /127.0.0.1:50628
    Rejected user=jochen,password=1234 from /127.0.0.1:50628
{noformat}
{panel}

> PasswordAuthentifikation
> ------------------------
>
>                 Key: SSHD-473
>                 URL: https://issues.apache.org/jira/browse/SSHD-473
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 0.14.0
>         Environment: Windows 7, Java 8, Eclipse JUNO
>            Reporter: Jochen Seliger
>            Priority: Critical
>         Attachments: SSHDPasswordAuthenticator.java, SSH_SERVER.java
>
>
> I run the sshd and the ssh client both on the Windows machine.
> The sshd I start on port 8000 and with password authenticator and an own authenticator class, which shall show a messagebox when invoked.
> The client I start after creating it as SshClient.setUpDefaultClient(); without setting any factory with the statement ClientSession session = client.connect("Jochen","192.168.100.13",8000).await().getSession(); (Jochen is an existing user on the machine).
> But till shellChannel I can proceed only when setting after session creation session.addPasswordIdentity("Jochen"); (it is the same user as provided at session creation)
> There is no functionality to set the password.
> The method authPassword is deprecated.
> 1. My first question: How to proceed to use PasswordAuthentication?
> As stated I can proceed till ssh-Shell, but the server is logging at a first run an authentication failure and at a second run authentication success:
> Mai 22, 2015 12:14:21 PM org.apache.sshd.client.session.ClientSessionImpl readIdentification
> INFORMATION: Server version string: SSH-2.0-SSHD-CORE-0.14.0
> Mai 22, 2015 12:14:22 PM org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier verifyServerKey
> WARNUNG: Server at /192.168.100.13:8000 presented unverified DSA key: e4:76:f3:c2:15:64:7f:e4:5f:b7:86:35:a5:3e:85:35
> Mai 22, 2015 12:14:22 PM org.apache.sshd.common.session.AbstractSession doHandleMessage
> INFORMATION: Dequeing pending packets
> Mai 22, 2015 12:14:22 PM org.apache.sshd.client.session.ClientUserAuthServiceNew processUserAuth
> INFORMATION: Received SSH_MSG_USERAUTH_FAILURE
> Mai 22, 2015 12:14:22 PM org.apache.sshd.client.auth.UserAuthKeyboardInteractive process
> INFORMATION: Received Password authentication  en-US
> Mai 22, 2015 12:14:22 PM org.apache.sshd.client.session.ClientUserAuthServiceNew processUserAuth
> INFORMATION: Received SSH_MSG_USERAUTH_SUCCESS
> ShellChannell opened
> Microsoft Windows [Version 6.0.6001]
> Copyright (c) 2006 Microsoft Corporation. Alle Rechte vorbehalten.
> C:\Users\Jochen\workspace\USF_SSH_WS>
> although I did not provide a password.
> 2. Why are these two runs processed?
> 3. Why does the first run fail and the second one succeed?
> 4. How to proceed to get a functioning password and keypair authentication?
> Regards
> Jochen Seliger



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
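
As an added example (not part of the original message or of the MINA SSHD project), the sample server's output in the Server panels above can be checked mechanically: this Python code groups the rejection lines by peer address and masks the password that the sample authenticator prints in cleartext, so the output can be shared safely. The function names and the one-entry-per-line sample are assumptions made here; the line formats are the ones shown in the panels.

```python
import re
from collections import defaultdict

# Constructed sample: the two server panels above, one log entry per line.
SAMPLE_SERVER_LOG = """\
[sshd-SshServer[325bb9a6]-nio2-thread-3] INFO org.apache.sshd.server.session.ServerSession - Server session created from /127.0.0.1:50292
Reject public key authentication for jochen from /127.0.0.1:50292
Rejected user=jochen,password=bar from /127.0.0.1:50292
Rejected user=jochen,password=bar from /127.0.0.1:50292
[sshd-SshServer[325bb9a6]-nio2-thread-5] INFO org.apache.sshd.server.session.ServerSession - Server session created from /127.0.0.1:50628
Reject public key authentication for jochen from /127.0.0.1:50628
Rejected user=jochen,password=1234 from /127.0.0.1:50628
Rejected user=jochen,password=1234 from /127.0.0.1:50628
"""

SESSION_RE = re.compile(r"Server session created from (/\S+)$")
PUBKEY_RE = re.compile(r"^Reject public key authentication for (\S+) from (/\S+)$")
# Greedy password group: a password containing " from " still parses, because
# the peer address is anchored at the end of the line.
PASSWORD_RE = re.compile(r"^Rejected user=([^,]*),password=(.*) from (/\S+)$")


def mask_passwords(line):
    """Return the line with the cleartext password replaced by ***."""
    m = PASSWORD_RE.match(line.strip())
    if not m:
        return line
    return "Rejected user=%s,password=*** from %s" % (m.group(1), m.group(3))


def summarize(log_text):
    """Map each peer address to the users tried and the rejections logged."""
    sessions = defaultdict(
        lambda: {"users": set(), "pubkey_rejects": 0, "password_rejects": 0})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SESSION_RE.search(line)
        if m:
            sessions[m.group(1)]  # record the session even if no auth follows
            continue
        m = PUBKEY_RE.match(line)
        if m:
            sessions[m.group(2)]["users"].add(m.group(1))
            sessions[m.group(2)]["pubkey_rejects"] += 1
            continue
        m = PASSWORD_RE.match(line)
        if m:
            sessions[m.group(3)]["users"].add(m.group(1))
            sessions[m.group(3)]["password_rejects"] += 1
    return dict(sessions)
```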
