mina-dev mailing list archives

From "Goldstein Lyor (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SSHD-850) Add capability to retry a failed private key decryption when client is decrypting private key file(s)
Date Wed, 17 Oct 2018 11:55:00 GMT

    [ https://issues.apache.org/jira/browse/SSHD-850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16653416#comment-16653416 ]

Goldstein Lyor edited comment on SSHD-850 at 10/17/18 11:54 AM:
----------------------------------------------------------------

* {quote}
I know the two are different, and one (keyboard-interactive auth) is handled fine by sshd.
The other (passphrases for encrypted private keys) isn't.
{quote}
Then let's focus only on that - I am changing this issue to an appropriate feature request.

I don't doubt that the functionality you describe is useful - however, due to lack of time/resources
I doubt very much we will get to it (unless it becomes popular). That being said, I do believe
implementing your own {{KeyPairProvider}} can be done much more easily than you have described.

* {quote}
 It even looks I'd have to implement a whole separate hierarchy of KeyPairResourceParser
{quote}
I don't think it is necessary at all - the existing functionality can easily be encapsulated/extended.

* {quote}
 It also looks to me that I'd need a stateful FilePasswordProvider that remembers if it had
been called at all for the key so that I can query it – if it hasn't even been called by
the key parser, the key wasn't encrypted (or had a problem before we even got to decrypting
it) and re-trying would be futile. 
{quote}
Indeed - hence the need to develop such a solution. However, the situation is not as dire
as it may seem - the {{FilePasswordProvider}} interface is invoked with a "hint" (a.k.a. {{resourceKey}})
that tells you which resource is being decoded.

If you are interested in pursuing this issue (and I encourage you to do so), please implement
it in the _sshd-contrib_ artifact and publish a PR for it - we will be more than happy to
incorporate it into the project.



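The approach sketched in the comment above (a custom {{KeyPairProvider}} that wraps the existing parser and a stateful {{FilePasswordProvider}} that uses the {{resourceKey}} hint) can be put together as follows. This is an added example written for this page; it is not code from the JIRA thread, from _sshd-contrib_ or from MINA SSHD itself. It assumes the sshd-common 2.0.0/2.1.0 interfaces the issue names, namely {{FilePasswordProvider.getPassword(String resourceKey)}} and a no-argument {{KeyPairProvider.loadKeys()}}; the {{KeyLoader}} and {{Prompter}} interfaces and the {{RetryingFileKeyPairProvider}} class are hypothetical names introduced here, and the actual file parsing is delegated to a caller-supplied {{KeyLoader}} so the example does not pin one particular {{SecurityUtils}}/parser signature.

```java
// Added example (not code from the JIRA thread or from MINA SSHD itself).
// Assumes the sshd-common 2.0/2.1 interfaces named on this page:
//   FilePasswordProvider#getPassword(String resourceKey)
//   KeyPairProvider#loadKeys()
// KeyLoader, Prompter and RetryingFileKeyPairProvider are hypothetical names.
import java.io.IOException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;

import org.apache.sshd.common.config.keys.FilePasswordProvider;
import org.apache.sshd.common.keyprovider.KeyPairProvider;

/** Loads identity files, re-prompting for a passphrase up to maxPrompts times
 *  (the OpenSSH NumberOfPasswordPrompts behaviour; OpenSSH's default is 3). */
public class RetryingFileKeyPairProvider implements KeyPairProvider {

    /** Hypothetical adapter around the project's parser: wrap whatever loader
     *  the sshd version in use exposes (e.g. SecurityUtils.loadKeyPairIdentities). */
    @FunctionalInterface
    public interface KeyLoader {
        Iterable<KeyPair> load(Path file, FilePasswordProvider passwordProvider)
            throws IOException, GeneralSecurityException;
    }

    /** Hypothetical UI hook; attempt is 1-based so the UI can say "2 of 3".
     *  Returns null when the user cancels. */
    @FunctionalInterface
    public interface Prompter {
        String askPassphrase(String resourceKey, int attempt, int maxAttempts)
            throws IOException;
    }

    private final List<Path> files;
    private final KeyLoader loader;
    private final Prompter prompter;
    private final int maxPrompts;

    public RetryingFileKeyPairProvider(Collection<Path> files, KeyLoader loader,
                                       Prompter prompter, int maxPrompts) {
        this.files = new ArrayList<>(Objects.requireNonNull(files, "files"));
        this.loader = Objects.requireNonNull(loader, "loader");
        this.prompter = Objects.requireNonNull(prompter, "prompter");
        if (maxPrompts < 1) {
            throw new IllegalArgumentException("maxPrompts must be >= 1");
        }
        this.maxPrompts = maxPrompts;
    }

    @Override
    public Iterable<KeyPair> loadKeys() {
        List<KeyPair> keys = new ArrayList<>();
        for (Path file : files) {
            try {
                loadWithRetry(file).forEach(keys::add);
            } catch (IOException | GeneralSecurityException e) {
                // Unreadable or undecryptable identity: skip it, as ssh does,
                // so the remaining identities can still be offered.
            }
        }
        return Collections.unmodifiableList(keys);
    }

    Iterable<KeyPair> loadWithRetry(Path file) throws IOException, GeneralSecurityException {
        for (int attempt = 1;; attempt++) {
            // One stateful FilePasswordProvider per attempt. It records whether the
            // parser asked for a passphrase at all (and for which resourceKey) and
            // whether the user cancelled; that state decides if a retry makes sense.
            PromptOnce provider = new PromptOnce(attempt);
            try {
                return loader.load(file, provider);
            } catch (IOException | GeneralSecurityException e) {
                boolean wrongPassphrase = provider.asked && !provider.cancelled;
                if (!wrongPassphrase || attempt >= maxPrompts) {
                    // Never asked: the key was not encrypted, or parsing failed
                    // before decryption, so another passphrase cannot help.
                    throw e;
                }
            }
        }
    }

    private final class PromptOnce implements FilePasswordProvider {
        final int attempt;
        boolean asked;
        boolean cancelled;
        String resourceKey;

        PromptOnce(int attempt) { this.attempt = attempt; }

        @Override
        public String getPassword(String resourceKey) throws IOException {
            this.asked = true;
            this.resourceKey = resourceKey;   // the "hint" naming the resource being decoded
            String pw = prompter.askPassphrase(resourceKey, attempt, maxPrompts);
            if (pw == null) {
                cancelled = true;             // user gave up: do not re-prompt
            }
            return pw;
        }
    }
}
```

The retry decision rests entirely on the per-attempt provider state: a failure in which {{getPassword}} was never called is treated as a parse error rather than a wrong passphrase, which is the distinction the reporter was worried about. The {{maxPrompts}} value can be taken from the same {{ClientAuthenticationManager.PASSWORD_PROMPTS}} session property the issue mentions for keyboard-interactive authentication, so both prompt counts stay in step. Before reusing this against a newer sshd release, check that the {{FilePasswordProvider}} and {{KeyPairProvider}} method signatures assumed here still match the version on the classpath.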
> Add capability to retry a failed private key decryption when client is decrypting private key file(s)
> -----------------------------------------------------------------------------------------------------
>
>                 Key: SSHD-850
>                 URL: https://issues.apache.org/jira/browse/SSHD-850
>             Project: MINA SSHD
>          Issue Type: New Feature
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Thomas Wolf
>            Priority: Minor
>
> In openssh, the ssh config entry NumberOfPasswordPrompts controls the number of times the ssh client keeps asking for a password if the one entered was invalid in two cases:
>  # keyboard-interactive authentication, and
>  # asking for passwords for encrypted private keys in identity files in pubkey authentication (see [openssh sources; sshconnect2.c|https://github.com/openssh/openssh-portable/blob/1a4a9cf/sshconnect2.c#L1380]).
> sshd-core only has support for (1) through setting the property {{ClientAuthenticationManager.PASSWORD_PROMPTS}} in the session's properties.
> There doesn't seem to be any support for FilePasswordProvider to make it respect this value.
> {{AbstractPEMResourceKeyPairParser.extractKeyPairs()}} and also {{BouncyCastleKeyPairResourceParser.loadKeyPair()}} call {{FilePasswordProvider.getPassword()}} exactly once.
> So how can I write an ssh client using sshd that asks the user NumberOfPasswordPrompts times? Either I'm missing something, or there is some support for this missing in sshd.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
