Allow for the use of HTTP or SOCKS proxies #309

Open
Ingo13F opened this issue Jan 11, 2023 · 13 comments
Labels
feature request A request for a new feature


@Ingo13F

Ingo13F commented Jan 11, 2023

Description

I am using MINA SSHD as part of Spring Integration 6.0.1 since it replaced the JSch SSH implementation there.
However, I was using an HTTP proxy to connect with JSch and this seems to be no longer possible with MINA because it supports only SSH jump hosts as a proxy.

So my request would be to implement a more flexible approach to proxies and also allow for the use of HTTP and SOCKS proxies.

Motivation

This feature is needed to make it possible to use MINA SSHD and the frameworks that depend on it in environments where the server being accessed can only be reached via an HTTP/SOCKS proxy.

Especially in scenarios where MINA SSHD is used for transferring data via SFTP this seems not to be a far-fetched scenario.

Alternatives considered

An alternative would be to install a jump host with internet access. However, in larger organizations this might not always be possible, or take a long time to make it through all the corporate red tape.

Additional context

No response

@tomaswolf
Member

It is possible to connect via HTTP or SOCKS proxies with Apache MINA sshd. But the library does not provide this feature out of the box; users have to write their own code.

See SSHD-1008.

Also related: SSHD-751

tomaswolf added the "feature request" label Jan 11, 2023
@Ingo13F
Author

Ingo13F commented Jan 11, 2023

If I see this correctly this would be accomplished by subclassing SshClient and overwriting the connect method as well as implementing the ProxyConnectors.
In my opinion, this is not code that the user of a library should write. Especially subclassing the client implementation to change its behavior doesn't sound right to me.

@tomaswolf
Member

I was just describing the current state. It is a valid feature request. Though perhaps not "allowing" it, since that is already the case, but providing built-in connectors for HTTP or SOCKS proxies, and wiring them up in SshClient (including some proxy selector abstraction; the single JVM-wide ProxySelector may not cut it for all use cases). Just needs someone who has the time to do this right, including tests. Perhaps the way it was done in JGit can serve as a starting point.
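
What a built-in SOCKS connector would have to send and validate before the SSH identification exchange starts, as an added example that is not part of this thread and is not MINA sshd or JGit code: a SOCKS5 CONNECT per RFC 1928 with no proxy authentication. The class and method names, the sample host and the sample reply bytes are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added illustration of RFC 1928 framing; hypothetical names, not a MINA sshd API.
public class Socks5ConnectSketch {

    // Greeting: version 5, one method offered, 0x00 = "no authentication".
    // The proxy answers with two bytes {0x05, chosen-method}.
    static byte[] greeting() {
        return new byte[] {0x05, 0x01, 0x00};
    }

    // CONNECT request using ATYP 0x03 (domain name), so the proxy resolves
    // the target and the client performs no local DNS lookup for it.
    static byte[] connectRequest(String host, int port) {
        byte[] name = host.getBytes(StandardCharsets.US_ASCII);
        if (name.length == 0 || name.length > 255 || port < 1 || port > 65535) {
            throw new IllegalArgumentException("bad target " + host + ":" + port);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(new byte[] {0x05, 0x01, 0x00, 0x03}, 0, 4); // VER, CMD=CONNECT, RSV, ATYP
        out.write(name.length);                               // one length byte
        out.write(name, 0, name.length);
        out.write(port >> 8);                                 // port, network byte order
        out.write(port);                                      // write(int) keeps the low 8 bits
        return out.toByteArray();
    }

    // Validates the proxy's reply and returns how many bytes it occupies.
    // Everything after that offset already belongs to the SSH stream.
    static int checkReply(byte[] r) {
        if (r.length < 5 || r[0] != 0x05) throw new IllegalStateException("not a SOCKS5 reply");
        if (r[1] != 0x00) throw new IllegalStateException("proxy refused, REP=" + (r[1] & 0xff));
        int addrLen;
        switch (r[3]) {
            case 0x01: addrLen = 4; break;                    // IPv4
            case 0x04: addrLen = 16; break;                   // IPv6
            case 0x03: addrLen = 1 + (r[4] & 0xff); break;    // length-prefixed name
            default: throw new IllegalStateException("unknown ATYP " + r[3]);
        }
        int total = 4 + addrLen + 2;                          // header + BND.ADDR + BND.PORT
        if (r.length < total) throw new IllegalStateException("truncated reply");
        return total;
    }

    public static void main(String[] args) {
        byte[] okReply = {0x05, 0x00, 0x00, 0x01, 10, 0, 0, 1, 0x04, 0x38}; // constructed sample
        System.out.println("request length: " + connectRequest("sftp.example.org", 22).length);
        System.out.println("reply length:   " + checkReply(okReply));
    }
}
```

The proxy only relays bytes once CONNECT succeeds, so the SSH client's own server host key verification still has to run against the real target.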

@Ingo13F
Author

Ingo13F commented Jan 11, 2023

Ah, yes sure. That's more of a wording issue then. I concur: The code from jGit for proxy handling should somehow make its way into MINA SSHD and all is good.

@artembilan

Hi here!

Any chances to have some sample how to configure SshClient for SOCKS forwarding and how to use that feature respectively?

BTW, it looks like you don't need sshd-spring-sftp module any more since Spring Integration SFTP support is now fully based on Apache MINA: https://github.com/spring-projects/spring-integration/wiki/Spring-Integration-5.x-to-6.0-Migration-Guide#migrate-sftp-module-from-jsch-to-apache-mina.

We won't mind any contribution back, though, if we miss something in our org.springframework.integration.sftp.session.DefaultSftpSessionFactory implementation.

Thank you!

@Ingo13F
Author

Ingo13F commented Feb 22, 2023

> Hi here!
>
> Any chances to have some sample how to configure SshClient for SOCKS forwarding and how to use that feature respectively?

Hello Artem,
I'm not sure if I get this right. For MINA SshClient there is no support for SOCKS proxies, only for SSH jump hosts. This is precisely what this feature request is about.

@artembilan

Hm, but this sample does something on the matter, although it is not clear how to leverage that for our SftpClient usage then:

    sftpClient =
            SftpClientFactory.instance()
                    .createSftpClient(initClientSession(), this.sftpVersionSelector);
    ...
    ClientSession clientSession =
            this.sshClient.connect(config)
                    .verify(verifyTimeout)
                    .getSession();

@Ingo13F
Author

Ingo13F commented Feb 23, 2023

Ah, yes as @tomaswolf already pointed out you could write your own code to handle a SOCKS proxy outside of MINA.
He suggested an approach which they used in jGit and which obviously works: In https://git.eclipse.org/r/plugins/gitiles/jgit/jgit/+/master/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java you can see that they subclass the MINA SshClient, override the "connect" method and "smuggle" the proxy in there.

As for the example you posted, I'm not sure what to make out of it. I can see a SOCKS proxy is created and is used to read from a java.net.HttpURLConnection. But I don't see how this proxy is used with MINA. But maybe I missed it; the code is a bit, uuhmm... hard on the eyes.

@david0

david0 commented Feb 24, 2023

I have had the same struggles and managed to get JGitSshClient working. Here is a minimal example that puts everything together: https://github.com/david0/mina-ssh-over-socks/blob/main/src/main/java/Main.java#L22

I would prefer if MINA would come with SOCKS support built-in, since recent JGit >= 6.0 needs Java 11 minimum.

@gurka

gurka commented Sep 28, 2023

Hi @david0, sorry to ping you here, but I just wanted to ask if you (or anyone else here) know if public key identities have to be added in another way after switching to JGitSshClient? It successfully connects via SOCKS, but during authentication it says that no public keys are available. What is also strange is that it tries to use the DefaultClientIdentityLoader even though I have set a custom one.

This all worked OK before I added JGitSshClient. I guess this is related to this comment in JGitSshClient.java

> It creates specialized JGitClientSessions that know about the HostConfigEntry they were created for, and it loads all KeyPair identities lazily.

Edit: I replaced sshClient.addPublicKeyIdentity(keyPair); with sshClient.setKeyIdentityProvider((KeyPairProvider) session -> List.of(keyPair));, and now it works

@tomaswolf
Member

tomaswolf commented Sep 28, 2023

> after switching to JGitSshClient?

Huh? If you are talking about the internal client that is used inside JGit's binding to Apache MINA sshd, then please note:

  1. This is an internal class in JGit. It is not intended for general-purpose use.
  2. It is tailored to the use case of JGit.
  3. JGit creates a new client for each SSH connection/session. (git push, fetch, clone, ls-remote) The client is not intended to be re-used across several sessions. (Except proxyjumping.) Maybe it works, but more likely not since we (the JGit team) never tested that since it's not our use case.
  4. The client is configured specially via JGit's SshdSessionFactory.
  5. If that client is used outside of JGit and fails, neither the JGit maintainers nor the Apache MINA sshd maintainers can provide any support.

@gurka

gurka commented Sep 28, 2023

I was just testing the sample code provided by david0

@vigneshcan111

Team,
Is there any update on this?
