test #246
Closed
test #246
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ssing a file/folder via SFTP
…lback to DH group exchange using SHA-1 if no suitable primes found for SHA-256
SftpInputStreamAsync.transferTo must not have the @OverRide annotation; it's an override only from JAva 11 on.
If the server had announced via server-sig-algs which signature algorithms it supports, UserAuthPubKey tries the known algorithms first. If authentication with such a known signature algorithm fails, there is no point trying other algorithms. Trying different signature algorithms may make sense only if the client doesn't know which algorithms the server supports.
…esProvider#loadIdentities
…eflect the use of a property to govern fallback mode
Install a DefaultClientKexExtensionHandler by default.
When the peer closes the channel, just reply with a CLOSE message. Do not send an EOF before the CLOSE. See RFC 4254, section 5.3.[1] [1] https://tools.ietf.org/html/rfc4254#section-5.3
…Utils#resolveDefaultClass in SecurityProviderRegistrars (apache#189) Signed-off-by: Grzegorz Grzybek <gr.grzybek@gmail.com>
Rename the method to getCertPubKey() in preparation of using the class also for client certificate pubkey login.
Drop the restriction to host keys only in OpenSshCertificate. Add comparison of OpenSshCertificate taking into account the public key of the certificates, their serial number, and their signatures. Add a signature algorithm map to be able to choose the correct signature algorithm name during pubkey authentication. Also-by: Alex Sherwin <alex-sherwin@users.noreply.github.com>
Add a unit test exercising authentication with all supported *-cert key types against a real OpenSSH server run in a docker container. The OpenSSH server runs in an Alpine container and is primed with two host keys, selectable via an environment variable, and two users. It supports pubkey and password authentication. The test case uses org.testcontainers to build a cached docker image and to run and teardown the docker container instance. The test uses the Apache MINA sshd client using client certificate keys to authenticate at the OpenSSH server in the docker container. The test is not run with the mina and netty back-ends; testcontainers has problems resolving files when run from the re-usable test JAR. It also isn't run on Windows; GitHub actions Windows Server VM's don't have Docker (Linux) support. Also note that the test makes sure that the real BouncyCastle security provider is installed; testcontainers contains a shaded BC copy that may fail at runtime due to being unsigned.
Running a "mvn clean install" from the source tar archive failed for some container tests because unpacking the tar might not preserve executable bits. Testcontainers need an entrypoint that is executable, or otherwise the entrypoint script must not be run directly but via a shell explicitly. Rewrite the two problematic tests to ensure the entrypoint script is always executable, irrespective of whether the test resource has the bit set.
… Java versions > 8
If there's an exception in Nio2Connector after the session was set on the DefaultIoConnectFuture, a program might just hang on that session until the next read or write attempt, or until a timeout expired. This was caused by closing the underlying connection, but not properly closing the already existing session, and because the session was already set on the future, setting the exception had no effect anymore. Fix this by immediately closing the Nio2Session properly in that case.
Make sure that a thread does not try to acquire the write lock if it already holds the read lock. This could happen if a write is not enqueued and there is an exception during writing, and we then try to close the session on the same thread. The read/write lock is used for three purposes: first, it gives the flushing thread trying to empty the queue of pending packets priority over other threads trying to enqueue more packets, and second, it is held during writeOrEnqueue() while writing a packet directly to prevent that the KEX state changes between being checked and the write being done, and third, to prevent that the KEX state changes asynchronously while the flushing thread is checking it. The read/write lock itself does not serve to ensure mutual exclusion on the KEX state itself. These three functions can also be fulfilled if update() is executed when only the read lock is held. If a thread in update() holds the read lock, this can only occur if it wrote the buffer directly in writeOrEnqueue(), in which case it is fine to proceed, and the flushing thread for sure is not in its critical region where it holds the write lock. Otherwise, any other thread either is the flushing thread and holds the write lock already, or it's a thread not holding the lock at all. In both cases it is fine to acquire the write lock.
If data is appended while a file is read via SFTP, SftpInputStreamAsync would enter an infinite loop if requestOffset >= fileSize + bufferSize. Fix this and issue only sequential read requests once we detect that we're beyond the expected EOF.
More precise logging in onWritten() to distinguish the cases better.
Ensure that the IoProcessor pool is disposed, otherwise a selector may not get closed, leading to a file handle leak.
Author
|
test |
Author
|
ssssss |
Author
|
comment |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
19 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.