SSHD-1063 (MINA SSHD)

KnownHostsServerKeyVerifier fails with alternative ports (non 22/TCP)

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.1
    • Fix Version/s: 2.6.0
    • Component/s: None

    Description

      First connection, to port 22, creates an entry in known_hosts (this is OK).

      2020-08-21 18:09:56.249 [connection:host-1-p22-1] [INFO] SSHClient - Connecting to: test-sshd@192.168.7.5:22
      2020-08-21 18:09:56.489 [connection:host-1-p22-1] [INFO] SSHClient - Session established: test-sshd@192.168.7.5:22
      

      After disconnecting, a second connection to port 2020 (same IP but another port, answered by another SSH service) fails because a changed key is detected (this is bad).

      2020-08-21 18:10:02.174 [connection:host-1-p2020-1] [INFO] SSHClient - Connecting to: test-sshd@192.168.7.5:2020
      2020-08-21 18:10:02.529 [sshd-SshClient[47d4d899]-nio2-thread-9] [WARN] ClientSessionImpl - exceptionCaught(ClientSessionImpl[test-sshd@hostname/192.168.7.5:2020])[state=Opened] SshException: Server key did not validate
      2020-08-21 18:10:02.529 [sshd-SshClient[47d4d899]-nio2-thread-9] [INFO] ClientSessionImpl - Disconnecting(ClientSessionImpl[test-sshd@hostname/192.168.7.5:2020]): SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - Server key did not validate
      2020-08-21 18:10:02.529 [sshd-SshClient[47d4d899]-nio2-thread-9] [WARN] ClientSessionImpl - disconnect(ClientSessionImpl[test-sshd@hostname/192.168.7.5:2020]) operation failed (ClosedChannelException) for reason=SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE [Server key did not validate]: null
      2020-08-21 18:10:02.529 [connection:host-1-p2020-1] [ERROR] SSHClient - IOException: org.apache.sshd.common.SshException: Server key did not validate
      

      If the first connection is to port 2020 and the second is to port 22, two entries are created in known_hosts and all works fine.

      To reproduce, with this snippet of code:

      import java.io.File;

      import org.apache.sshd.client.SshClient;
      import org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier;

      // Start from an empty known_hosts so the first connection records the server key
      final File knownHost = new File("/tmp/known_hosts");
      knownHost.delete();
      knownHost.createNewFile();
      // Delegate verifier: accept (and record) any server key that has no entry yet
      KnownHostsServerKeyVerifier hostVerifier = new KnownHostsServerKeyVerifier(((sshClientSession, remoteAddress, serverKey) -> true), knownHost.toPath()); // Accept unknown
      // A key that differs from the recorded entry is rejected, never silently updated
      hostVerifier.setModifiedServerKeyAcceptor((clientSession, remoteAddress, entry, expected, actual) -> false); // Reject modified
      SshClient client = SshClient.setUpDefaultClient();
      client.setServerKeyVerifier(hostVerifier);
      client.start();
      // ...etc...
      
      • Connect to server A, port 22.
      • Connect to server A, port 2020 (for the test, I'm using rinetd on server A to redirect port 2020 to server B, port 22).

      My intuition tells me that the solution (or maybe a workaround) could be this little change:

      // class: org.apache.sshd.client.config.hosts.KnownHostHashValue
          public static <A extends Appendable> A appendHostPattern(A sb, String host, int port) throws IOException {
      -        boolean nonDefaultPort = (port > 0) && (port != SshConstants.DEFAULT_PORT);
      +        boolean nonDefaultPort = true;
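Review bot: Forcing nonDefaultPort to true in appendHostPattern only changes how new entries are written, so every entry, port 22 included, would come out in the bracketed [host]:port form; the symptom in the report (the bare 192.168.7.5 entry recorded after the port-22 connection being used to validate the server on port 2020) is a lookup problem, and lookup is not touched by this hunk. Bracketing default-port entries also diverges from OpenSSH, which never writes [host]:22, so files shared with an OpenSSH client would carry two spellings of the same host. Suggest keeping `boolean nonDefaultPort = (port > 0) && (port != SshConstants.DEFAULT_PORT);` and instead making the matching side treat a bare-host pattern as applying to the default port only, so that a port-2020 lookup finds nothing, the accept-unknown delegate runs, and a separate [192.168.7.5]:2020 entry is recorded, which is exactly the behaviour the report already sees when the two ports are connected in the opposite order.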
      
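An added illustration of the known_hosts matching that the report hinges on, written for this page and not taken from MINA SSHD or from the reporter: a small Python model of the OpenSSH host-pattern convention (bare host for port 22, [host]:port otherwise, hashed |1| entries, * and ? wildcards, ! negation) with a verifier that answers ok, changed or unknown. The buggy flag is an assumed model of the reported behaviour (a bare-host entry also matching other ports on the same address), not the library's actual lookup code; the 192.168.7.5 / 2020 values mirror the report, and the key blobs are constructed.

```python
import base64
import hashlib
import hmac
import os
import re

DEFAULT_PORT = 22


def host_pattern(host, port):
    """OpenSSH known_hosts convention: a bare host name stands for the default
    port only; any other port is written as [host]:port (port 0 = unset)."""
    host = host.lower()
    if port > 0 and port != DEFAULT_PORT:
        return "[%s]:%d" % (host, port)
    return host


def hash_host_pattern(pattern, salt=None):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, pattern))."""
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, pattern.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def pattern_matches(entry_pattern, candidate):
    """Match one host pattern from a known_hosts line against a candidate
    ("host" or "[host]:port"). Only * and ? are wildcards; brackets are literal."""
    if entry_pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = entry_pattern.split("|")
        actual = hmac.new(base64.b64decode(salt_b64), candidate.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(digest_b64), actual)
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in entry_pattern.lower())
    return re.fullmatch(regex, candidate) is not None


def parse_known_hosts(text):
    """Yield (patterns, key_type, key_data) per host-key line; comments and
    @cert-authority / @revoked marker lines are skipped (not plain host keys)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        yield parts[0].split(","), parts[1], parts[2]


def lookup(text, host, port, bare_host_matches_any_port=False):
    """Return the (key_type, key_data) pairs recorded for host:port.

    bare_host_matches_any_port=True is an assumed model of the behaviour in the
    report (not MINA SSHD's code): a bare-host entry written after a port-22
    connection is also used when another port on the same address is looked up."""
    candidate = host_pattern(host, port)
    found = []
    for patterns, key_type, key_data in parse_known_hosts(text):
        negative = [p[1:] for p in patterns if p.startswith("!")]
        positive = [p for p in patterns if not p.startswith("!")]
        if any(pattern_matches(p, candidate) for p in negative):
            continue  # a negated pattern excludes this host from the line
        hit = any(pattern_matches(p, candidate) for p in positive)
        if not hit and bare_host_matches_any_port:
            hit = any(p[0] not in "[|" and pattern_matches(p, host.lower()) for p in positive)
        if hit:
            found.append((key_type, key_data))
    return found


def verify(text, host, port, key_type, key_data, buggy=False):
    """'ok': host:port presents a recorded key. 'changed': it presents a different
    key of a recorded type (possible MITM, must be rejected). 'unknown': nothing
    recorded for this host:port; the caller decides on trust-on-first-use."""
    known = lookup(text, host, port, bare_host_matches_any_port=buggy)
    if (key_type, key_data) in known:
        return "ok"
    if any(kt == key_type for kt, _ in known):
        return "changed"
    return "unknown"


def record(text, host, port, key_type, key_data):
    """Append an entry the way the accept-unknown delegate in the report would."""
    return text + "%s %s %s\n" % (host_pattern(host, port), key_type, key_data)


# Constructed sample key blobs (not real keys); A and B are two different servers.
KEY_SERVER_A = "AAAAC3NzaC1lZDI1NTE5AAAAIServerAServerAServerAServerAServerAServer"
KEY_SERVER_B = "AAAAC3NzaC1lZDI1NTE5AAAAIServerBServerBServerBServerBServerBServer"


def reported_scenario(first_port, second_port, buggy=False):
    """Connect to 192.168.7.5 on first_port (server A), then on second_port
    (server B behind the rinetd redirect). Returns the second verdict and the
    known_hosts text, recording an entry whenever the host:port was unknown."""
    kh = record("", "192.168.7.5", first_port, "ssh-ed25519", KEY_SERVER_A)
    verdict = verify(kh, "192.168.7.5", second_port, "ssh-ed25519", KEY_SERVER_B, buggy)
    if verdict == "unknown":
        kh = record(kh, "192.168.7.5", second_port, "ssh-ed25519", KEY_SERVER_B)
    return verdict, kh


if __name__ == "__main__":
    for buggy in (True, False):
        verdict, kh = reported_scenario(22, 2020, buggy)
        print("buggy=%s: second connection (port 2020) -> %s" % (buggy, verdict))
        print(kh)
```

Run directly, the port-22-then-2020 sequence comes out as changed under the assumed buggy matching and as unknown under the OpenSSH convention, in which case a separate [192.168.7.5]:2020 entry is recorded; the 2020-then-22 order yields two entries either way, as the report observes. Nothing in this model needs port-22 entries written in bracketed form: the distinction between the two services lives in how a bare-host pattern is matched, not in how it is written.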

      Attachments

        1. debug-2020.log (21 kB, Guillermo Grandes)
        2. debug-22.log (23 kB, Guillermo Grandes)
        3. known-2020 (0.2 kB, Guillermo Grandes)
        4. known-22 (0.2 kB, Guillermo Grandes)
        5. test2-debug-2020.log (24 kB, Guillermo Grandes)
        6. test2-debug-22.log (23 kB, Guillermo Grandes)
        7. test2-known-2020 (0.1 kB, Guillermo Grandes)
        8. test2-known-22 (0.3 kB, Guillermo Grandes)

      People

        Assignee: Lyor Goldstein (lgoldstein)
        Reporter: Guillermo Grandes (technobcn)
        Votes: 0
        Watchers: 2

      Time Tracking

        Time Spent: 0.5h