Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
0.14.0
None
Description
Given a client that incorrectly tries to connect to Mina SSHD using HTTP (such as a Git client using an incorrect remote URL), Mina SSHD is much less strict than OpenSSH.
OpenSSH immediately closes the connection:
$ curl -v http://127.0.0.1:4722/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 4722 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:4722
> Accept: */*
>
SSH-2.0-OpenSSH_6.6.1
Protocol mismatch.
* Connection #0 to host 127.0.0.1 left intact
$
Mina SSHD (master) waits for further input, and the connection is only closed when the auth timeout is reached (2 minutes currently):
$ curl -v http://127.0.0.1:51328/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 51328 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:51328
> Accept: */*
>
SSH-2.0-SSHD-CORE-0.13.1-SNAPSHOT
(In 0.9, there was also a bug that caused the auth timeout to never be triggered, but that seems to have been fixed in 0.10 due to the work on SSHD-282.)
The code for this is in AbstractSession#doReadIdentification. I'm not sure if it should be as strict as OpenSSH (which only looks at the first line), but maybe it would be worth making this configurable.
A workaround is possible by providing a custom SessionFactory and ServerSession and overriding doReadIdentification.
For background, see this Stash issue: https://jira.atlassian.com/browse/STASH-5480
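The identification-line decision the issue compares, as an added Python example that is neither Mina SSHD's nor OpenSSH's code: it models what a server does with the first bytes a client sends (RFC 4253 section 4.2, where the client must send its version string first). Strict mode is the OpenSSH behaviour described above, examining only the first line and closing on anything that is not "SSH-"; lenient mode is the configurable alternative the reporter suggests, skipping junk lines but bounding how much it will read so an HTTP client is still cut off quickly rather than held until the auth timeout. The caps MAX_LENIENT_LINES and MAX_LENIENT_BYTES and the sample inputs are assumed values constructed for the example.

```python
"""Client identification-line check for an SSH server (RFC 4253 section 4.2).

Constructed example, not Mina SSHD or OpenSSH code.  Strict mode mirrors
OpenSSH: only the first line is examined.  Lenient mode skips lines before
the version string but bounds the work so the connection is never left
waiting on garbage input.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# RFC 4253 4.2: identification string is at most 255 bytes including CR LF.
MAX_IDENT_LINE = 255
# Assumed caps for lenient mode (not from the issue): how many pre-version
# lines and how many total bytes the server is willing to swallow.
MAX_LENIENT_LINES = 16
MAX_LENIENT_BYTES = 4096

ACCEPT = "accept"        # version string parsed, continue with key exchange
NEED_MORE = "need_more"  # no complete line yet, keep reading
MISMATCH = "mismatch"    # close the connection (OpenSSH: "Protocol mismatch.")

# Constructed samples: what curl from the issue sends, and a real SSH hello.
HTTP_REQUEST = (b"GET / HTTP/1.1\r\nUser-Agent: curl/7.37.1\r\n"
                b"Host: 127.0.0.1:4722\r\nAccept: */*\r\n\r\n")
SSH_HELLO = b"SSH-2.0-OpenSSH_6.6.1\r\n"


@dataclass
class IdentResult:
    status: str
    version: Optional[str] = None  # e.g. "SSH-2.0-OpenSSH_6.6.1"
    reason: str = ""


def _split_line(buf: bytes) -> tuple[Optional[bytes], bytes]:
    """Return (line without CR/LF, remaining bytes), or (None, buf) if no LF yet."""
    nl = buf.find(b"\n")
    if nl < 0:
        return None, buf
    line = buf[:nl]
    if line.endswith(b"\r"):
        line = line[:-1]
    return line, buf[nl + 1:]


def read_identification(buf: bytes, strict: bool = True) -> IdentResult:
    """Decide what the server should do with the client bytes received so far."""
    lines_seen = 0
    consumed = 0
    rest = buf
    while True:
        line, rest = _split_line(rest)
        if line is None:
            # No complete line yet.  Reject early when the partial data can no
            # longer become a valid identification string.
            if len(rest) > MAX_IDENT_LINE:
                return IdentResult(MISMATCH, reason="identification line too long")
            if strict and rest and not b"SSH-".startswith(rest[:4]):
                return IdentResult(MISMATCH, reason="first bytes are not 'SSH-'")
            return IdentResult(NEED_MORE)
        consumed += len(line) + 1
        lines_seen += 1
        if line.startswith(b"SSH-"):
            text = line.decode("ascii", errors="replace")
            if not (text.startswith("SSH-2.0-") or text.startswith("SSH-1.99-")):
                return IdentResult(MISMATCH, version=text,
                                   reason="unsupported protocol version")
            return IdentResult(ACCEPT, version=text)
        if strict:
            # OpenSSH behaviour: the first line must be the version string.
            return IdentResult(MISMATCH, reason="first line is not an SSH version string")
        # Lenient: skip the line, but never wait indefinitely for a version string.
        if lines_seen >= MAX_LENIENT_LINES or consumed >= MAX_LENIENT_BYTES:
            return IdentResult(MISMATCH, reason="too much data before version string")


if __name__ == "__main__":
    for label, data in (("curl", HTTP_REQUEST), ("ssh", SSH_HELLO)):
        for strict in (True, False):
            r = read_identification(data, strict=strict)
            print(f"{label:4} strict={strict!s:5} -> {r.status} {r.version or r.reason}")
```

With the curl request from the issue, strict mode answers "mismatch" on the first line, which is the point at which OpenSSH prints "Protocol mismatch." and closes; lenient mode reports "need_more" because no version string has appeared yet, which is the behaviour the issue observes in Mina SSHD, except that the byte and line caps guarantee the connection is eventually rejected even if the client never sends a newline-terminated version string.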