Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.4.0
    • Labels: None

      Description

      See http://www.unixwiz.net/techtips/ssh-agent-forwarding.html and http://www.securityfocus.com/infocus/1812

      To be compatible with the OpenSSH ssh client, we'd have to use Unix domain sockets, which require JNI.
      It could be done using the tomcat-apr Local class, or by importing the needed bits into our own native library.

      We could also have two different implementations, one using a local TCP socket and another using Unix sockets.

      1. SSHD-8.patch
        15 kB
        Guillaume Nodet

          Activity

          Guillaume Nodet added a comment -

          Work in progress for using tomcat-apr local sockets.

          Guillaume Nodet added a comment -

          Sending sshd-core/src/main/java/org/apache/sshd/ClientChannel.java
          Sending sshd-core/src/main/java/org/apache/sshd/ClientSession.java
          Adding sshd-core/src/main/java/org/apache/sshd/SshAgent.java
          Sending sshd-core/src/main/java/org/apache/sshd/SshClient.java
          Adding sshd-core/src/main/java/org/apache/sshd/agent
          Adding sshd-core/src/main/java/org/apache/sshd/agent/AgentClient.java
          Adding sshd-core/src/main/java/org/apache/sshd/agent/AgentLocal.java
          Adding sshd-core/src/main/java/org/apache/sshd/agent/AgentServer.java
          Adding sshd-core/src/main/java/org/apache/sshd/client/auth/UserAuthAgent.java
          Sending sshd-core/src/main/java/org/apache/sshd/client/auth/UserAuthPublicKey.java
          Sending sshd-core/src/main/java/org/apache/sshd/client/channel/AbstractClientChannel.java
          Adding sshd-core/src/main/java/org/apache/sshd/client/channel/ChannelAgentForwarding.java
          Sending sshd-core/src/main/java/org/apache/sshd/client/channel/ChannelShell.java
          Sending sshd-core/src/main/java/org/apache/sshd/client/kex/AbstractDHGClient.java
          Sending sshd-core/src/main/java/org/apache/sshd/client/session/ClientSessionImpl.java
          Sending sshd-core/src/main/java/org/apache/sshd/common/channel/AbstractChannel.java
          Sending sshd-core/src/main/java/org/apache/sshd/common/util/Buffer.java
          Sending sshd-core/src/main/java/org/apache/sshd/server/auth/UserAuthPublicKey.java
          Sending sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java
          Sending sshd-core/src/main/java/org/apache/sshd/server/kex/AbstractDHGServer.java
          Adding sshd-core/src/main/java/org/apache/sshd/server/session/AgentForwardSupport.java
          Sending sshd-core/src/main/java/org/apache/sshd/server/session/ServerSession.java
          Adding sshd-core/src/test/java/org/apache/sshd/AgentTest.java
          Transmitting file data ......................
          Committed revision 889300.

          Guillaume Nodet added a comment -

          Note that the current SSH agent is quite insecure because it uses a plain TCP/IP socket: even if it is bound only to localhost, any other process could access the private keys. We should try to use Unix sockets using APR or the VM transport.

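The socket point in the comment above, together with the OpenSSH-compatible agent the description asks for, as an added example written in Python rather than the project's Java (this is not SSHD's own code): an agent listener bound the way ssh-agent does it (0700 directory, 0600 socket), a client that refuses a socket another local user could reach before it sends SSH_AGENTC_REQUEST_IDENTITIES, and the uint32-length/byte-type framing both sides use. The message type numbers are from the OpenSSH agent protocol; the paths, function names and the empty key list are constructed for the demo.

```python
import os, shutil, socket, stat, struct, tempfile, threading
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12  # agent message types

def frame(msg_type, payload=b""):
    # Wire format of one agent message: uint32 length, byte type, payload.
    return struct.pack(">IB", len(payload) + 1, msg_type) + payload
def read_frame(sock):
    f = sock.makefile("rb")  # read(n) blocks until n bytes (or EOF) arrive
    body = f.read(struct.unpack(">I", f.read(4))[0])
    return body[0], body[1:]

def create_agent_socket(base_dir):
    # Like ssh-agent: a 0700 directory (mkdtemp's default mode) holding a 0600 socket.
    d = tempfile.mkdtemp(prefix="ssh-", dir=base_dir)
    path = os.path.join(d, "agent.%d" % os.getpid())
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)  # the 0700 directory already keeps other users out meanwhile
    srv.listen(1)
    return srv, path

def socket_is_private(path):
    # Unlike a loopback TCP port, a Unix socket has an owner and a mode: we must own
    # socket and directory, and neither may carry group/other permission bits.
    st, dst, uid = os.lstat(path), os.stat(os.path.dirname(path)), os.geteuid()
    return (stat.S_ISSOCK(st.st_mode) and st.st_uid == uid == dst.st_uid
            and (st.st_mode | dst.st_mode) & 0o077 == 0)

def serve_one(srv):
    # Agent side: answer one REQUEST_IDENTITIES with an empty key list (count 0).
    with srv, srv.accept()[0] as conn:
        assert read_frame(conn)[0] == SSH_AGENTC_REQUEST_IDENTITIES
        conn.sendall(frame(SSH_AGENT_IDENTITIES_ANSWER, struct.pack(">I", 0)))

def count_identities(path):
    # Client side: refuse a lax socket before talking to it, then ask for the key list.
    if not socket_is_private(path):
        raise PermissionError("agent socket reachable by other local users")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(frame(SSH_AGENTC_REQUEST_IDENTITIES))
        msg_type, payload = read_frame(c)
    assert msg_type == SSH_AGENT_IDENTITIES_ANSWER
    return struct.unpack(">I", payload[:4])[0]

def demo():
    srv, path = create_agent_socket(tempfile.gettempdir())  # constructed run
    threading.Thread(target=serve_one, args=(srv,)).start()
    n = count_identities(path)
    shutil.rmtree(os.path.dirname(path))
    return n
```

Running demo() returns 0 (the agent holds no keys); pointing count_identities at a socket whose directory or inode is group- or world-accessible raises PermissionError before any message is sent.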
          Guillaume Nodet added a comment -

          svn commit -m "SSHD-8: agent forwarding
          >
          > The main change in this commit is the switch from MINA as the transport mechanism to plain Tomcat/APR sockets, mostly because the MINA APR transport does not support Unix domain sockets. This allows interacting with the OpenSSH agent on Unix platforms, and it also secures the agent correctly."

          Sending trunk/pom.xml
          Sending trunk/sshd-core/pom.xml
          Deleting trunk/sshd-core/src/main/java/org/apache/sshd/SshAgent.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/SshClient.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/agent/AgentClient.java
          Adding trunk/sshd-core/src/main/java/org/apache/sshd/agent/AgentForwardSupport.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/agent/AgentLocal.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/agent/AgentServer.java
          Adding trunk/sshd-core/src/main/java/org/apache/sshd/agent/AprLibrary.java
          Adding trunk/sshd-core/src/main/java/org/apache/sshd/agent/ChannelAgentForwarding.java
          Adding trunk/sshd-core/src/main/java/org/apache/sshd/agent/SshAgent.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/client/auth/UserAuthAgent.java
          Deleting trunk/sshd-core/src/main/java/org/apache/sshd/client/channel/ChannelAgentForwarding.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/server/ForwardingFilter.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/server/command/ScpCommand.java
          Deleting trunk/sshd-core/src/main/java/org/apache/sshd/server/session/AgentForwardSupport.java
          Sending trunk/sshd-core/src/main/java/org/apache/sshd/server/session/ServerSession.java
          Sending trunk/sshd-core/src/test/java/org/apache/sshd/AgentTest.java
          Transmitting file data ................
          Committed revision 891692.


            People

            • Assignee: Guillaume Nodet
            • Reporter: Guillaume Nodet