Uploaded image for project: 'Maven Wagon'
  1. Maven Wagon
  2. WAGON-564

SSH connection failure because 'preferredAuthentications' option is ignored if password isn't set

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.3.3
    • Fix Version/s: 3.3.4
    • Component/s: wagon-ssh
    • Labels:
      None

      Description

      I am trying to upload a file via SSH with private key authentication, using the wagon-maven-plugin plugin. The Linux server that is also integrated with Kerberos (which I don't use).

      Although I provide a valid privateKey, and I set <preferredAuthentications>publickey</preferredAuthentications>, the Kerberos authentication is always triggered.

      While investigating, I have found the following root cause:

      In settings.xml, for a <server> you can decide to use SSH key based authentication instead of username/password:

      <server>
         <id>myserver</id>
         <username>bamboo</username>
         <privateKey>...path to the file...</privateKey>
      
         <configuration>
            <preferredAuthentications>publickey</preferredAuthentications>      
         </configuration>
      </server>
      

      According to the documentation, this authentication option only works if you omit the password element, otherwise privateKey is ignored.

      However, if password is omitted, then preferredAuthentications is ignored, as can be seen in AbstractJschWagon.java :: openConnectionInternal  (line 254)

      if ( authenticationInfo.getPassword() != null )
      {
          config.setProperty( "PreferredAuthentications", preferredAuthentications );
      }
      

       

      Thus, in practice, if you use privateKey based authentication, you cannot control the PreferredAuthentications parameter, and the default value is used: gssapi-with-mic,publickey,password,keyboard-interactive. This triggers Kerberos based authentication as the first option.

      A simple patch to solve this issue is to add to the lines above an else branch, like this:

              if ( authenticationInfo.getPassword() != null )
              {
                  config.setProperty( "PreferredAuthentications", preferredAuthentications );
              }
              else if ( !"gssapi-with-mic,publickey,password,keyboard-interactive".equals( preferredAuthentications ) )
              {
                  // if different then the default, always set
                  config.setProperty( "PreferredAuthentications", preferredAuthentications );
              }
      

       or to remove the the surrounding if-statement all-together 

        Attachments

          Activity

            People

            • Assignee:
              michael-o Michael Osipov
              Reporter:
              lburja Lucian Burja
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: