
Public key validation fails when SFTP server has multiple different key types #8701


Closed
adnsimona opened this issue Aug 14, 2023 · 4 comments
Labels
in: sftp status: duplicate There is already an issue similar to this. The link to it should be present type: bug

Comments

@adnsimona

In what version(s) of Spring Integration are you seeing this issue?

6.0.6

Describe the bug

When the SFTP server has multiple keys, the public key validator does not select the type described in the known_hosts file,
but requests a random one from the server and then loads the known_hosts to compare.
I did not find any option to force a certain public key type gathered from the server.

To Reproduce

See "Describe the bug"

Expected behavior

A) There is some setting to force a certain key type to load from the server
B) Loading the key type from the server described in the known_hosts in case of many different keys.

Sample

To make a sample, an sftp server must be configured with multiple keys (ssh-rsa, ecdsa-sha2-nistp256); then try to connect to it using the DefaultSftpSessionFactory, with known_hosts set to an ssh-rsa entry for that server and allowUnknownKeys set to false.

@adnsimona adnsimona added status: waiting-for-triage The issue need to be evaluated and its future decided type: bug labels Aug 14, 2023
@adnsimona
Author

It looks like only one (maybe the first in type name order?) key is loaded into Apache sshd-core/AbstractClientSession, which calls the verify method implemented from sshd's interface (ServerKeyVerifier) by this repository's sftp library's class (ResourceKnownHostsServerKeyVerifier). This would be a change for both sshd and spring-integration/sftp:

  • sshd: Pass all server keys to the interface for validation
  • spring-sftp: Compare all of the server keys with all of the known_hosts (can also contain multiple keys for same server) and find a match.

@artembilan
Member

It looks like this is a duplicate of #8674.
We have a fix there for matching different key types as well.

Please consider testing your solution against 6.0.7-SNAPSHOT.
We are planning to release it next week.

@artembilan artembilan added status: waiting-for-reporter Needs a feedback from the reporter in: sftp and removed status: waiting-for-triage The issue need to be evaluated and its future decided labels Aug 14, 2023
@artembilan
Member

6.1.2 has that fix though.
And yes, Apache MINA and its KnownHostsServerKeyVerifier still has to be fixed for key type comparison:

```java
String serverKeyType = KeyUtils.getKeyType(serverKey);
...
.filter(match -> serverKeyType.equals(match.getHostEntry().getKeyEntry().getKeyType()))
```
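The two comments above describe the same matching problem from both sides: the reporter's proposal to compare every server key against every known_hosts entry for the host, and the maintainer's point that the verifier must filter known_hosts entries by key type before comparing. The following is an added, self-contained Python model of that logic; it is not code from Spring Integration or Apache MINA sshd, and the hostnames and key blobs in it are constructed placeholders (base64-shaped strings, not real keys). It also handles OpenSSH's hashed host patterns (`|1|salt|hash`), which the thread does not mention, so that the host-matching side is shown in full.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample key blobs: placeholder text shaped like base64, not real keys.
RSA_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderRsaBlob"
ECDSA_BLOB = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYplaceholderEcdsaBlob"

# The situation from the report: known_hosts pins only the host's ssh-rsa key.
RSA_ONLY_KNOWN_HOSTS = f"""\
# constructed sample file
sftp.example.test ssh-rsa {RSA_BLOB}
"""

# The same file after the host's ECDSA key is pinned as well (comma-separated patterns).
FULL_KNOWN_HOSTS = RSA_ONLY_KNOWN_HOSTS + (
    f"sftp.example.test,10.0.0.5 ecdsa-sha2-nistp256 {ECDSA_BLOB}\n"
)


@dataclass(frozen=True)
class HostEntry:
    patterns: tuple  # host patterns from column 1 (comma-separated in the file)
    key_type: str    # e.g. ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
    key_b64: str     # the base64 key blob exactly as written in the file


def parse_known_hosts(text):
    """Parse plain and hashed entries; @marker lines (cert-authority/revoked) are skipped here."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore rather than match anything
        entries.append(HostEntry(tuple(parts[0].split(",")), parts[1], parts[2]))
    return entries


def hash_host_pattern(hostname, salt):
    """Build an OpenSSH hashed host pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def host_matches(pattern, hostname):
    """Match a hostname against one plain or hashed known_hosts pattern."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(digest).decode(), hash_b64)
    return pattern == hostname


def verify_server_key(entries, hostname, server_key_type, server_key_b64, filter_by_type=True):
    """Verify one key presented by the server.

    Returns ACCEPTED, UNKNOWN_HOST (no entry of this key type for the host) or
    KEY_MISMATCH (an entry of this type exists but the key differs).  With
    filter_by_type=False the entries of other key types are compared too, which is
    the behaviour the thread complains about: an RSA-only file makes a legitimate
    ECDSA key look like a changed key instead of an unknown one.
    """
    candidates = [e for e in entries if any(host_matches(p, hostname) for p in e.patterns)]
    if filter_by_type:
        candidates = [e for e in candidates if e.key_type == server_key_type]
    if not candidates:
        return "UNKNOWN_HOST"
    for e in candidates:
        if e.key_type == server_key_type and hmac.compare_digest(e.key_b64, server_key_b64):
            return "ACCEPTED"
    return "KEY_MISMATCH"


def verify_any_server_key(entries, hostname, server_keys):
    """The reporter's proposal: accept if any of the server's keys matches a pinned entry."""
    results = [verify_server_key(entries, hostname, t, b) for t, b in server_keys]
    if "ACCEPTED" in results:
        return "ACCEPTED"
    if "KEY_MISMATCH" in results:
        return "KEY_MISMATCH"
    return "UNKNOWN_HOST"


if __name__ == "__main__":
    rsa_only = parse_known_hosts(RSA_ONLY_KNOWN_HOSTS)
    print(verify_server_key(rsa_only, "sftp.example.test", "ecdsa-sha2-nistp256", ECDSA_BLOB,
                            filter_by_type=False))  # KEY_MISMATCH: wrong-type comparison
    print(verify_server_key(rsa_only, "sftp.example.test", "ecdsa-sha2-nistp256", ECDSA_BLOB))
    print(verify_any_server_key(rsa_only, "sftp.example.test",
                                [("ssh-rsa", RSA_BLOB), ("ecdsa-sha2-nistp256", ECDSA_BLOB)]))
```

The distinction between UNKNOWN_HOST and KEY_MISMATCH matters operationally: with `allowUnknownKeys` false both are rejected, but the first tells an operator to pin the missing key type (or have the client negotiate a host key algorithm that is already pinned), while the second is the signal that should trigger an investigation. Comparing the base64 text with `hmac.compare_digest` is a small habit worth keeping even for public data; parsing the blobs and comparing fingerprints would be the next step in a real verifier.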

@artembilan
Member

Closed as duplicate of: #8674

@artembilan artembilan added status: duplicate There is already an issue similar to this. The link to it should be present and removed status: waiting-for-reporter Needs a feedback from the reporter labels Aug 30, 2023