This is an automated email from the ASF dual-hosted git repository. twolf pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
The following commit(s) were added to refs/heads/master by this push:
new 402918e Allow using an SSH agent without agent forwarding
402918e is described below
commit 402918e03d22f86de77eb3270c8376cc0cb4e06e
Author: Thomas Wolf <tw...@apache.org>
AuthorDate: Sun Oct 24 19:55:12 2021 +0200
Allow using an SSH agent without agent forwarding
It's quite possible to use an SSH agent without agent forwarding. Apache MINA sshd should not require ChannelForwardingFactories being implemented by the SshAgentFactory. If it does, fine; if it does not, it's also fine and agent forwarding will simply not be available. Agent forwarding comes with a well-known security risk: root on the server could abuse the forwarded agent. Using the more modern ProxyJump feature it's possible to connect through jump hosts without agent forwarding (and without needing to put keys onto the jump host). So give users the option of providing an SshAgentFactory that only implements createClient(), but that returns null or an empty list from getChannelForwardingFactories().
---
.../org/apache/sshd/agent/SshAgentFactory.java | 5 ++--
.../java/org/apache/sshd/client/SshClient.java | 30 ++++++++++------------
2 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/sshd-core/src/main/java/org/apache/sshd/agent/SshAgentFactory.java b/sshd-core/src/main/java/org/apache/sshd/agent/SshAgentFactory.java
index a528d58..0eac17e 100644
--- a/sshd-core/src/main/java/org/apache/sshd/agent/SshAgentFactory.java
+++ b/sshd-core/src/main/java/org/apache/sshd/agent/SshAgentFactory.java
@@ -33,10 +33,11 @@ public interface SshAgentFactory {
 /**
 * The channels are requested by the ssh server when forwarding a client request. The channel will receive agent
- * requests and need to forward them to the agent, either local or through another proxy.
+ * requests and needs to forward them to the agent, either local or through another proxy.
 *
 * @param manager The {@link FactoryManager} through which the request is made
- * @return The {@link ChannelFactory}-ies used to create channels on the client side
+ * @return The {@link ChannelFactory}-ies used to create channels for agent forwarding on the client side.
+ * If {@code null} or empty, agent forwarding is not available.
 */
 List<ChannelFactory> getChannelForwardingFactories(FactoryManager manager);
diff --git a/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java b/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java
index 015ded1..3329658 100644
--- a/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java
+++ b/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java
@@ -403,25 +403,23 @@ public class SshClient extends AbstractFactoryManager implements ClientFactoryMa
 setKeyIdentityProvider(idsWatcher);
 }
- // Register the additional agent forwarding channel if needed
+ // Register the additional agent forwarding channel(s) if needed
 SshAgentFactory agentFactory = getAgentFactory();
 if (agentFactory != null) {
- List<ChannelFactory> forwarders = ValidateUtils.checkNotNullAndNotEmpty(
- agentFactory.getChannelForwardingFactories(this),
- "No agent channel forwarding factories for %s",
- agentFactory);
- List<? extends ChannelFactory> factories = getChannelFactories();
- if (GenericUtils.isEmpty(factories)) {
- factories = forwarders;
- } else {
- // create a copy in case un-modifiable original
- List<ChannelFactory> factories2 = new ArrayList<>(factories.size() + forwarders.size());
- factories2.addAll(factories);
- factories2.addAll(forwarders);
- factories = factories2;
+ List<ChannelFactory> forwarders = agentFactory.getChannelForwardingFactories(this);
+ if (!GenericUtils.isEmpty(forwarders)) {
+ List<? extends ChannelFactory> factories = getChannelFactories();
+ if (GenericUtils.isEmpty(factories)) {
+ factories = forwarders;
+ } else {
+ // create a copy in case un-modifiable original
+ List<ChannelFactory> factories2 = new ArrayList<>(factories.size() + forwarders.size());
+ factories2.addAll(factories);
+ factories2.addAll(forwarders);
+ factories = factories2;
+ }
+ setChannelFactories(factories);
 }
-
- setChannelFactories(factories);
 }
 if (GenericUtils.isEmpty(getServiceFactories())) {
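Review bot: The new `if (!GenericUtils.isEmpty(forwarders))` branch has no `else`, so a factory that returns null or an empty list is now silently skipped where the removed `ValidateUtils.checkNotNullAndNotEmpty` call used to fail loudly, and an operator cannot tell a deliberate opt-out from a misconfigured factory. Since the commit's whole purpose is to make "no forwarding" a supported configuration, the fact that forwarding is disabled deserves at least a debug log line, e.g. `} else { log.debug("Agent factory {} provides no channel forwarding factories; agent forwarding disabled", agentFactory); }`, so a later refusal of a server-initiated agent channel can be traced back to this decision (presumably that is what happens once no factory is registered for the channel type, but the channel-open path is outside this hunk). The enclosing method starts and ends outside the hunk, so it is also worth confirming nothing later in it still assumes the agent factory always contributes channel factories.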