From cefac9ec81878dfdbbcb0d13843cb2c4430786bc Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 08 Sep 2014 16:22:42 -0400
Subject: [PATCH] Fix value discarding bug in SafeTextModel
---
src/main/java/com/gitblit/transport/ssh/SshDaemon.java | 343 +++++++++++++++++++-------------------------------------
1 files changed, 119 insertions(+), 224 deletions(-)
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
index b3471a2..261daa6 100644
--- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
@@ -16,83 +16,48 @@
package com.gitblit.transport.ssh;
import java.io.File;
+import java.io.FileOutputStream;
import java.io.IOException;
+import java.io.OutputStreamWriter;
import java.net.InetSocketAddress;
-import java.net.SocketAddress;
-import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
import java.text.MessageFormat;
-import java.util.Arrays;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
-import javax.inject.Inject;
-
-import org.apache.mina.core.future.IoFuture;
-import org.apache.mina.core.future.IoFutureListener;
-import org.apache.mina.core.session.IoSession;
-import org.apache.mina.transport.socket.SocketSessionConfig;
import org.apache.sshd.SshServer;
-import org.apache.sshd.common.Channel;
-import org.apache.sshd.common.Cipher;
-import org.apache.sshd.common.Compression;
-import org.apache.sshd.common.KeyExchange;
-import org.apache.sshd.common.KeyPairProvider;
-import org.apache.sshd.common.Mac;
-import org.apache.sshd.common.NamedFactory;
-import org.apache.sshd.common.Session;
-import org.apache.sshd.common.Signature;
-import org.apache.sshd.common.cipher.AES128CBC;
-import org.apache.sshd.common.cipher.AES192CBC;
-import org.apache.sshd.common.cipher.AES256CBC;
-import org.apache.sshd.common.cipher.BlowfishCBC;
-import org.apache.sshd.common.cipher.TripleDESCBC;
-import org.apache.sshd.common.compression.CompressionNone;
-import org.apache.sshd.common.mac.HMACMD5;
-import org.apache.sshd.common.mac.HMACMD596;
-import org.apache.sshd.common.mac.HMACSHA1;
-import org.apache.sshd.common.mac.HMACSHA196;
-import org.apache.sshd.common.random.BouncyCastleRandom;
-import org.apache.sshd.common.random.SingletonRandomFactory;
-import org.apache.sshd.common.signature.SignatureDSA;
-import org.apache.sshd.common.signature.SignatureRSA;
+import org.apache.sshd.common.io.IoServiceFactoryFactory;
+import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;
+import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
+import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.util.SecurityUtils;
-import org.apache.sshd.server.CommandFactory;
-import org.apache.sshd.server.FileSystemFactory;
-import org.apache.sshd.server.FileSystemView;
-import org.apache.sshd.server.ForwardingFilter;
-import org.apache.sshd.server.PublickeyAuthenticator;
-import org.apache.sshd.server.SshFile;
-import org.apache.sshd.server.UserAuth;
-import org.apache.sshd.server.auth.UserAuthPublicKey;
-import org.apache.sshd.server.channel.ChannelDirectTcpip;
-import org.apache.sshd.server.channel.ChannelSession;
-import org.apache.sshd.server.kex.DHG1;
-import org.apache.sshd.server.kex.DHG14;
-import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
-import org.apache.sshd.server.session.ServerSession;
-import org.apache.sshd.server.session.SessionFactory;
+import org.bouncycastle.openssl.PEMWriter;
import org.eclipse.jgit.internal.JGitText;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.gitblit.Constants;
import com.gitblit.IStoredSettings;
import com.gitblit.Keys;
import com.gitblit.manager.IGitblit;
-import com.gitblit.utils.IdGenerator;
+import com.gitblit.transport.ssh.commands.SshCommandFactory;
+import com.gitblit.utils.JnaUtils;
import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.WorkQueue;
+import com.google.common.io.Files;
/**
* Manager for the ssh transport. Roughly analogous to the
- * {@link com.gitblit.git.GitDaemon} class.
- *
- * @author Eric Myhre
- *
+ * {@link com.gitblit.transport.git.GitDaemon} class.
+ *
*/
-public class SshDaemon extends SshServer {
+public class SshDaemon {
private final Logger log = LoggerFactory.getLogger(SshDaemon.class);
+
+ public static enum SshSessionBackend {
+ MINA, NIO2
+ }
/**
* 22: IANA assigned port number for ssh. Note that this is a distinct
@@ -102,93 +67,93 @@
*/
public static final int DEFAULT_PORT = 22;
- private static final String HOST_KEY_STORE = "sshKeyStore.pem";
+ private final AtomicBoolean run;
- private InetSocketAddress myAddress;
-
- private AtomicBoolean run;
-
- @SuppressWarnings("unused")
- private IGitblit gitblit;
+ private final IGitblit gitblit;
+ private final SshServer sshd;
/**
* Construct the Gitblit SSH daemon.
- *
+ *
* @param gitblit
+ * @param workQueue
*/
- @Inject
- SshDaemon(IGitblit gitblit, IdGenerator idGenerator,
- SshCommandFactory factory) {
+ public SshDaemon(IGitblit gitblit, WorkQueue workQueue) {
this.gitblit = gitblit;
- IStoredSettings settings = gitblit.getSettings();
- int port = settings.getInteger(Keys.git.sshPort, 0);
- String bindInterface = settings.getString(Keys.git.sshBindInterface,
- "localhost");
+ IStoredSettings settings = gitblit.getSettings();
+
+ // Ensure that Bouncy Castle is our JCE provider
+ SecurityUtils.setRegisterBouncyCastle(true);
+
+ // Generate host RSA and DSA keypairs and create the host keypair provider
+ File rsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-rsa-hostkey.pem");
+ File dsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-dsa-hostkey.pem");
+ generateKeyPair(rsaKeyStore, "RSA", 2048);
+ generateKeyPair(dsaKeyStore, "DSA", 0);
+ FileKeyPairProvider hostKeyPairProvider = new FileKeyPairProvider();
+ hostKeyPairProvider.setFiles(new String [] { rsaKeyStore.getPath(), dsaKeyStore.getPath(), dsaKeyStore.getPath() });
+
+ // Client public key authenticator
+ CachingPublicKeyAuthenticator keyAuthenticator =
+ new CachingPublicKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit);
+
+ // Configure the preferred SSHD backend
+ String sshBackendStr = settings.getString(Keys.git.sshBackend,
+ SshSessionBackend.NIO2.name());
+ SshSessionBackend backend = SshSessionBackend.valueOf(sshBackendStr);
+ System.setProperty(IoServiceFactoryFactory.class.getName(),
+ backend == SshSessionBackend.MINA
+ ? MinaServiceFactoryFactory.class.getName()
+ : Nio2ServiceFactoryFactory.class.getName());
+
+ // Create the socket address for binding the SSH server
+ int port = settings.getInteger(Keys.git.sshPort, 0);
+ String bindInterface = settings.getString(Keys.git.sshBindInterface, "");
+ InetSocketAddress addr;
if (StringUtils.isEmpty(bindInterface)) {
- myAddress = new InetSocketAddress(port);
+ addr = new InetSocketAddress(port);
} else {
- myAddress = new InetSocketAddress(bindInterface, port);
+ addr = new InetSocketAddress(bindInterface, port);
}
- setPort(myAddress.getPort());
- setHost(myAddress.getHostName());
- setup();
- setKeyPairProvider(new PEMGeneratorHostKeyProvider(new File(
- gitblit.getBaseFolder(), HOST_KEY_STORE).getPath()));
- setPublickeyAuthenticator(new SshKeyAuthenticator(gitblit));
+ // Create the SSH server
+ sshd = SshServer.setUpDefaultServer();
+ sshd.setPort(addr.getPort());
+ sshd.setHost(addr.getHostName());
+ sshd.setKeyPairProvider(hostKeyPairProvider);
+ sshd.setPublickeyAuthenticator(keyAuthenticator);
+ sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));
+ sshd.setSessionFactory(new SshServerSessionFactory());
+ sshd.setFileSystemFactory(new DisabledFilesystemFactory());
+ sshd.setTcpipForwardingFilter(new NonForwardingFilter());
+ sshd.setCommandFactory(new SshCommandFactory(gitblit, workQueue));
+ sshd.setShellFactory(new WelcomeShell(settings));
+
+ // Set the server id. This can be queried with:
+ // ssh-keyscan -t rsa,dsa -p 29418 localhost
+ String version = String.format("%s (%s-%s)", Constants.getGitBlitVersion().replace(' ', '_'),
+ sshd.getVersion(), sshBackendStr);
+ sshd.getProperties().put(SshServer.SERVER_IDENTIFICATION, version);
run = new AtomicBoolean(false);
- setCommandFactory(factory);
- setSessionFactory(newSessionFactory(idGenerator));
- }
-
- SessionFactory newSessionFactory(final IdGenerator idGenerator) {
- return new SessionFactory() {
- @Override
- protected ServerSession createSession(final IoSession io)
- throws Exception {
- log.info("connection accepted on " + io);
- if (io.getConfig() instanceof SocketSessionConfig) {
- final SocketSessionConfig c = (SocketSessionConfig) io
- .getConfig();
- c.setKeepAlive(true);
- }
- ServerSession s = (ServerSession) super.createSession(io);
- SocketAddress peer = io.getRemoteAddress();
- SshSession session = new SshSession(idGenerator.next(), peer);
- s.setAttribute(SshSession.KEY, session);
- io.getCloseFuture().addListener(
- new IoFutureListener<IoFuture>() {
- @Override
- public void operationComplete(IoFuture future) {
- log.info("connection closed on " + io);
- }
- });
- return s;
- }
- };
- }
-
- public int getPort() {
- return myAddress.getPort();
}
public String formatUrl(String gituser, String servername, String repository) {
- if (getPort() == DEFAULT_PORT) {
+ if (sshd.getPort() == DEFAULT_PORT) {
// standard port
- return MessageFormat.format("{0}@{1}/{2}", gituser, servername,
+ return MessageFormat.format("ssh://{0}@{1}/{2}", gituser, servername,
repository);
} else {
// non-standard port
return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}",
- gituser, servername, getPort(), repository);
+ gituser, servername, sshd.getPort(), repository);
}
}
/**
* Start this daemon on a background thread.
- *
+ *
* @throws IOException
* the server socket could not be opened.
* @throws IllegalStateException
@@ -199,12 +164,15 @@
throw new IllegalStateException(JGitText.get().daemonAlreadyRunning);
}
- super.start();
+ sshd.start();
run.set(true);
+ String sshBackendStr = gitblit.getSettings().getString(Keys.git.sshBackend,
+ SshSessionBackend.NIO2.name());
+
log.info(MessageFormat.format(
- "SSH Daemon is listening on {0}:{1,number,0}", myAddress
- .getAddress().getHostAddress(), myAddress.getPort()));
+ "SSH Daemon ({0}) is listening on {1}:{2,number,0}",
+ sshBackendStr, sshd.getHost(), sshd.getPort()));
}
/** @return true if this daemon is receiving connections. */
@@ -219,117 +187,44 @@
run.set(false);
try {
- super.stop();
+ ((SshCommandFactory) sshd.getCommandFactory()).stop();
+ sshd.stop();
} catch (InterruptedException e) {
log.error("SSH Daemon stop interrupted", e);
}
}
}
- /**
- * Performs most of default configuration (setup random sources, setup
- * ciphers, etc; also, support for forwarding and filesystem is explicitly
- * disallowed).
- *
- * {@link #setKeyPairProvider(KeyPairProvider)} and
- * {@link #setPublickeyAuthenticator(PublickeyAuthenticator)} are left for
- * you. And applying {@link #setCommandFactory(CommandFactory)} is probably
- * wise if you want something to actually happen when users do successfully
- * authenticate.
- */
- @SuppressWarnings("unchecked")
- public void setup() {
- if (!SecurityUtils.isBouncyCastleRegistered())
- throw new RuntimeException("BC crypto not available");
+ private void generateKeyPair(File file, String algorithm, int keySize) {
+ if (file.exists()) {
+ return;
+ }
+ try {
+ KeyPairGenerator generator = SecurityUtils.getKeyPairGenerator(algorithm);
+ if (keySize != 0) {
+ generator.initialize(keySize);
+ log.info("Generating {}-{} SSH host keypair...", algorithm, keySize);
+ } else {
+ log.info("Generating {} SSH host keypair...", algorithm);
+ }
+ KeyPair kp = generator.generateKeyPair();
- setKeyExchangeFactories(Arrays.<NamedFactory<KeyExchange>> asList(
- new DHG14.Factory(), new DHG1.Factory()));
+ // create an empty file and set the permissions
+ Files.touch(file);
+ try {
+ JnaUtils.setFilemode(file, JnaUtils.S_IRUSR | JnaUtils.S_IWUSR);
+ } catch (UnsatisfiedLinkError | UnsupportedOperationException e) {
+ // Unexpected/Unsupported OS or Architecture
+ }
- setRandomFactory(new SingletonRandomFactory(
- new BouncyCastleRandom.Factory()));
-
- setupCiphers();
-
- setCompressionFactories(Arrays
- .<NamedFactory<Compression>> asList(new CompressionNone.Factory()));
-
- setMacFactories(Arrays.<NamedFactory<Mac>> asList(
- new HMACMD5.Factory(), new HMACSHA1.Factory(),
- new HMACMD596.Factory(), new HMACSHA196.Factory()));
-
- setChannelFactories(Arrays.<NamedFactory<Channel>> asList(
- new ChannelSession.Factory(), new ChannelDirectTcpip.Factory()));
-
- setSignatureFactories(Arrays.<NamedFactory<Signature>> asList(
- new SignatureDSA.Factory(), new SignatureRSA.Factory()));
-
- setFileSystemFactory(new FileSystemFactory() {
- @Override
- public FileSystemView createFileSystemView(Session session)
- throws IOException {
- return new FileSystemView() {
- @Override
- public SshFile getFile(SshFile baseDir, String file) {
- return null;
- }
-
- @Override
- public SshFile getFile(String file) {
- return null;
- }
- };
- }
- });
-
- setForwardingFilter(new ForwardingFilter() {
- @Override
- public boolean canForwardAgent(ServerSession session) {
- return false;
- }
-
- @Override
- public boolean canForwardX11(ServerSession session) {
- return false;
- }
-
- @Override
- public boolean canConnect(InetSocketAddress address,
- ServerSession session) {
- return false;
- }
-
- @Override
- public boolean canListen(InetSocketAddress address,
- ServerSession session) {
- return false;
- }
- });
-
- setUserAuthFactories(Arrays
- .<NamedFactory<UserAuth>> asList(new UserAuthPublicKey.Factory()));
- }
-
- protected void setupCiphers() {
- List<NamedFactory<Cipher>> avail = new LinkedList<NamedFactory<Cipher>>();
- avail.add(new AES128CBC.Factory());
- avail.add(new TripleDESCBC.Factory());
- avail.add(new BlowfishCBC.Factory());
- avail.add(new AES192CBC.Factory());
- avail.add(new AES256CBC.Factory());
-
- for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) {
- final NamedFactory<Cipher> f = i.next();
- try {
- final Cipher c = f.create();
- final byte[] key = new byte[c.getBlockSize()];
- final byte[] iv = new byte[c.getIVSize()];
- c.init(Cipher.Mode.Encrypt, key, iv);
- } catch (InvalidKeyException e) {
- i.remove();
- } catch (Exception e) {
- i.remove();
- }
- }
- setCipherFactories(avail);
- }
+ FileOutputStream os = new FileOutputStream(file);
+ PEMWriter w = new PEMWriter(new OutputStreamWriter(os));
+ w.writeObject(kp);
+ w.flush();
+ w.close();
+ } catch (Exception e) {
+ log.warn(MessageFormat.format("Unable to generate {0} keypair", algorithm), e);
+ return;
+ }
+ }
}
--
Gitblit v1.9.1