Closed miurahr closed 2 months ago
In the change in #25, it tries to catch an exception when reading a private key, but the catch does not fire, because Apache SSHD raises StreamCorruptedException, not GeneralSecurityException.
```java
} catch (GeneralSecurityException e) {
	// ignore in case this is not a derived key path, as in most
	// cases this specifies a private key
	if (isDerived) {
		log.warn("{}", //$NON-NLS-1$
				format(SshdText.get().cannotReadPublicKey, keyFile),
				e);
	}
```
Gerrit change 1194667 will fix that.
Version
6.9.0.202403050737-r
Operating System
Linux/Unix
Bug description
Issue #25 changed the code to try the file path specified in IdentityFile first and then to try it with the file extension ".pub" appended. When the user uses the traditional configuration, where the IdentityFile path is the secret key on the file system, JGit and the Apache MINA sshd library raise an exception and show a stack trace. The problem is only raised when the user also configures
IdentitiesOnly = yes
. Here is the Gerrit entry for the change: https://eclipse.gerrithub.io/c/eclipse-jgit/jgit/+/1177073/6/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
In the previous code, it just added ".pub" and checked that file, and no exception was observed.
Actual behavior
Record stack trace in log file.
Expected behavior
Run without exception or don't show a stack trace.
I think we can check for the existence of the public key before trying the file path specified in
IdentityFile
.

Approach 1. Check the existence of the file path
```java
Path p = Paths.get(s + ".pub"); //$NON-NLS-1$
```
and, if it exists, try it first.

Approach 2. Check whether the specified path ends with ".pub".

In a new approach where the file system holds only a public key and the secret key is in an HSM, there is no need for a file-name rule, so approach 2 is not stable for the future. The old style always has a "foo.pub" and "foo" key pair, so approach 1 is better.
Relevant log output
Other information
No response
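As an added illustration of Approach 1 from the report (this is example code, not JGit's or Apache MINA sshd's implementation): the resolver below prefers `<IdentityFile>.pub` when that file exists, falls back to the IdentityFile path itself, and skips a candidate that turns out to be a private key instead of handing it to a public-key parser that would throw. The sample key files are constructed placeholders, not real keys, and `looks_like_public_key` is an assumed minimal sniff of the one-line OpenSSH public key format; the three scenario layouts (traditional pair, `.pub`-only with the secret in an HSM, private key with no `.pub`) are mine.

```python
import tempfile
from pathlib import Path

PUB_SUFFIX = ".pub"

# Constructed sample files (not real keys): an OpenSSH private key block and a
# matching one-line public key, used to build a traditional "foo" / "foo.pub" pair.
FAKE_PRIVATE_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"b3BlbnNzaC1rZXktdjEAAAAAEXAMPLEONLY\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)
FAKE_PUBLIC_KEY = (
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYNOTAREALKEY user@example\n"
)


def looks_like_public_key(data: bytes) -> bool:
    """Assumed cheap sniff of the OpenSSH public key line: '<type> <base64> [comment]'."""
    first = data.lstrip().split(b"\n", 1)[0].split()
    return len(first) >= 2 and first[0].startswith((b"ssh-", b"ecdsa-", b"sk-"))


def candidate_public_keys(identity_file: str) -> list:
    """Approach 1: prefer '<IdentityFile>.pub' when it exists, then the path itself."""
    pub = Path(identity_file + PUB_SUFFIX)
    plain = Path(identity_file)
    return [p for p in (pub, plain) if p.is_file()]


def load_public_key(identity_file: str):
    """Return (file name, key line) of the first candidate that is a public key, or None.

    A candidate that holds a private key (the traditional layout when no .pub is
    present) is skipped rather than passed to a parser that would raise on it.
    """
    for cand in candidate_public_keys(identity_file):
        data = cand.read_bytes()
        if looks_like_public_key(data):
            return cand.name, data.decode().strip()
    return None


def run_scenarios() -> dict:
    """Build three IdentityFile layouts in a temp dir and report what each resolves to."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        # 1. Traditional pair: IdentityFile names the private key, .pub sits beside it.
        (base / "id_ed25519").write_bytes(FAKE_PRIVATE_KEY)
        (base / "id_ed25519.pub").write_bytes(FAKE_PUBLIC_KEY)
        # 2. Only the public key is on disk (secret in an HSM); IdentityFile names the .pub.
        (base / "hsm_key.pub").write_bytes(FAKE_PUBLIC_KEY)
        # 3. Private key with no .pub at all: nothing usable as a public key.
        (base / "lonely").write_bytes(FAKE_PRIVATE_KEY)

        results = {}
        for name in ("id_ed25519", "hsm_key.pub", "lonely", "missing"):
            found = load_public_key(str(base / name))
            results[name] = found[0] if found else None
        return results


if __name__ == "__main__":
    for identity, chosen in run_scenarios().items():
        print(f"IdentityFile {identity!r:16} -> {chosen}")
```

In the traditional layout the `.pub` beside the private key wins, so the private key is never parsed as a public key and no exception is involved; when IdentityFile already names a `.pub`, the non-existent `hsm_key.pub.pub` is skipped and the named file is used, which is why no file-name rule is needed for the HSM case.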