From 9abd93f3db6518fad3d0b3d367fe0fb3929bc981b17a1a1068a6a96665b0e2e7 Mon Sep 17 00:00:00 2001
From: Gus Kenion
Date: Wed, 21 Feb 2024 08:15:53 +0000
Subject: [PATCH 01/14] rpm 4.20 compat
OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=26
---
 .gitattributes | 23 +
 .gitignore | 1 +
 ...ependency-on-native-tomcat-APR-libra.patch | 105 +++++
 apache-sshd-2.12.0-src.tar.gz | 3 +
 apache-sshd-javadoc.patch | 201 ++++++++
 apache-sshd.changes | 443 ++++++++++++++++++
 apache-sshd.spec | 125 +++++
 7 files changed, 901 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
 create mode 100644 apache-sshd-2.12.0-src.tar.gz
 create mode 100644 apache-sshd-javadoc.patch
 create mode 100644 apache-sshd.changes
 create mode 100644 apache-sshd.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch b/0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
new file mode 100644
index 0000000..bcb8b0c
--- /dev/null
+++ b/0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
@@ -0,0 +1,105 @@ +From accd3e006a05615cf6eed9369d91fbedcc4eab16 Mon Sep 17 00:00:00 2001 +From: Mat Booth +Date: Thu, 7 Mar 2019 11:27:55 +0000 +Subject: [PATCH] Avoid optional dependency on native tomcat APR library + +--- + pom.xml | 5 ----- + sshd-core/pom.xml | 6 ------ + .../sshd/agent/local/ProxyAgentFactory.java | 16 +--------------- + sshd-osgi/pom.xml | 6 ------ + 4 files changed, 1 insertion(+), 32 deletions(-) + +diff --git a/pom.xml b/pom.xml +index 867ca88..7c29678 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -434,11 +434,6 @@ + mina-core + 2.0.23 + +- +- tomcat +- tomcat-apr +- 5.5.23 +- + + + net.i2p.crypto +diff --git a/sshd-core/pom.xml b/sshd-core/pom.xml +index 6171c5c..73a43a7 100644 +--- a/sshd-core/pom.xml ++++ b/sshd-core/pom.xml +@@ -43,12 +43,6 @@ + + + +- tomcat +- tomcat-apr +- true +- +- +- + org.bouncycastle + bcpg-jdk18on + true +diff --git a/sshd-core/src/main/java/org/apache/sshd/agent/local/ProxyAgentFactory.java b/sshd-core/src/main/java/org/apache/sshd/agent/local/ProxyAgentFactory.java +index ab19539..5757e68 100644 +--- a/sshd-core/src/main/java/org/apache/sshd/agent/local/ProxyAgentFactory.java ++++ b/sshd-core/src/main/java/org/apache/sshd/agent/local/ProxyAgentFactory.java +@@ -27,8 +27,6 @@ import java.util.concurrent.atomic.AtomicBoolean; + import org.apache.sshd.agent.SshAgent; + import org.apache.sshd.agent.SshAgentFactory; + import org.apache.sshd.agent.SshAgentServer; +-import org.apache.sshd.agent.unix.AprLibrary; +-import org.apache.sshd.agent.unix.UnixAgentFactory; + import org.apache.sshd.common.FactoryManager; + import org.apache.sshd.common.PropertyResolver; + import org.apache.sshd.common.channel.ChannelFactory; +@@ -51,9 +49,7 @@ public class ProxyAgentFactory implements SshAgentFactory { + + @Override + public List getChannelForwardingFactories(FactoryManager manager) { +- return isPreferredUnixAgent(manager) +- ? 
UnixAgentFactory.DEFAULT_FORWARDING_CHANNELS +- : LocalAgentFactory.DEFAULT_FORWARDING_CHANNELS; ++ return LocalAgentFactory.DEFAULT_FORWARDING_CHANNELS; + } + + @Override +@@ -104,16 +100,6 @@ public class ProxyAgentFactory implements SshAgentFactory { + } + + public static boolean isPreferredUnixAgent(PropertyResolver resolver) { +- if (CoreModuleProperties.PREFER_UNIX_AGENT.getRequired(resolver)) { +- try { +- if (AprLibrary.getInstance() != null) { +- return true; +- } +- } catch (Exception ignore) { +- // ignored +- } +- } +- + return false; + } + } +diff --git a/sshd-osgi/pom.xml b/sshd-osgi/pom.xml +index 5395ceb..f456263 100644 +--- a/sshd-osgi/pom.xml ++++ b/sshd-osgi/pom.xml +@@ -81,12 +81,6 @@ + true + provided + +- +- tomcat +- tomcat-apr +- true +- provided +- + + + +-- +2.20.1 diff --git a/apache-sshd-2.12.0-src.tar.gz b/apache-sshd-2.12.0-src.tar.gz new file mode 100644 index 0000000..342ee39 --- /dev/null +++ b/apache-sshd-2.12.0-src.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e8198fd90ca8089a71547300a7a8f6e853dd5fea6095a6887f79564849e76bd8 +size 1857423 diff --git a/apache-sshd-javadoc.patch b/apache-sshd-javadoc.patch new file mode 100644 index 0000000..5cbde5f --- /dev/null +++ b/apache-sshd-javadoc.patch 
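Review bot: In the ProxyAgentFactory.java hunk carried by this patch file, `isPreferredUnixAgent(PropertyResolver resolver)` is reduced to a bare `return false;`, so `CoreModuleProperties.PREFER_UNIX_AGENT` is no longer read and agent forwarding always uses `LocalAgentFactory.DEFAULT_FORWARDING_CHANNELS`, with nothing telling an operator who set that property that it is ignored in this build. I would add a comment above the return, e.g. `// Packaged without the APR-backed Unix agent: PREFER_UNIX_AGENT is intentionally ignored here.`, and state the same in the patch's commit message, which currently has only a subject line. The spec's `rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix` makes the fallback permanent, so the change of agent backend is worth documenting for anyone relying on OS-level agent sockets. The surrounding class body lies outside the inner hunks, so whether the `CoreModuleProperties` import is now unused cannot be confirmed from here.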
@@ -0,0 +1,201 @@ +--- apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/client/auth/password/PasswordIdentityProvider.java 2024-01-19 22:39:38.007238345 +0100 ++++ apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/client/auth/password/PasswordIdentityProvider.java 2024-01-19 22:39:58.550160515 +0100 +@@ -36,7 +36,7 @@ + public interface PasswordIdentityProvider { + + /** +- * An "empty" implementation of {@link PasswordIdentityProvider} that returns an empty group of passwords ++ * An "empty" implementation of {@link PasswordIdentityProvider} that returns an empty group of passwords + */ + PasswordIdentityProvider EMPTY_PASSWORDS_PROVIDER = new PasswordIdentityProvider() { + @Override +--- apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/config/keys/KeyUtils.java 2024-01-19 22:39:38.013904878 +0100 ++++ apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/config/keys/KeyUtils.java 2024-01-19 22:39:58.556827049 +0100 +@@ -766,7 +766,7 @@ + * @param expected The expected fingerprint if {@code null} or empty then returns a failure with the default + * fingerprint. + * @param key the {@link PublicKey} - if {@code null} then returns null. +- * @return SimpleImmutableEntry - key is success indicator, value is actual fingerprint, ++ * @return SimpleImmutableEntry<Boolean, String> - key is success indicator, value is actual fingerprint, + * {@code null} if no key. + * @see #getDefaultFingerPrintFactory() + * @see #checkFingerPrint(String, Factory, PublicKey) +@@ -780,7 +780,7 @@ + * fingerprint. + * @param f The {@link Factory} to be used to generate the default {@link Digest} for the key + * @param key the {@link PublicKey} - if {@code null} then returns null. +- * @return SimpleImmutableEntry - key is success indicator, value is actual fingerprint, ++ * @return SimpleImmutableEntry<Boolean, String> - key is success indicator, value is actual fingerprint, + * {@code null} if no key. 
+ */ + public static SimpleImmutableEntry checkFingerPrint( +@@ -793,7 +793,7 @@ + * fingerprint. + * @param d The {@link Digest} to be used to generate the default fingerprint for the key + * @param key the {@link PublicKey} - if {@code null} then returns null. +- * @return SimpleImmutableEntry - key is success indicator, value is actual fingerprint, ++ * @return SimpleImmutableEntry<Boolean, String> - key is success indicator, value is actual fingerprint, + * {@code null} if no key. + */ + public static SimpleImmutableEntry checkFingerPrint(String expected, Digest d, PublicKey key) { +--- apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/config/keys/loader/openssh/OpenSSHKeyPairResourceParser.java 2024-01-19 22:39:38.010571611 +0100 ++++ apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/config/keys/loader/openssh/OpenSSHKeyPairResourceParser.java 2024-01-19 22:39:58.556827049 +0100 +@@ -63,9 +63,7 @@ + import org.apache.sshd.common.util.security.SecurityUtils; + + /** +- * Basic support for OpenSSH +- * key file(s) ++ * Basic support for OpenSSH key file(s) + * + * @author Apache MINA SSHD Project + */ +--- apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/keys/BufferPublicKeyParser.java 2024-01-19 22:39:38.020571412 +0100 ++++ apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/keys/BufferPublicKeyParser.java 2024-01-19 22:39:58.563493582 +0100 +@@ -64,13 +64,13 @@ + SkED25519BufferPublicKeyParser.INSTANCE)); + + /** +- * @param keyType The key type - e.g., "ssh-rsa", "ssh-dss" ++ * @param keyType The key type - e.g., "ssh-rsa", "ssh-dss" + * @return {@code true} if this key type is supported by the parser + */ + boolean isKeyTypeSupported(String keyType); + + /** +- * @param keyType The key type - e.g., "ssh-rsa", "ssh-dss" ++ * @param keyType The key type - e.g., "ssh-rsa", "ssh-dss" + * @param buffer The {@link Buffer} containing the encoded raw public key + * 
@return The decoded {@link PublicKey} + * @throws GeneralSecurityException If failed to generate the key +--- apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/GenericUtils.java 2024-01-19 22:39:38.023904678 +0100 ++++ apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/GenericUtils.java 2024-01-19 22:39:58.570160116 +0100 +@@ -112,10 +112,11 @@ + * @param with String to replace with + * @param max maximum number of values to replace, or -1 if no maximum + * @return the text with any replacements processed +- * @author Arnout J. Kuiper ajkuiper@wxs.nl +- * @author Magesh Umasankar +- * @author Bruce Atherton +- * @author Antoine Levy-Lambert ++ * ++ * author Arnout J. Kuiper ajkuiper@wxs.nl ++ * author Magesh Umasankar ++ * author Bruce Atherton ++ * author Antoine Levy-Lambert + */ + @SuppressWarnings("PMD.AssignmentInOperand") + public static String replace(String text, String repl, String with, int max) { +--- apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/io/der/DERWriter.java 2024-01-19 22:39:38.020571412 +0100 ++++ apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/io/der/DERWriter.java 2024-01-19 22:39:58.573493382 +0100 +@@ -76,7 +76,7 @@ + } + + /** +- * The integer is always considered to be positive, so if the first byte is < 0, we pad with a zero to make it ++ * The integer is always considered to be positive, so if the first byte is < 0, we pad with a zero to make it + * positive + * + * @param bytes {@link BigInteger} bytes +@@ -87,7 +87,7 @@ + } + + /** +- * The integer is always considered to be positive, so if the first byte is < 0, we pad with a zero to make it ++ * The integer is always considered to be positive, so if the first byte is < 0, we pad with a zero to make it + * positive + * + * @param bytes {@link BigInteger} bytes +--- apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/OsUtils.java 2024-01-19 22:39:38.027237945 +0100 
++++ apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/OsUtils.java 2024-01-19 22:39:58.580159916 +0100 +@@ -334,7 +334,7 @@ + } + + /** +- * Remove {@code Windows} domain and/or group prefix as well as "(User);" suffix ++ * Remove {@code Windows} domain and/or group prefix as well as "(User);" suffix + * + * @param user The original username - ignored if {@code null}/empty + * @return The canonical user - unchanged if {@code Unix} O/S +--- apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java 2024-01-19 22:39:38.023904678 +0100 ++++ apache-sshd-2.12.0/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java 2024-01-19 22:39:58.580159916 +0100 +@@ -120,7 +120,7 @@ + /** + * The min. key size value used for testing whether Diffie-Hellman Group Exchange is supported or not. According to + * RFC 4419 section 3: "Servers and clients SHOULD support +- * groups with a modulus length of k bits, where 1024 <= k <= 8192". ++ * groups with a modulus length of k bits, where 1024 <= k <= 8192". + * + * Note: this has been amended by RFC 8270 + */ +--- apache-sshd-2.12.0/sshd-core/src/main/java/org/apache/sshd/client/session/ClientProxyConnector.java 2024-01-19 22:39:38.050570811 +0100 ++++ apache-sshd-2.12.0/sshd-core/src/main/java/org/apache/sshd/client/session/ClientProxyConnector.java 2024-01-19 22:39:58.580159916 +0100 +@@ -23,8 +23,8 @@ + + /** + * Provides a way to implement proxied connections where some metadata about the client is sent before the actual +- * SSH protocol is executed - e.g., the PROXY +- * protocol. The implementor should use the {@code IoSession#write(Buffer)} method to send any packets with the ++ * SSH protocol is executed - e.g., the PROXY protocol. ++ * The implementor should use the {@code IoSession#write(Buffer)} method to send any packets with the + * meta-data. 
+ * + * @author Apache MINA SSHD Project +--- apache-sshd-2.12.0/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java 2024-01-19 22:39:38.057237344 +0100 ++++ apache-sshd-2.12.0/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java 2024-01-19 22:39:58.586826449 +0100 +@@ -67,7 +67,7 @@ + + /** + * The default {@link BuiltinCiphers} setup in order of preference as specified by +- * ssh_config(5) ++ * ssh_config(5) + */ + public static final List DEFAULT_CIPHERS_PREFERENCE = Collections.unmodifiableList( + Arrays.asList( +@@ -83,7 +83,7 @@ + + /** + * The default {@link BuiltinDHFactories} setup in order of preference as specified by +- * ssh_config(5) ++ * ssh_config(5) + */ + public static final List DEFAULT_KEX_PREFERENCE = Collections.unmodifiableList( + Arrays.asList( +@@ -104,7 +104,7 @@ + + /** + * The default {@link BuiltinMacs} setup in order of preference as specified by +- * ssh_config(5) ++ * ssh_config(5) + */ + public static final List DEFAULT_MAC_PREFERENCE = Collections.unmodifiableList( + Arrays.asList( +--- apache-sshd-2.12.0/sshd-core/src/main/java/org/apache/sshd/common/session/Session.java 2024-01-19 22:39:38.057237344 +0100 ++++ apache-sshd-2.12.0/sshd-core/src/main/java/org/apache/sshd/common/session/Session.java 2024-01-19 22:39:58.590159716 +0100 +@@ -224,11 +224,11 @@ + * {@link Buffer} to the given {@link ReplyHandler}, which may execute in a different thread. + * + *
+- *
want-reply == true && replyHandler != null
++ *
want-reply == true && replyHandler != null
+ *
The returned future is fulfilled with {@code null} when the request was sent, or with an exception if the + * request could not be sent. The {@code replyHandler} is invoked once the reply is received, with the SSH reply + * code and the data received.
+- *
want-reply == true && replyHandler == null
++ *
want-reply == true && replyHandler == null
+ *
The returned future is fulfilled with an exception if the request could not be sent, or a failure reply was + * received. If a success reply was received, the future is fulfilled with the received data buffer.
+ *
want-reply == false
+--- apache-sshd-2.12.0/sshd-core/src/main/java/org/apache/sshd/server/session/ServerProxyAcceptor.java 2024-01-19 22:39:38.060570610 +0100 ++++ apache-sshd-2.12.0/sshd-core/src/main/java/org/apache/sshd/server/session/ServerProxyAcceptor.java 2024-01-19 22:39:58.593492983 +0100 +@@ -23,8 +23,7 @@ + + /** + * Provides a way to implement proxied connections where some metadata about the client is sent before the actual +- * SSH protocol is executed - e.g., the PROXY +- * protocol. ++ * SSH protocol is executed - e.g., the PROXY protocol. + * + * @author Apache MINA SSHD Project + */ diff --git a/apache-sshd.changes b/apache-sshd.changes new file mode 100644 index 0000000..69a297d --- /dev/null +++ b/apache-sshd.changes 
@@ -0,0 +1,443 @@ +------------------------------------------------------------------- +Wed Feb 21 08:15:48 UTC 2024 - Gus Kenion + +- Use %patch -P N instead of deprecated %patchN. + +------------------------------------------------------------------- +Tue Feb 20 11:07:06 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + +------------------------------------------------------------------- +Fri Jan 19 22:17:57 UTC 2024 - Fridrich Strba + +- Updated to upstream version 2.12.0 +- Changes in version 2.11.0 + * Bug Fixes + + GH-328 Added configurable timeout(s) to DefaultSftpClient + + GH-370 Also compare file keys in ModifiableFileWatcher. + + GH-371 Fix channel pool in SftpFileSystem. + + GH-383 Use correct default OpenOptions in + SftpFileSystemProvider.newFileChannel(). + + GH-384 Use correct lock modes for SFTP FileChannel.lock(). + + GH-388 ScpClient: support issuing commands to a server that + uses a non-UTF-8 locale. + + GH-398 SftpInputStreamAsync: fix reporting EOF on zero-length + reads. + + GH-403 Work-around a bug in WS_FTP <= 12.9 SFTP clients. + + GH-407 (Regression in 2.10.0) SFTP performance fix: override + FilterOutputStream.write(byte[], int, int). + + GH-410 Fix a race condition to ensure SSH_MSG_CHANNEL_EOF is + always sent before SSH_MSG_CHANNEL_CLOSE. + + GH-414 Fix error handling while flushing queued packets at end + of KEX. + + GH-420 Fix wrong log level on closing an Nio2Session. + + SSHD-789 Fix detection of Android O/S from system properties. + + SSHD-1259 Consider all applicable host keys from the + known_hosts files. + + SSHD-1310 SftpFileSystem: do not close user session. + + SSHD-1327 ChannelAsyncOutputStream: remove write future when + done. + + SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile + file names in HostConfigEntry. 
+ * New Features + + SSHD-1330 Use KeepAliveHandler global request instance in + client as well + + GH-356 Publish snapshot maven artifacts to the Apache + Snapshots maven repository. + + Bundle sshd-contrib has support classes for the HAProxy + protocol V2. +- Changes in version 2.12.0 + * Bug Fixes + + GH-428/GH-392 SCP client fails silently when error signalled + due to missing file or lacking permissions + + GH-434 Ignore unknown key types from agent or in OpenSSH host + keys extension + * New Features + + GH-429 Support GIT protocol-v2 + + GH-445 OpenSSH "strict key exchange" protocol extension + (CVE-2023-48795, bsc#1218189 mitigation) +- Modified patch: + * apache-sshd-javadoc.patch + + rediff to changed context and drop integrated hunks + +------------------------------------------------------------------- +Wed Oct 11 09:03:24 UTC 2023 - Fridrich Strba + +- Upgrade to upstrem version 2.10.0 + * Bug + + SSHD-1295: Connection attempt not canceled when a connection + timeout occurs + + SSHD-1316: Possible OOM in ChannelPipedInputStream + + SSHD-1319: SftpRemotePathChannel.transferFrom(...) 
ignores + position argument + + SSHD-1324: Rooted file system can leak informations + + SSHD-1326: Failed to establish an SSH connection because the + server identifier exceeds the int range + * Improvement + + SSHD-1315: Password in clear in SSHD server's logs +- Modified patch: + * 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch + + rediff to changed context + +------------------------------------------------------------------- +Fri Feb 10 07:26:34 UTC 2023 - Fridrich Strba + +- Clean-up the spec a bit + +------------------------------------------------------------------- +Wed Nov 16 11:36:21 UTC 2022 - Fridrich Strba + +- Upgrade to version 2.9.2 (bsc#1205463, CVE-2022-45047) +- Changes in version 2.8.0 + * Bug + + Wrong server key algorithm choose + + Expiration of OpenSshCertificates needs to compare timestamps + as unsigned long + + SFTP Get downloads empty file from servers which supports EOF + indication after data + + skip() doesn't work properly in SftpInputStreamAsync + + OpenMode and CopyMode is not honored as expected in + version > 4 of SFTP api + + SftpTransferTest sometimes hangs (failure during rekeying) + + Race condition in KEX + + Fix the ciphers supported documentation + + Update tarLongFileMode to use POSIX + + WinsCP transfer failure to Apache SSHD Server + + Pubkey auth: keys from ssh-agent are used even if + HostConfigEntry.isIdentitiesOnly() is true + + Support RSA SHA2 signatures via SSH agent + + NOTICE: wrong copyright year range + + Wrong creationTime in writeAttrs for SFTP + + sshd-netty logs all traffic on INFO level + * New Feature + + Add support for chacha20-poly1305@openssh.com + + Parsing of ~/.ssh/config Host patterns fails with extra + whitespace + + Support generating OpenSSH client certificates + * Improvement + + Add support for curve25519-sha256@libssh.org key exchange + + OpenSSH certificates: check certificate type + + OpenSSHCertificatesTest: certificates expire in 2030 + + Display IdleTimeOut in more 
user-friendly format + + sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in + ChannelAsyncOutputStream constructor configurable from + outside using variable/config file + + Intercepting the server exception message from server in SSHD + client + + Implement RFC 8332 server-sig-algs on the server + + Slow performance listing huge number of files on Apache SSHD + server + + SFTP: too many LSTAT calls + + Support key constraints when adding a key to an SSH agent + + Add SFTP server side file custom attributes hook + * Task + + Make sure the project is built using a 1.8 + * Question + + UserInteraction Problem +- Changes of vesion 2.9.0 + * Bug + + Deadlock on disconnection at the end of key-exchange + + Remote port forwarding mode does not handle EOF properly + + Public key authentication: wrong signature algorithm used + (ed25519 key with ssh-rsa signature) + + Client fails window adjust above Integer.MAX_VALUE + + class loader fails to load + org.apache.sshd.common.cipher.BaseGCMCipher + + Shell is not getting closed if the command has already closed + the OutputStream it is using. 
+ + Sometimes async write listener is not called + + Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to + SocketTimeoutException + + different host key algorithm used on rekey than used for the + initial connection + + OpenSSH certificate is not properly encoded when critical + options are included + + TCP/IP remote port forwarding with wildcard IP addresses + doesn't work with OpenSSH + + UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from + an agent + * New Feature + + Add support for Argon2 encrypted PUTTY key files + + Add support for merged inverted output and error streams of + remote process + * Improvement + + Add support for "limits@openssh.com" SFTP extension + + Support host-based pubkey authentication in the client + + Send environment variable and open subsystem at the same time + for SSH session +- Changes of version 2.9.1 + * Bug + + ClientSession.auth().verify() is terminated with timeout + + 2.9.0 release broken on Java 8 + + Infinite loop in + org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead + + Deadlock during session exit + + Race condition is logged in ChannelAsyncOutputStream +- Changes of version 2.9.2 + * Bug + + SFTP worker threads got stuck while processing PUT methods + against one specific SFTP server + + Use the maximum packet size of the communication partner + + ExplicitPortForwardingTracker does not unbind auto-allocated + one + + Default SshClient FD leak because Selector not closed + + Reading again from exhausted ChannelExec#getInvertedOut() + throws IOException instead of returning -1 + + Keeping error streams and input streams separate after + ChannelExec#setRedirectErrorStream(true) is called + + Nio2Session.shutdownOutput() should wait for writes in + progress + * Test + + Research intermittent failure in unit tests using various I/O + service factories +- Modified patch: + * 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch + + rediff to changed context +- Removed patches: + * 
0002-Fix-manifest-generation.patch + + not needed any more in this version + * apache-sshd-2.7.0-java8.patch + + not needed since the Java 8 compatibility is handled by the + --release option +- Added patch: + * apache-sshd-javadoc.patch + + Fix different warnings in javadoc generation + +------------------------------------------------------------------- +Fri Jul 30 08:13:19 UTC 2021 - Fridrich Strba + +- Upgrade to version 2.7.0 +- Changes in version 2.5.0 + * Major code re-factoring + + Reception of an SSH_MSG_UNIMPLEMENTED response to a + SSH_MSG_GLOBAL_REQUEST is translated internally into same code + flow as if an SSH_MSH_REQUEST_FAILURE has been received - see + SSHD-968. + + Server SFTP subsystem internal code dealing with the local + files has been delegated to the SftpFileSystemAccessor in + order to allow easier hooking into the SFTP subsystem. + - Resolving a local file path for an SFTP remote one + - Reading/Writing a file's attribute(s) + - Creating files links + - Copying / Renaming / Deleting files + + SftpVersionSelector is now consulted when client sends initial + command (as well as when session is re-negotiated) + + ScpCommandFactory is also a ShellFactory that can be used to + provide a minimalistic shell that is good enough for WinSCP. + + Rework SFTP streams so that the client asks and receives as + much data as possible - see SSHD-979. + * Minor code helpers + + Handling of debug/ignore/unimplemented messages has been split + into handleXXX and doInvokeXXXMsgHandler methods where the + former validate the messages and deal with the idle timeout, + and the latter execute the actual invcation. + + Added overloaded methods that accept a java.time.Duration + specifier for timeout value. + + The argument representing the SFTP subsystem in invocations to + SftpFileSystemAccessor has been enhanced to expose as much of + the available functionality as possible. 
+ * Behavioral changes and enhancements + + SSHD-964 - Send SSH_MSG_CHANNEL_EOF when tunnel channel being + closed. + + SSHD-967 - Extra bytes written when + SftpRemotePathChannel#transferTo is used. + + SSHD-968 - Interpret SSH_MSG_UNIMPLEMENTED response to a + heartbeat request as a liveness indicator + + SSHD-970 - transferTo function of SftpRemotePathChannel will + loop if count parameter is greater than file size + + SSHD-972 - Add support for peers using OpenSSH "security key" + key types + + SSHD-977 - Apply consistent logging policy to caught + exceptions + + SSHD-660 - Added support for server-side signed certificate + keys + + SSHD-984 - Utility method to export KeyPair in OpenSSH format + + SSHD-992 - Provide more hooks into the SFTP server subsystem + via SftpFileSystemAccessor + + SSHD-997 - Fixed OpenSSH private key decoders for RSA and + Ed25519 + + SSHD-998 - Take into account SFTP version preference when + establishing initial channel + + SSHD-989 - Read correctly ECDSA key pair from PKCS8 encoded + data + + SSHD-1009 - Provide a minimalistic shell for supporting WinSCP + SCP mode. +- Changes in version 2.5.1 + * Behavioral changes and enhancements + + SSHD-1022 NPE in SftpOutputStreamAsync#flush() if no data + written in between. +- Changes in version 2.6.0 + * Major code re-factoring + + SshServerMain uses by default an ECDSA key instead of an RSA + one. This can be overridden either by -key-type / -key-size or + -key-file command line option. + + SSHD-1034 Rename org.apache.sshd.common.ForwardingFilter to + Forwarder. + + SSHD-1035 Move property definitions to common locations. + + SSHD-1038 Refactor packages from a module into a cleaner + hierarchy. + + SSHD-1080 Rework the PacketWriter to split according to the + various semantics + + SSHD-1084 Revert the usage of asynchronous streams when + forwarding ports. + * Minor code helpers + + SSHD-1004 Using a more constant time MAC validation to + minimize timing side channel information leak. 
+ + SSHD-1030 Added a NoneFileSystemFactory implementation + + SSHD-1042 Added more callbacks to SftpEventListener + + SSHD-1040 Make server key available after KEX completed. + + SSHD-1060 Do not store logger level in fields. + + SSHD-1064 Fixed ClientSession#executeRemoteCommand handling + of STDERR in case of exception to behave according to its + documentation + + SSHD-1076 Break down ClientUserAuthService#auth method into + several to allow for flexible override + + SSHD-1077 Added command line option to request specific SFTP + version in SftpCommandMain + + SSHD-1079 Experimental async mode on the local port forwarder + + SSHD-1086 Added SFTP aware directory scanning helper classes + + SSHD-1089 Added wrappers for one-time single session usage of + SFTP/SCP clients + + Propagate SCP file transfer ACK data to ScpTransferListener + before validating it. + * Behavioral changes and enhancements + + SSHD-506 Added support for AES-GCM ciphers. + + SSHD-954 Improve validation of DH public key values. + + SSHD-1004 Deprecate DES, RC4 and Blowfish ciphers from default + setup. + + SSHD-1004 Deprecate SHA-1 based key exchanges and signatures + from default setup. + + SSHD-1004 Deprecate MD5-based and truncated HMAC algorithms + from default setup. + + SSHD-1005 Added support for SCP remote-to-remote file transfer + + SSHD-1020 SSH connections getting closed abruptly with timeout + exceptions. + + SSHD-1026 Improve build reproductibility. + + SSHD-1028 Fix SSH_MSG_DISCONNECT: Too many concurrent + connections. + + SSHD-1032 Fix possible ArrayIndexOutOfBoundsException in + ChannelAsyncOutputStream. + + SSHD-1033 Fix simultaneous usage of dynamic and local port + forwarding. + + SSHD-1039 Fix support for some basic options in ssh/sshd cli. + + SSHD-1047 Support for SSH jumps. + + SSHD-1048 Wrap instead of rethrow IOException in Future. + + SSHD-1050 Fixed race condition in AuthFuture if exception + caught before authentication started. 
+ + SSHD-1053 Fixed handling of certified keys authentication. + + SSHD-1056 Added support for SCP remote-to-remote directory + transfer - including '-3' option of SCP command CLI. + + SSHD-1057 Added capability to select a ShellFactory based on + the current session + use it for "WinSCP" + + SSHD-1058 Improve exception logging strategy. + + SSHD-1059 Do not send heartbeat if KEX state not DONE + + SSHD-1063 Fixed known-hosts file server key verifier matching + of same host with different ports + + SSHD-1066 Allow multiple binding to local port tunnel on + different addresses + + SSHD-1070 OutOfMemoryError when use async port forwarding + + SSHD-1100 Updated used moduli for DH group KEX + + SSHD-1102 Provide filter support for SftpDirectoryStream + + SSHD-1104 Take into account possible key type aliases when + using public key authentication + + SSHD-1107 Allow configuration of minimum DH group exchange key + size via property or programmatically + + SSHD-1108 Increased minimum default DH group exchange key size + to 2048 (but support 1024) +- Changes in version 2.7.0 + * Major code re-factoring + + SSHD-1133 Re-factored locations and names of ServerSession and + server-side ChannelSession related classes + + Moved some helper methods and classes to more natural + locations + * Minor code helpers + + SSHD-525 Added support for "posix-rename@openssh.com" SFTP + extension + + SSHD-1083 Relaxed required Nio2Connector/Acceptor required + constructor arguments + + SSHD-1085 Added CliLogger + more verbosity on SshClientMain + + SSHD-1109 Route tests JUL logging via SLF4JBridgeHandler + + SSHD-1109 Provide full slf4j logger capabilities to CliLogger + and use it in all CLI classes + + SSHD-1110 Replace Class#newInstance() calls with + Class#getDefaultConstructor().newInstance() + + SSHD-1111 Fixed SshClientCliSupport compression option + detection + + SSHD-1116 Provide SessionContext argument to + HostKeyIdentityProvider#loadHostKeys + + SSHD-1116 Provide SessionContext 
argument to + PasswordIdentityProvider#loadPasswords + + SSHD-1116 Provide SessionContext argument to + AuthenticationIdentitiesProvider#loadIdentities + + SSHD-1125 Added option to require immediate close of channel + in command ExitCallback invocation + + SSHD-1127 Consolidated SftpSubsystem support implementations + into SftpSubsystemConfigurator + + SSHD-1148 Generate a unique thread name for each SftpSubsystem + instance + * Behavioral changes and enhancements + + SSHD-1085 Added more notifications related to channel state + change for detecting channel closing or closed earlier. + + SSHD-1091 Renamed sshd-contrib top-level package in order to + align naming convention. + + SSHD-1097 Added more SessionListener callbacks related to the + initial version and key exchange + + SSHD-1097 Added more capability to send peer identification + via ReservedSessionMessagesHandler + + SSHD-1097 Implemented endless tarpit example in sshd-contrib + + SSHD-1109 Replace log4j with logback as the slf4j logger + implementation for tests + + SSHD-1114 Added callbacks for client-side password + authentication progress + + SSHD-1114 Added callbacks for client-side public key + authentication progress + + SSHD-1114 Added callbacks for client-side host-based + authentication progress + + SSHD-1114 Added capability for interactive password + authentication participation via UserInteraction + + SSHD-1114 Added capability for interactive key based + authentication participation via UserInteraction + + SSHD-1123 Add option to chunk data in ChannelAsyncOutputStream + if window size is smaller than packet size + + SSHD-1125 Added mechanism to throttle pending write requests + in BufferedIoOutputStream + + SSHD-1127 Added capability to register a custom receiver for + SFTP STDERR channel raw or stream data + + SSHD-1132 Added SFTP client-side support for + 'filename-charset' extension + + SSHD-1132 Added SFTP client-side support for + 'filename-translation-control' extension + + SSHD-1132 
Added SFTP servder-side support for non-UTF8 + encoding of returned file names + + SSHD-1133 Added capability to specify a custom charset for + parsing incoming commands to the ScpShell + + SSHD-1133 Added capability to specify a custom charset for + returning environment variables related data from the ScpShell + + SSHD-1133 Added capability to specify a custom charset for + handling the SCP protocol textual commands and responses + + SSHD-1136 Use configuration property to decide whether to + allow fallback to DH group exchange using SHA-1 if no suitable + primes found for SHA-256 + + SSHD-1137 Added capability to override LinkOption(s) when + accessing a file/folder via SFTP + + SSHD-1147 SftpInputStreamAsync: get file size before SSH_FXP_OPEN +- Modified patches: + * 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch + * apache-sshd-2.4.0-java8.patch -> apache-sshd-2.7.0-java8.patch + + rediff to changed context +- Added patch: + * 0002-Fix-manifest-generation.patch + + do not import self + +------------------------------------------------------------------- +Thu Jul 16 21:58:44 UTC 2020 - Fridrich Strba + +- Added patch: + * apache-sshd-2.4.0-java8.patch + + restore Java 8 compatibility of bytecode generated by Java 9+ + +------------------------------------------------------------------- +Mon Jun 29 11:32:37 UTC 2020 - Fridrich Strba + +- Initial packaging of apache-sshd 2.4.0 diff --git a/apache-sshd.spec b/apache-sshd.spec new file mode 100644 index 0000000..7c236a2 --- /dev/null +++ b/apache-sshd.spec 
@@ -0,0 +1,125 @@ +# +# spec file for package apache-sshd +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: apache-sshd +Version: 2.12.0 +Release: 0 +Summary: Apache SSHD +# One file has ISC licensing: +# sshd-common/src/main/java/org/apache/sshd/common/config/keys/loader/openssh/kdf/BCrypt.java +License: Apache-2.0 AND ISC +Group: Development/Libraries/Java +URL: https://mina.apache.org/sshd-project +Source0: https://archive.apache.org/dist/mina/sshd/%{version}/apache-sshd-%{version}-src.tar.gz +# Avoid optional dep on tomcat native APR library +Patch0: 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch +Patch1: apache-sshd-javadoc.patch +BuildRequires: fdupes +BuildRequires: maven-local +BuildRequires: mvn(junit:junit) +BuildRequires: mvn(net.i2p.crypto:eddsa) +BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-clean-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-remote-resources-plugin) +BuildRequires: mvn(org.apache.maven.surefire:surefire-junit47) +BuildRequires: mvn(org.apache.maven:maven-archiver) +BuildRequires: mvn(org.apache:apache-jar-resource-bundle) +BuildRequires: mvn(org.apache:apache:pom:) >= 30 +BuildRequires: mvn(org.bouncycastle:bcpg-jdk18on) +BuildRequires: 
mvn(org.bouncycastle:bcpkix-jdk18on) +BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) +BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) +BuildRequires: mvn(org.slf4j:jcl-over-slf4j) +BuildRequires: mvn(org.slf4j:slf4j-api) +BuildArch: noarch + +%description +Apache SSHD is a 100% pure java library to support the SSH protocols on both +the client and server side. + +%package javadoc +Summary: API documentation for %{name} + +%description javadoc +This package provides %{name}. + +%prep +%setup -q + +# Avoid optional dep on tomcat native APR library +%patch -P 0 -p1 +%patch -P 1 -p1 + +rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix +%pom_remove_dep -r tomcat:tomcat-apr + +# Avoid unnecessary dep on spring framework +%pom_remove_dep :spring-framework-bom +%pom_remove_dep :testcontainers-bom sshd-sftp sshd-core + +# Build the core modules only +%pom_disable_module sshd-mina +%pom_remove_dep -r org.apache.sshd:sshd-mina +%pom_disable_module sshd-netty +%pom_disable_module sshd-ldap +%pom_disable_module sshd-git +%pom_disable_module sshd-contrib +%pom_disable_module sshd-spring-sftp +%pom_remove_dep -r org.apache.sshd:sshd-spring-sftp +%pom_disable_module sshd-cli +%pom_disable_module sshd-openpgp +%pom_disable_module assembly +# don't require bom that we don't package +%pom_remove_dep org.testcontainers:testcontainers-bom sshd-scp + +# Disable plugins we don't need for RPM builds +%pom_remove_plugin :apache-rat-plugin +%pom_remove_plugin :gmavenplus-plugin +%pom_remove_plugin :maven-checkstyle-plugin +%pom_remove_plugin :maven-enforcer-plugin +%pom_remove_plugin :maven-pmd-plugin +%pom_remove_plugin :animal-sniffer-maven-plugin +%pom_remove_plugin :impsort-maven-plugin +%pom_remove_plugin :formatter-maven-plugin . sshd-core + +# Suppress generation of uses clauses +%pom_xpath_inject "pom:configuration/pom:instructions" "<_nouses>true" . 
+ +%pom_remove_plugin :maven-antrun-plugin sshd-osgi + +%build +# Can't run tests, they require ch.ethz.ganymed:ganymed-ssh2 +%{mvn_build} -f -- -Dworkspace.root.dir=$(pwd) \ +%if %{?pkg_vcmp:%pkg_vcmp java-devel >= 9}%{!?pkg_vcmp:0} + -Dmaven.compiler.release=8 \ +%endif + -Dsource=8 + +%install +%mvn_install +%fdupes -s %{buildroot}%{_javadocdir} + +%files -f .mfiles +%doc CHANGES.md +%license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt + +%files javadoc -f .mfiles-javadoc +%license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt + +%changelog From f344c10bf991e30d7ad5ff7ad2dfc61e9f43bba6eba492e3a1c1cdd33310e286 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 21 Feb 2024 21:52:22 +0000 Subject: [PATCH 02/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=28 --- apache-sshd.changes | 5 ----- 1 file changed, 5 deletions(-) diff --git a/apache-sshd.changes b/apache-sshd.changes index 69a297d..a410e97 100644 --- a/apache-sshd.changes +++ b/apache-sshd.changes @@ -1,8 +1,3 @@ -------------------------------------------------------------------- -Wed Feb 21 08:15:48 UTC 2024 - Gus Kenion - -- Use %patch -P N instead of deprecated %patchN. - ------------------------------------------------------------------- Tue Feb 20 11:07:06 UTC 2024 - Dominique Leuenberger From fb80b1600bac9889847db7ae6c0bef033b085090d51297d6858ad41542dcdd42 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 9 Oct 2024 22:37:21 +0000 Subject: [PATCH 03/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=29 --- apache-sshd.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apache-sshd.spec b/apache-sshd.spec index 7c236a2..ea0947a 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec 
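Review bot: Nothing in this new spec lets the build verify the `Source0` tarball: the preamble lists no detached signature and no keyring, and the commit's file list adds only `apache-sshd-2.12.0-src.tar.gz`. For an SSH implementation I would ship the upstream signature and the project's signing keys beside it, e.g. `Source1: https://archive.apache.org/dist/mina/sshd/%{version}/apache-sshd-%{version}-src.tar.gz.asc` and `Source2: %{name}.keyring`, assuming upstream publishes a `.asc` next to the tarball. In `%build`, `%{mvn_build} -f` also skips the test suite, so the two patches applied in `%prep` are never exercised. The existing comment explains why, but the gap is worth recording in the changelog.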
@@ -43,8 +43,12 @@ BuildRequires: mvn(org.apache:apache-jar-resource-bundle)
 BuildRequires: mvn(org.apache:apache:pom:) >= 30
 BuildRequires: mvn(org.bouncycastle:bcpg-jdk18on)
 BuildRequires: mvn(org.bouncycastle:bcpkix-jdk18on)
+BuildRequires: mvn(org.bouncycastle:bcprov-jdk18on)
+BuildRequires: mvn(org.bouncycastle:bcutil-jdk18on)
 BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin)
 BuildRequires: mvn(org.codehaus.plexus:plexus-archiver)
+BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit)
+BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit.pgm)
 BuildRequires: mvn(org.slf4j:jcl-over-slf4j)
 BuildRequires: mvn(org.slf4j:slf4j-api)
 BuildArch: noarch
@@ -78,7 +82,6 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix
 %pom_remove_dep -r org.apache.sshd:sshd-mina
 %pom_disable_module sshd-netty
 %pom_disable_module sshd-ldap
-%pom_disable_module sshd-git
 %pom_disable_module sshd-contrib
 %pom_disable_module sshd-spring-sftp
 %pom_remove_dep -r org.apache.sshd:sshd-spring-sftp
From 46d7b3274ed9956828959710d1d05f8e26004129f1b2d1d2ad774b349ff0a245 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Wed, 9 Oct 2024 22:38:39 +0000
Subject: [PATCH 04/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=30
---
 apache-sshd.spec | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/apache-sshd.spec b/apache-sshd.spec
index ea0947a..7c236a2 100644
--- a/apache-sshd.spec
+++ b/apache-sshd.spec
@@ -43,12 +43,8 @@ BuildRequires: mvn(org.apache:apache-jar-resource-bundle) BuildRequires: mvn(org.apache:apache:pom:) >= 30 BuildRequires: mvn(org.bouncycastle:bcpg-jdk18on) BuildRequires: mvn(org.bouncycastle:bcpkix-jdk18on) -BuildRequires: mvn(org.bouncycastle:bcprov-jdk18on) -BuildRequires: mvn(org.bouncycastle:bcutil-jdk18on) BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) -BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit) -BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit.pgm) BuildRequires: mvn(org.slf4j:jcl-over-slf4j) BuildRequires: mvn(org.slf4j:slf4j-api) BuildArch: noarch @@ -82,6 +78,7 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %pom_remove_dep -r org.apache.sshd:sshd-mina %pom_disable_module sshd-netty %pom_disable_module sshd-ldap +%pom_disable_module sshd-git %pom_disable_module sshd-contrib %pom_disable_module sshd-spring-sftp %pom_remove_dep -r org.apache.sshd:sshd-spring-sftp From 8a7ef35208347c03855fa486c2e4063f81737a366861c9964652fe31da388d8a Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 9 Oct 2024 23:58:07 +0000 Subject: [PATCH 05/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=31 --- _multibuild | 3 +++ apache-sshd.spec | 64 +++++++++++++++++++++++++++++++++++++++--------- 2 files changed, 55 insertions(+), 12 deletions(-) create mode 100644 _multibuild diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..cac8c31 --- /dev/null +++ b/_multibuild @@ -0,0 +1,3 @@ + + extras + diff --git a/apache-sshd.spec b/apache-sshd.spec index 7c236a2..b7b7622 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec @@ -16,7 +16,11 @@ # -Name: apache-sshd +%if "%{flavor}" == "extras" +%bcond_without extras +%else +%bcond_with extras +%endif Version: 2.12.0 Release: 0 Summary: Apache SSHD 
@@ -34,8 +38,6 @@ BuildRequires: maven-local
 BuildRequires: mvn(junit:junit)
 BuildRequires: mvn(net.i2p.crypto:eddsa)
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-clean-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin)
 BuildRequires: mvn(org.apache.maven.plugins:maven-remote-resources-plugin)
 BuildRequires: mvn(org.apache.maven.surefire:surefire-junit47)
 BuildRequires: mvn(org.apache.maven:maven-archiver)
@@ -43,11 +45,33 @@ BuildRequires: mvn(org.apache:apache-jar-resource-bundle) BuildRequires: mvn(org.apache:apache:pom:) >= 30 BuildRequires: mvn(org.bouncycastle:bcpg-jdk18on) BuildRequires: mvn(org.bouncycastle:bcpkix-jdk18on) -BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) -BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) BuildRequires: mvn(org.slf4j:jcl-over-slf4j) BuildRequires: mvn(org.slf4j:slf4j-api) BuildArch: noarch +%if %{with extras} +Name: apache-sshd-extras +BuildRequires: mvn(io.netty:netty-bom:pom:) +BuildRequires: mvn(io.netty:netty-handler) +BuildRequires: mvn(io.netty:netty-transport) +BuildRequires: mvn(org.apache.maven.plugins:maven-assembly-plugin) +BuildRequires: mvn(org.apache.sshd:sshd-common) +BuildRequires: mvn(org.apache.sshd:sshd-core) +BuildRequires: mvn(org.apache.sshd:sshd-putty) +BuildRequires: mvn(org.apache.sshd:sshd-scp) +BuildRequires: mvn(org.apache.sshd:sshd-sftp) +BuildRequires: mvn(org.assertj:assertj-core) +BuildRequires: mvn(org.bouncycastle:bcprov-jdk18on) +BuildRequires: mvn(org.bouncycastle:bcutil-jdk18on) +BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) +BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit) +BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit.pgm) +BuildRequires: mvn(org.slf4j:slf4j-jdk14) +%else +Name: apache-sshd +BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin) +BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) +BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) +%endif %description Apache SSHD is a 100% pure java library to support the SSH protocols on both @@ -60,7 +84,7 @@ Summary: API documentation for %{name} This package provides %{name}. %prep -%setup -q +%setup -q -n apache-sshd-%{version} # Avoid optional dep on tomcat native APR library %patch -P 0 -p1 
@@ -73,20 +97,31 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %pom_remove_dep :spring-framework-bom %pom_remove_dep :testcontainers-bom sshd-sftp sshd-core -# Build the core modules only +# We don't have dependencies for these modules %pom_disable_module sshd-mina %pom_remove_dep -r org.apache.sshd:sshd-mina +%pom_disable_module sshd-spring-sftp +%pom_remove_dep -r org.apache.sshd:sshd-spring-sftp +%pom_disable_module sshd-openpgp +%pom_remove_dep -r org.apache.sshd:sshd-openpgp +# don't require bom that we don't package +%pom_remove_dep org.testcontainers:testcontainers-bom sshd-scp + +%if %{with extras} +%pom_disable_module sshd-common +%pom_disable_module sshd-core +%pom_disable_module sshd-osgi +%pom_disable_module sshd-putty +%pom_disable_module sshd-scp +%pom_disable_module sshd-sftp +%else %pom_disable_module sshd-netty %pom_disable_module sshd-ldap %pom_disable_module sshd-git %pom_disable_module sshd-contrib -%pom_disable_module sshd-spring-sftp -%pom_remove_dep -r org.apache.sshd:sshd-spring-sftp %pom_disable_module sshd-cli -%pom_disable_module sshd-openpgp %pom_disable_module assembly -# don't require bom that we don't package -%pom_remove_dep org.testcontainers:testcontainers-bom sshd-scp +%endif # Disable plugins we don't need for RPM builds %pom_remove_plugin :apache-rat-plugin @@ -96,6 +131,7 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %pom_remove_plugin :maven-pmd-plugin %pom_remove_plugin :animal-sniffer-maven-plugin %pom_remove_plugin :impsort-maven-plugin +%pom_remove_plugin :maven-clean-plugin %pom_remove_plugin :formatter-maven-plugin . sshd-core # Suppress generation of uses clauses 
@@ -103,6 +139,10 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %pom_remove_plugin :maven-antrun-plugin sshd-osgi +%{mvn_file} :{*} apache-sshd/@1 + +%{mvn_package} :apache-sshd __noinstall + %build # Can't run tests, they require ch.ethz.ganymed:ganymed-ssh2 %{mvn_build} -f -- -Dworkspace.root.dir=$(pwd) \ From 2c7df3021b27863d8d793b1b4ac6dc1f5e23b3f4e549b34dfc41c94996536f17 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 9 Oct 2024 23:59:36 +0000 Subject: [PATCH 06/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=32 --- apache-sshd.spec | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apache-sshd.spec b/apache-sshd.spec index b7b7622..563deb9 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec @@ -54,11 +54,11 @@ BuildRequires: mvn(io.netty:netty-bom:pom:) BuildRequires: mvn(io.netty:netty-handler) BuildRequires: mvn(io.netty:netty-transport) BuildRequires: mvn(org.apache.maven.plugins:maven-assembly-plugin) -BuildRequires: mvn(org.apache.sshd:sshd-common) -BuildRequires: mvn(org.apache.sshd:sshd-core) -BuildRequires: mvn(org.apache.sshd:sshd-putty) -BuildRequires: mvn(org.apache.sshd:sshd-scp) -BuildRequires: mvn(org.apache.sshd:sshd-sftp) +BuildRequires: mvn(org.apache.sshd:sshd-common) = %{version} +BuildRequires: mvn(org.apache.sshd:sshd-core) = %{version} +BuildRequires: mvn(org.apache.sshd:sshd-putty) = %{version} +BuildRequires: mvn(org.apache.sshd:sshd-scp) = %{version} +BuildRequires: mvn(org.apache.sshd:sshd-sftp) = %{version} BuildRequires: mvn(org.assertj:assertj-core) BuildRequires: mvn(org.bouncycastle:bcprov-jdk18on) BuildRequires: mvn(org.bouncycastle:bcutil-jdk18on) From f179492393d0dda8da38478ed977c438a84ff80d017626c8fee746568fea65ae Mon Sep 17 00:00:00 2001 
From: Fridrich Strba Date: Thu, 10 Oct 2024 00:22:43 +0000 Subject: [PATCH 07/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=33 --- apache-sshd.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apache-sshd.spec b/apache-sshd.spec index 563deb9..b965ea8 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec @@ -16,6 +16,7 @@ # +%global flavor @BUILD_FLAVOR@%{nil} %if "%{flavor}" == "extras" %bcond_without extras %else @@ -49,8 +50,7 @@ BuildRequires: mvn(org.slf4j:jcl-over-slf4j) BuildRequires: mvn(org.slf4j:slf4j-api) BuildArch: noarch %if %{with extras} -Name: apache-sshd-extras -BuildRequires: mvn(io.netty:netty-bom:pom:) +Name: apache-sshd-%{flavor} BuildRequires: mvn(io.netty:netty-handler) BuildRequires: mvn(io.netty:netty-transport) BuildRequires: mvn(org.apache.maven.plugins:maven-assembly-plugin) @@ -106,6 +106,7 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %pom_remove_dep -r org.apache.sshd:sshd-openpgp # don't require bom that we don't package %pom_remove_dep org.testcontainers:testcontainers-bom sshd-scp +%pom_remove_dep :netty-bom sshd-netty %if %{with extras} %pom_disable_module sshd-common From a4c02a83df8a112bae5d0766de7d24e5d51ce461b13039dc50163d065b2453ec Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 17 Oct 2024 00:59:55 +0000 Subject: [PATCH 08/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=34 --- apache-sshd.spec | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/apache-sshd.spec b/apache-sshd.spec index b965ea8..40cb9c6 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec @@ -22,6 +22,7 @@ %else %bcond_with extras %endif +%global homedir %{_datadir}/apache-sshd Version: 2.12.0 Release: 0 Summary: Apache SSHD 
@@ -51,6 +52,7 @@ BuildRequires: mvn(org.slf4j:slf4j-api) BuildArch: noarch %if %{with extras} Name: apache-sshd-%{flavor} +BuildRequires: xmvn-subst BuildRequires: mvn(io.netty:netty-handler) BuildRequires: mvn(io.netty:netty-transport) BuildRequires: mvn(org.apache.maven.plugins:maven-assembly-plugin) @@ -77,6 +79,31 @@ BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side. +%if %{with extras} +%package -n apache-sshd-standalone +Summary: Standalone installation of apache-sshd +Requires: apache-sshd +Requires: apache-sshd-extras +Requires: assertj-core +Requires: bouncycastle +Requires: bouncycastle-pg +Requires: bouncycastle-pkix +Requires: bouncycastle-util +Requires: byte-buddy +Requires: ed25519-java +Requires: javaewah +Requires: jcl-over-slf4j +Requires: jctools +Requires: jgit +Requires: netty +Requires: objectweb-asm +Requires: slf4j +Requires: slf4j-jdk14 + +%description -n apache-sshd-standalone +This package provides standalone installation of apache-sshd +%endif + %package javadoc Summary: API documentation for %{name} @@ -135,6 +162,11 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %pom_remove_plugin :maven-clean-plugin %pom_remove_plugin :formatter-maven-plugin . sshd-core +# We only need the unix-bin execution +%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='unix-src']]" assembly +%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='windows-bin']]" assembly +%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='windows-src']]" assembly + # Suppress generation of uses clauses %pom_xpath_inject "pom:configuration/pom:instructions" "<_nouses>true" . 
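Review bot: The new `apache-sshd-standalone` subpackage (the `@@ -77,6 +79,31 @@` hunk) depends on `apache-sshd` and `apache-sshd-extras` without a version, so the launcher tree can be installed against library packages from a different release, including an older one that lacks later fixes. The `xmvn-subst -s` step in `%install` appears to replace the bundled jars with links to the system ones, which makes the match between scripts and jars depend entirely on these `Requires`. The BuildRequires on the sshd modules are already pinned with `= %{version}` in this flavor, and I would do the same here: `Requires: apache-sshd = %{version}` and `Requires: apache-sshd-extras = %{version}`.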
@@ -152,14 +184,36 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %endif -Dsource=8 +%if %{with extras} +mkdir sshd_home +(cd sshd_home + tar --delay-directory-restore -xvf \ + ../assembly/target/apache-sshd-%{version}.tar.gz +) +%endif + %install %mvn_install %fdupes -s %{buildroot}%{_javadocdir} +%if %{with extras} +export SSHD_HOME=$(pwd)/sshd_home/apache-sshd-%{version} +rm $SSHD_HOME/bin/*.bat + +install -d -m 0755 %{buildroot}%{homedir} +cp -a $SSHD_HOME/{bin,dependencies,extras,lib} %{buildroot}%{homedir}/ +xmvn-subst -s -R %{buildroot} -s %{buildroot}%{homedir} +%endif + %files -f .mfiles %doc CHANGES.md %license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt +%if %{with extras} +%files -n apache-sshd-standalone +%{homedir} +%endif + %files javadoc -f .mfiles-javadoc %license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt From 63439894f75421631a7e26d5c2e39eb54eb3d45e573f93e2081392a8b789c3f2 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 17 Oct 2024 01:01:28 +0000 Subject: [PATCH 09/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=35 --- apache-sshd.changes | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apache-sshd.changes b/apache-sshd.changes index a410e97..5c21dde 100644 --- a/apache-sshd.changes +++ b/apache-sshd.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Oct 17 01:00:02 UTC 2024 - Fridrich Strba + +- Add an "extras" flavour to build without cycles all modules we + can +- Build also a standalone apache-sshd application + ------------------------------------------------------------------- Tue Feb 20 11:07:06 UTC 2024 - Dominique Leuenberger From 0182ea1cc60b8c6c2cad737abef7d2cafca38d50540ca294bc4c4509a8b95938 Mon Sep 17 00:00:00 2001 
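Review bot: The `cp -a $SSHD_HOME/{bin,dependencies,extras,lib} %{buildroot}%{homedir}/` line in `%install` keeps whatever modes the Maven assembly tarball carried, and the new `%files -n apache-sshd-standalone` section lists a bare `%{homedir}`, so the spec never states the permissions of the installed server scripts and jars. I would normalise them after the copy, e.g. `chmod -R u=rwX,go=rX %{buildroot}%{homedir}`, so that nothing under the tree ends up group- or world-writable. `$SSHD_HOME` is built from `$(pwd)` and used unquoted in `rm` and `cp`; quoting the directory part (`rm "$SSHD_HOME"/bin/*.bat`) keeps the commands correct if the build path ever contains whitespace. The subpackage also ships no `%license` entry, unlike the other two `%files` sections.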
From: Fridrich Strba Date: Thu, 17 Oct 2024 09:28:57 +0000 Subject: [PATCH 10/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=36 --- ...ependency-on-native-tomcat-APR-libra.patch | 105 ------------------ apache-sshd.spec | 19 ++-- file-name-mapping.patch | 27 +++++ password-no-echo.patch | 33 ++++++ 4 files changed, 71 insertions(+), 113 deletions(-) delete mode 100644 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch create mode 100644 file-name-mapping.patch create mode 100644 password-no-echo.patch diff --git a/0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch b/0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch deleted file mode 100644 index bcb8b0c..0000000 --- a/0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From accd3e006a05615cf6eed9369d91fbedcc4eab16 Mon Sep 17 00:00:00 2001 -From: Mat Booth -Date: Thu, 7 Mar 2019 11:27:55 +0000 -Subject: [PATCH] Avoid optional dependency on native tomcat APR library - ---- - pom.xml | 5 ----- - sshd-core/pom.xml | 6 ------ - .../sshd/agent/local/ProxyAgentFactory.java | 16 +--------------- - sshd-osgi/pom.xml | 6 ------ - 4 files changed, 1 insertion(+), 32 deletions(-) - -diff --git a/pom.xml b/pom.xml -index 867ca88..7c29678 100644 ---- a/pom.xml -+++ b/pom.xml -@@ -434,11 +434,6 @@ - mina-core - 2.0.23 - -- -- tomcat -- tomcat-apr -- 5.5.23 -- - - - net.i2p.crypto -diff --git a/sshd-core/pom.xml b/sshd-core/pom.xml -index 6171c5c..73a43a7 100644 ---- a/sshd-core/pom.xml -+++ b/sshd-core/pom.xml -@@ -43,12 +43,6 @@ - - - -- tomcat -- tomcat-apr -- true -- -- -- - org.bouncycastle - bcpg-jdk18on - true -diff --git a/sshd-core/src/main/java/org/apache/sshd/agent/local/ProxyAgentFactory.java b/sshd-core/src/main/java/org/apache/sshd/agent/local/ProxyAgentFactory.java -index ab19539..5757e68 100644 ---- a/sshd-core/src/main/java/org/apache/sshd/agent/local/ProxyAgentFactory.java -+++ b/sshd-core/src/main/java/org/apache/sshd/agent/local/ProxyAgentFactory.java -@@ -27,8 +27,6 @@ import java.util.concurrent.atomic.AtomicBoolean; - import org.apache.sshd.agent.SshAgent; - import org.apache.sshd.agent.SshAgentFactory; - import org.apache.sshd.agent.SshAgentServer; --import org.apache.sshd.agent.unix.AprLibrary; --import org.apache.sshd.agent.unix.UnixAgentFactory; - import org.apache.sshd.common.FactoryManager; - import org.apache.sshd.common.PropertyResolver; - import org.apache.sshd.common.channel.ChannelFactory; -@@ -51,9 +49,7 @@ public class ProxyAgentFactory implements SshAgentFactory { - - @Override - public List getChannelForwardingFactories(FactoryManager manager) { -- return isPreferredUnixAgent(manager) -- ? 
UnixAgentFactory.DEFAULT_FORWARDING_CHANNELS -- : LocalAgentFactory.DEFAULT_FORWARDING_CHANNELS; -+ return LocalAgentFactory.DEFAULT_FORWARDING_CHANNELS; - } - - @Override -@@ -104,16 +100,6 @@ public class ProxyAgentFactory implements SshAgentFactory { - } - - public static boolean isPreferredUnixAgent(PropertyResolver resolver) { -- if (CoreModuleProperties.PREFER_UNIX_AGENT.getRequired(resolver)) { -- try { -- if (AprLibrary.getInstance() != null) { -- return true; -- } -- } catch (Exception ignore) { -- // ignored -- } -- } -- - return false; - } - } -diff --git a/sshd-osgi/pom.xml b/sshd-osgi/pom.xml -index 5395ceb..f456263 100644 ---- a/sshd-osgi/pom.xml -+++ b/sshd-osgi/pom.xml -@@ -81,12 +81,6 @@ - true - provided - -- -- tomcat -- tomcat-apr -- true -- provided -- - - - --- -2.20.1 diff --git a/apache-sshd.spec b/apache-sshd.spec index 40cb9c6..0924bb9 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec @@ -32,9 +32,9 @@ License: Apache-2.0 AND ISC Group: Development/Libraries/Java URL: https://mina.apache.org/sshd-project Source0: https://archive.apache.org/dist/mina/sshd/%{version}/apache-sshd-%{version}-src.tar.gz -# Avoid optional dep on tomcat native APR library -Patch0: 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch -Patch1: apache-sshd-javadoc.patch +Patch0: apache-sshd-javadoc.patch +Patch1: file-name-mapping.patch +Patch2: password-no-echo.patch BuildRequires: fdupes BuildRequires: maven-local BuildRequires: mvn(junit:junit) @@ -43,6 +43,7 @@ BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-remote-resources-plugin) BuildRequires: mvn(org.apache.maven.surefire:surefire-junit47) BuildRequires: mvn(org.apache.maven:maven-archiver) +BuildRequires: mvn(org.apache.tomcat:tomcat-jni) BuildRequires: mvn(org.apache:apache-jar-resource-bundle) BuildRequires: mvn(org.apache:apache:pom:) >= 30 BuildRequires: mvn(org.bouncycastle:bcpg-jdk18on) 
@@ -64,6 +65,7 @@ BuildRequires: mvn(org.apache.sshd:sshd-sftp) = %{version} BuildRequires: mvn(org.assertj:assertj-core) BuildRequires: mvn(org.bouncycastle:bcprov-jdk18on) BuildRequires: mvn(org.bouncycastle:bcutil-jdk18on) +BuildRequires: mvn(org.c02e.jpgpj:jpgpj) BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit) BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit.pgm) @@ -95,10 +97,12 @@ Requires: javaewah Requires: jcl-over-slf4j Requires: jctools Requires: jgit +Requires: jpgpj Requires: netty Requires: objectweb-asm Requires: slf4j Requires: slf4j-jdk14 +Requires: tomcat-lib %description -n apache-sshd-standalone This package provides standalone installation of apache-sshd @@ -113,12 +117,11 @@ This package provides %{name}. %prep %setup -q -n apache-sshd-%{version} -# Avoid optional dep on tomcat native APR library %patch -P 0 -p1 %patch -P 1 -p1 +%patch -P 2 -p1 -rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix -%pom_remove_dep -r tomcat:tomcat-apr +%pom_change_dep -r tomcat:tomcat-apr org.apache.tomcat:tomcat-jni # Avoid unnecessary dep on spring framework %pom_remove_dep :spring-framework-bom @@ -129,8 +132,6 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %pom_remove_dep -r org.apache.sshd:sshd-mina %pom_disable_module sshd-spring-sftp %pom_remove_dep -r org.apache.sshd:sshd-spring-sftp -%pom_disable_module sshd-openpgp -%pom_remove_dep -r org.apache.sshd:sshd-openpgp # don't require bom that we don't package %pom_remove_dep org.testcontainers:testcontainers-bom sshd-scp %pom_remove_dep :netty-bom sshd-netty @@ -148,6 +149,7 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %pom_disable_module sshd-git %pom_disable_module sshd-contrib %pom_disable_module sshd-cli +%pom_disable_module sshd-openpgp %pom_disable_module assembly %endif 
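Review bot: The `%pom_change_dep -r tomcat:tomcat-apr org.apache.tomcat:tomcat-jni` line in the `@@ -113,12 +117,11 @@` hunk replaces both the `rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix` step and the comment that explained it, and nothing documents the new intent. Together with the deletion of the 0001 patch, this appears to bring the native-library agent path (the `AprLibrary` check in `ProxyAgentFactory.isPreferredUnixAgent`) back into the build, which is a behaviour change for agent forwarding and not only a dependency rename. I would add a comment such as `# tomcat-apr is not packaged; build the unix agent against tomcat-jni instead` and a matching apache-sshd.changes entry, since this commit itself touches no changelog. The new `Patch1` and `Patch2` lines in the preamble would benefit from one-line descriptions as well.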
@@ -174,6 +176,7 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix %{mvn_file} :{*} apache-sshd/@1 +%{mvn_package} :sshd __noinstall %{mvn_package} :apache-sshd __noinstall %build diff --git a/file-name-mapping.patch b/file-name-mapping.patch new file mode 100644 index 0000000..b654778 --- /dev/null +++ b/file-name-mapping.patch @@ -0,0 +1,27 @@ +--- apache-sshd-2.12.0/assembly/src/main/components/modules.xml 2024-10-17 09:52:06.438341043 +0200 ++++ apache-sshd-2.12.0/assembly/src/main/components/modules.xml 2024-10-17 10:04:38.853297583 +0200 +@@ -39,6 +39,7 @@ + + lib + false ++ ${artifact.groupId}-${artifact.artifactId}${dashClassifier?}.${artifact.extension} + + + +@@ -52,6 +53,7 @@ + + extras + false ++ ${artifact.groupId}-${artifact.artifactId}${dashClassifier?}.${artifact.extension} + + + +@@ -68,6 +70,7 @@ + + dependencies + false ++ ${artifact.groupId}-${artifact.artifactId}${dashClassifier?}.${artifact.extension} + + + +\ No newline at end of file diff --git a/password-no-echo.patch b/password-no-echo.patch new file mode 100644 index 0000000..72fb358 --- /dev/null +++ b/password-no-echo.patch 
@@ -0,0 +1,33 @@
+--- apache-sshd-2.12.0/sshd-cli/src/main/java/org/apache/sshd/cli/client/SshClientCliSupport.java 2024-10-17 09:52:06.441674383 +0200
++++ apache-sshd-2.12.0/sshd-cli/src/main/java/org/apache/sshd/cli/client/SshClientCliSupport.java 2024-10-17 11:13:10.836164379 +0200
+@@ -19,6 +19,7 @@
+ package org.apache.sshd.cli.client;
+
+ import java.io.BufferedReader;
++import java.io.Console;
+ import java.io.IOException;
+ import java.io.OutputStream;
+ import java.io.PrintStream;
+@@ -492,6 +493,11 @@
+ throws Throwable {
+ client.setFilePasswordProvider((session, file, index) -> {
+ stdout.print("Enter password for private key file=" + file + ": ");
++
++ Console cons = System.console();
++ if (cons != null) {
++ return new String(cons.readPassword());
++ }
+ return stdin.readLine();
+ });
+
+@@ -552,6 +558,10 @@
+ public String getUpdatedPassword(ClientSession clientSession, String prompt, String lang) {
+ stdout.append(prompt).print(" ");
+ try {
++ Console cons = System.console();
++ if (cons != null) {
++ return new String(cons.readPassword());
++ }
+ return stdin.readLine();
+ } catch (IOException e) {
+ stderr.append("WARNING: ").append(e.getClass().getSimpleName())
From 18f684f1c420b5d97ea15d73f63432ad28b632130984285ee00aecc884559159 Mon Sep 17 00:00:00 2001
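Review bot: Both added `new String(cons.readPassword())` calls throw a NullPointerException when the console reaches end of input, because `Console.readPassword()` returns null there. The `stdin.readLine()` fallback returns null in the same situation, and the `catch (IOException e)` visible in `getUpdatedPassword` does not cover the new exception. The same guard is needed in the file-password lambda (`@@ -492,6 +493,11 @@`) and in `getUpdatedPassword` (`@@ -552,6 +558,10 @@`). The `char[]` should also be wiped once the String has been built, so the passphrase is not left in a second buffer. Both enclosing bodies start or end outside the hunks, so how callers treat a null return is not visible here.

```java
Console cons = System.console();
if (cons != null) {
    char[] pw = cons.readPassword();
    if (pw == null) {
        // End of input: same result the stdin.readLine() fallback gives.
        return null;
    }
    try {
        return new String(pw);
    } finally {
        // The String copy is all the caller needs; clear the console buffer.
        java.util.Arrays.fill(pw, '\0');
    }
}
return stdin.readLine();
```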
From: Fridrich Strba Date: Thu, 17 Oct 2024 09:29:32 +0000 Subject: [PATCH 11/14] =?UTF-8?q?-=20Updated=20to=20upstrem=20version=202.?= =?UTF-8?q?14.0=20-=20Changes=20in=20version=202.14.0=20=20=20*=20Bug=20Fi?= =?UTF-8?q?xes=20=20=20=20=20+=20GH-524=20Performance=20improvements=20=20?= =?UTF-8?q?=20=20=20+=20GH-533=20Fix=20multi-step=20authentication=20=20?= =?UTF-8?q?=20=20=20+=20GH-582=20Fix=20filtering=20in=20NamedFactory=20=20?= =?UTF-8?q?=20=20=20+=20GH-587=20Prevent=20NullPointerExceptionon=20closed?= =?UTF-8?q?=20channel=20in=20=20=20=20=20=20=20NettyIoSession=20=20=20=20?= =?UTF-8?q?=20+=20GH-590=20Better=20support=20for=20FIPS=20=20=20=20=20+?= =?UTF-8?q?=20GH-597=20Pass=20on=20Charset=20in=20=20=20=20=20=20=20Client?= =?UTF-8?q?Session.executeRemoteCommand()=20=20=20*=20New=20Features=20=20?= =?UTF-8?q?=20=20=20+=20New=20utility=20methods=20SftpClient.put(Path=20lo?= =?UTF-8?q?calFile,=20String=20=20=20=20=20=20=20remoteFileName)=20and=20S?= =?UTF-8?q?ftpClient.put(InputStream=20in,=20String=20=20=20=20=20=20=20re?= =?UTF-8?q?moteFileName)=20facilitate=20SFTP=20file=20uploading.=20=20=20*?= =?UTF-8?q?=20GH-590=20Better=20support=20for=20FIPS=20=20=20=20=20Besides?= =?UTF-8?q?=20fixing=20a=20bug=20with=20bc-fips=20(the=20RandomGenerator?= =?UTF-8?q?=20class=20=20=20=20=20exists=20in=20normal=20Bouncy=20Castle,?= =?UTF-8?q?=20but=20not=20in=20the=20FIPS=20version,=20=20=20=20=20but=20A?= =?UTF-8?q?pache=20MINA=20sshd=20referenced=20it=20even=20if=20only=20bc-f?= =?UTF-8?q?ips=20was=20=20=20=20=20present),=20support=20was=20improved=20?= =?UTF-8?q?for=20running=20in=20an=20environment=20=20=20=20=20restricted?= =?UTF-8?q?=20by=20FIPS.=20=20=20=20=20There=20is=20a=20new=20system=20pro?= =?UTF-8?q?perty=20=20=20=20=20org.apache.sshd.security.fipsEnabled.=20If?= =?UTF-8?q?=20set=20to=20true,=20a=20number=20=20=20=20=20of=20crypto-algo?= =?UTF-8?q?rithms=20not=20approved=20by=20FIPS=20140=20are=20disabled:=20?= 
=?UTF-8?q?=20=20=20=20=20=20+=20key=20exchange=20methods=20sntrup761x2551?= =?UTF-8?q?9-sha512,=20=20=20=20=20=20=20=20=20sntrup761x25519-sha512@open?= =?UTF-8?q?ssh.com,=20curve25519-sha256,=20=20=20=20=20=20=20=20=20curve25?= =?UTF-8?q?519-sha256@libssh.org,=20curve448-sha512.=20=20=20=20=20=20=20+?= =?UTF-8?q?=20the=20chacha20-poly1305=20cipher.=20=20=20=20=20=20=20+=20th?= =?UTF-8?q?e=20bcrypt=20KDF=20used=20in=20encrypted=20private=20key=20file?= =?UTF-8?q?s=20in=20=20=20=20=20=20=20=20=20OpenSSH=20format.=20=20=20=20?= =?UTF-8?q?=20=20=20+=20all=20ed25519=20keys=20and=20signatures.=20=20=20?= =?UTF-8?q?=20=20Additionally,=20the=20new=20"SunJCEWrapper"=20SecurityPro?= =?UTF-8?q?viderRegistrar=20=20=20=20=20(see=20below)=20and=20the=20EdDSAS?= =?UTF-8?q?ecurityProviderRegistrar=20are=20=20=20=20=20disabled,=20and=20?= =?UTF-8?q?the=20BouncyCastleScurityProviderRegistrar=20looks=20=20=20=20?= =?UTF-8?q?=20only=20for=20the=20"BCFIPS"=20security=20provider,=20not=20f?= =?UTF-8?q?or=20the=20normal=20=20=20=20=20"BC"=20provider.=20=20=20=20=20?= =?UTF-8?q?If=20the=20system=20property=20is=20not=20set=20to=20true,=20FI?= =?UTF-8?q?PS=20mode=20can=20be=20=20=20=20=20enabled=20programmatically?= =?UTF-8?q?=20by=20calling=20SecurityUtils.setFipsMode()=20=20=20=20=20bef?= =?UTF-8?q?ore=20any=20other=20call=20to=20Apache=20MINA=20sshd.=20=20=20*?= =?UTF-8?q?=20Potential=20compatibility=20issues=20=20=20=20=20+=20New=20s?= =?UTF-8?q?ecurity=20provider=20registrar=20=20=20=20=20=20=20There=20is?= =?UTF-8?q?=20a=20new=20SecurityProviderRegistrar=20that=20is=20registered?= =?UTF-8?q?=20=20=20=20=20=20=20by=20default=20if=20there=20is=20a=20SunJC?= =?UTF-8?q?E=20security=20provider.=20It=20uses=20=20=20=20=20=20=20the=20?= =?UTF-8?q?AES=20and=20HmacSHA*=20implementations=20from=20SunJCE=20even?= =?UTF-8?q?=20if=20=20=20=20=20=20=20Bouncy=20Castle=20is=20also=20registe?= =?UTF-8?q?red.=20SunJCE=20has=20native=20=20=20=20=20=20=20implementation?= 
=?UTF-8?q?s,=20whereas=20Bouncy=20Castle=20may=20not.=20=20=20=20=20=20?= =?UTF-8?q?=20The=20new=20registrar=20has=20the=20name=20"SunJCEWrapper"?= =?UTF-8?q?=20and=20can=20be=20=20=20=20=20=20=20configured=20like=20any?= =?UTF-8?q?=20other=20registrar.=20It=20can=20be=20disabled=20via=20=20=20?= =?UTF-8?q?=20=20=20=20the=20system=20property=20=20=20=20=20=20=20org.apa?= =?UTF-8?q?che.sshd.security.provider.SunJCEWrapper.enabled=3Dfalse.=20=20?= =?UTF-8?q?=20=20=20=20=20It=20is=20also=20disabled=20in=20FIPS=20mode=20(?= =?UTF-8?q?see=20above).=20=20=20=20=20+=20GH-582=20Fix=20filtering=20in?= =?UTF-8?q?=20NamedFactory=20=20=20=20=20=20=20The=20methods=20NamedFactor?= =?UTF-8?q?y.setupBuiltinFactories(boolean=20=20=20=20=20=20=20ignoreUnsup?= =?UTF-8?q?ported,=20...)=20and=20=20=20=20=20=20=20NamedFactory.setupTran?= =?UTF-8?q?sformedFactories(boolean=20=20=20=20=20=20=20ignoreUnsupported,?= =?UTF-8?q?=20...)=20had=20a=20bug=20that=20gave=20the=20=20=20=20=20=20?= =?UTF-8?q?=20"ignoreUnsupported"=20parameter=20actually=20the=20meaning?= =?UTF-8?q?=20of=20=20=20=20=20=20=20"include=20unsupported".=20=20=20=20?= =?UTF-8?q?=20=20=20This=20was=20fixed=20in=20this=20release,=20but=20exis?= =?UTF-8?q?ting=20code=20calling=20=20=20=20=20=20=20these=20or=20one=20of?= =?UTF-8?q?=20the=20following=20methods:=20=20=20=20=20=20=20=20=20~=20Bas?= =?UTF-8?q?eBuilder.setUpDefaultMacs(boolean=20ignoreUnsupported)=20=20=20?= =?UTF-8?q?=20=20=20=20=20=20~=20BaseBuilder.setUpDefaultCiphers(boolean?= =?UTF-8?q?=20ignoreUnsupported)=20=20=20=20=20=20=20=20=20~=20ClientBuild?= =?UTF-8?q?er.setUpDefaultCompressionFactories(boolean=20=20=20=20=20=20?= =?UTF-8?q?=20=20=20=20=20ignoreUnsupported)=20=20=20=20=20=20=20=20=20~?= =?UTF-8?q?=20ClientBuilder.setUpDefaultKeyExchanges(boolean=20=20=20=20?= =?UTF-8?q?=20=20=20=20=20=20=20ignoreUnsupported)=20=20=20=20=20=20=20=20?= =?UTF-8?q?=20~=20ClientBuilder.setUpDefaultSignatureFactories(boolean=20?= 
=?UTF-8?q?=20=20=20=20=20=20=20=20=20=20ignoreUnsupported)=20=20=20=20=20?= =?UTF-8?q?=20=20=20=20~=20ServerBuilder.setUpDefaultCompressionFactories(?= =?UTF-8?q?boolean=20=20=20=20=20=20=20=20=20=20=20ignoreUnsupported)=20?= =?UTF-8?q?=20=20=20=20=20=20=20=20~=20ServerBuilder.setUpDefaultKeyExchan?= =?UTF-8?q?ges(boolean=20=20=20=20=20=20=20=20=20=20=20ignoreUnsupported)?= =?UTF-8?q?=20=20=20=20=20=20=20=20=20~=20ServerBuilder.setUpDefaultSignat?= =?UTF-8?q?ureFactories(boolean=20=20=20=20=20=20=20=20=20=20=20ignoreUnsu?= =?UTF-8?q?pported)=20=20=20=20=20=20=20=20=20~=20any=20of=20the=20methods?= =?UTF-8?q?=20starting=20with=20=20=20=20=20=20=20=20=20=20=20SshConfigFil?= =?UTF-8?q?eReader.configure=20=20=20=20=20=20=20=20=20~=20SshClientConfig?= =?UTF-8?q?FileReader.configure(...)=20=20=20=20=20=20=20=20=20~=20SshServ?= =?UTF-8?q?erConfigFileReader.configure(...)=20=20=20=20=20=20=20should=20?= =?UTF-8?q?be=20reviewed:=20=20=20=20=20=20=20=20=20~=20if=20the=20method?= =?UTF-8?q?=20is=20called=20with=20parameter=20value=20true,=20the=20=20?= =?UTF-8?q?=20=20=20=20=20=20=20=20=20result=20will=20no=20longer=20includ?= =?UTF-8?q?e=20unsupported=20algorithms.=20=20=20=20=20=20=20=20=20=20=20F?= =?UTF-8?q?ormerly=20it=20wrongly=20did.=20=20=20=20=20=20=20=20=20~=20if?= =?UTF-8?q?=20the=20method=20is=20called=20with=20parameter=20value=20fals?= =?UTF-8?q?e,=20the=20=20=20=20=20=20=20=20=20=20=20result=20may=20include?= =?UTF-8?q?=20unsupported=20algorithms.=20Formerly=20it=20=20=20=20=20=20?= =?UTF-8?q?=20=20=20=20=20did=20not.=20=20=20=20=20=20=20So=20if=20existin?= =?UTF-8?q?g=20code=20used=20parameter=20value=20false=20to=20ensure=20it?= =?UTF-8?q?=20=20=20=20=20=20=20never=20got=20unsupported=20algorithms,=20?= =?UTF-8?q?change=20it=20to=20true.=20=20=20*=20Major=20Code=20Re-factorin?= =?UTF-8?q?g=20=20=20=20=20+=20JDK=20requirements=20=20=20=20=20=20=20~=20?= =?UTF-8?q?GH-536=20The=20project=20now=20requires=20JDK=2017=20at=20build?= 
=?UTF-8?q?=20time,=20while=20=20=20=20=20=20=20=20=20the=20target=20runti?= =?UTF-8?q?me=20still=20remains=20unchanged=20to=20support=20JDK=20=20=20?= =?UTF-8?q?=20=20=20=20=20=208.=20-=20Changes=20in=20version=202.13.2=20?= =?UTF-8?q?=20=20*=20What's=20Changed=20=20=20=20=20+=20GH-525:=20Fix=20sn?= =?UTF-8?q?trup761x25519-sha512=20by=20@tomaswolf=20in=20#528=20-=20Change?= =?UTF-8?q?s=20in=20version=202.13.1=20=20=20*=20What's=20changed=20=20=20?= =?UTF-8?q?=20=20+=20This=20release=20does=20not=20contain=20any=20code=20?= =?UTF-8?q?changes.=20It=20is=20solely=20=20=20=20=20=20=20to=20rectify=20?= =?UTF-8?q?the=20issue=20that=20the=202.13.0=20release=20encountered=20=20?= =?UTF-8?q?=20=20=20=20=20during=20the=20release=20process,=20where=20the?= =?UTF-8?q?=20source=20jars=20were=20not=20=20=20=20=20=20=20created.=20-?= =?UTF-8?q?=20Changes=20in=20version=202.13.0=20=20=20*=20What's=20changed?= =?UTF-8?q?=20=20=20=20=20+=20GH-318:=20Handle=20cascaded=20proxy=20jumps?= =?UTF-8?q?=20by=20@tomaswolf=20in=20#512=20=20=20=20=20+=20GH-427:=20Read?= =?UTF-8?q?=20initial=20ACK=20on=20channel=20open=20prior=20to=20direct=20?= =?UTF-8?q?=20=20=20=20=20=20stream=20upload=20&=20close=20streams=20prior?= =?UTF-8?q?=20to=20exit=20code=20handling=20by=20=20=20=20=20=20=20@TerraN?= =?UTF-8?q?ibble=20in=20#464=20=20=20=20=20+=20GH-455:=20ensure=20BaseCiph?= =?UTF-8?q?er.update()=20fulfills=20the=20contract=20by=20=20=20=20=20=20?= =?UTF-8?q?=20@tomaswolf=20in=20#463=20=20=20=20=20+=20GH-470:=20Synchroni?= =?UTF-8?q?ze=20not=20thread=20safe=20=20=20=20=20=20=20java.security.KeyP?= =?UTF-8?q?airGenerator.generateKe=E2=80=A6=20by=20=20=20=20=20=20=20@zakh?= =?UTF-8?q?arovsergey1000=20in=20#467=20=20=20=20=20+=20GH-476:=20Fix=20An?= =?UTF-8?q?droid=20detection=20false=20negative=20by=20@wh0=20=20=20=20=20?= =?UTF-8?q?+=20GH-475:=20Switch=20uses=20of=20JSch=20library=20to=20the=20?= =?UTF-8?q?=20=20=20=20=20=20com.github.mwiede:jsch=20fork=20by=20@Alex-Vo?= 
=?UTF-8?q?l-Amz=20=20=20=20=20+=20GH-472:=20change=20client=20start=20con?= =?UTF-8?q?dition=20in=20sshd-spring-sftp=20by=20=20=20=20=20=20=20@always?= =?UTF-8?q?tom=20=20=20=20=20+=20GH-489:=20sftp=20readdir:=20determine=20f?= =?UTF-8?q?ile=20type=20from=20longname=20by=20=20=20=20=20=20=20@tomaswol?= =?UTF-8?q?f=20in=20#491=20=20=20=20=20+=20GH-486:=20Add=20missing=20U2F?= =?UTF-8?q?=20{ed25519,ecdsa}-sk=20public=20key=20=20=20=20=20=20=20equali?= =?UTF-8?q?ty=20methods=20by=20@lf-=20=20=20=20=20+=20SSHD-1237=20Handle?= =?UTF-8?q?=20keep-alive=20channel=20requests=20by=20@tomaswolf=20in=20=20?= =?UTF-8?q?=20=20=20=20=20#492=20=20=20=20=20+=20GH-494:=20Nio2Session=20i?= =?UTF-8?q?mprovements=20by=20@evgeny-pasynkov=20=20=20=20=20+=20GH-468:?= =?UTF-8?q?=20Handle=20excess=20data=20in=20SFTP=20read=20requests=20by=20?= =?UTF-8?q?=20=20=20=20=20=20@tomaswolf=20in=20#495=20=20=20=20=20+=20GH-4?= =?UTF-8?q?98:=20Implement=20the=20"sntrup761x25519-sha512@openssh.com"=20?= =?UTF-8?q?=20=20=20=20=20=20KEX=20method=20by=20@tomaswolf=20=20=20=20=20?= =?UTF-8?q?+=20GH-500:=20SftpFileSystemProvider:=20close=20SftpClient=20on?= =?UTF-8?q?=20exception=20=20=20=20=20=20=20by=20@tomaswolf=20in=20#501=20?= =?UTF-8?q?=20=20=20=20+=20GH-504:=20Pass=20reason=20to=20sessionNegotiati?= =?UTF-8?q?onEnd=20by=20@duco-lw=20in=20=20=20=20=20=20=20#505=20=20=20=20?= =?UTF-8?q?=20+=20GH-461:=20Fix=20heartbeats=20with=20wantReply=3Dtrue=20b?= =?UTF-8?q?y=20@tomaswolf=20in=20=20=20=20=20=20=20#507=20=20=20=20=20+=20?= =?UTF-8?q?GH-493:=20Fix=20arcfour128=20and=20arcfour256=20ciphers=20(regr?= =?UTF-8?q?ession=20in=20=20=20=20=20=20=202.2.0)=20=20=20=20=20+=20GH-509?= =?UTF-8?q?:=20SFTP=20v[456]=20client:=20validate=20attribute=20flags=20?= =?UTF-8?q?=20=20=20=20+=20GH-510:=20Fix=20class=20name=20in=20BuiltinIoSe?= =?UTF-8?q?rviceFactoryFactories=20=20=20=20=20=20=20(regression=20in=202.?= =?UTF-8?q?6.0)=20=20=20*=20New=20Features=20=20=20=20=20+=20sntrup761x255?= 
=?UTF-8?q?19-sha512@openssh.com=20Key=20Exchange=20=20=20=20=20=20=20The?= =?UTF-8?q?=20key=20exchange=20method=20sntrup761x25519-sha512@openssh.com?= =?UTF-8?q?=20is=20=20=20=20=20=20=20now=20available=20if=20the=20Bouncy?= =?UTF-8?q?=20Castle=20library=20is=20available.=20=20=20=20=20=20=20This?= =?UTF-8?q?=20uses=20a=20post-quantum=20key=20encapsulation=20method=20(KE?= =?UTF-8?q?M)=20to=20=20=20=20=20=20=20make=20key=20exchange=20future-proo?= =?UTF-8?q?f=20against=20quantum=20attacks.=20=20=20=20=20=20=20More=20inf?= =?UTF-8?q?ormation=20can=20be=20found=20in=20IETF=20Memo=20Secure=20Shell?= =?UTF-8?q?=20(SSH)=20=20=20=20=20=20=20Key=20Exchange=20Method=20Using=20?= =?UTF-8?q?Hybrid=20Streamlined=20NTRU=20Prime=20=20=20=20=20=20=20sntrup7?= =?UTF-8?q?61=20and=20X25519=20with=20SHA-512:=20sntrup761x25519-sha512.?= =?UTF-8?q?=20=20=20=20=20+=20Behavioral=20changes=20and=20enhancements=20?= =?UTF-8?q?=20=20=20=20=20=20~=20GH-318=20Handle=20cascaded=20proxy=20jump?= =?UTF-8?q?s=20=20=20=20=20=20=20=20=20Proxy=20jumps=20can=20be=20configur?= =?UTF-8?q?ed=20via=20host=20configuration=20=20=20=20=20=20=20=20=20entri?= =?UTF-8?q?es=20in=20two=20ways.=20First,=20proxies=20can=20be=20chained?= =?UTF-8?q?=20directly=20=20=20=20=20=20=20=20=20by=20specifiying=20severa?= =?UTF-8?q?l=20proxies=20in=20one=20ProxyJump=20directive:=20=20=20=20=20?= =?UTF-8?q?=20=20=20=20=20=20Host=20target=20=20=20=20=20=20=20=20=20=20?= =?UTF-8?q?=20Hostname=20somewhere.example.org=20=20=20=20=20=20=20=20=20?= =?UTF-8?q?=20=20User=20some=5Fuser=20=20=20=20=20=20=20=20=20=20=20Identi?= =?UTF-8?q?tyFile=20~/.ssh/some=5Fid=20=20=20=20=20=20=20=20=20=20=20Proxy?= =?UTF-8?q?Jump=20jumphost2,=20jumphost1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Host jumphost1 Hostname jumphost1@example.org User jumphost1_user IdentityFile ~/.ssh/id_jumphost1 Host jumphost2 Hostname jumphost2@example.org User jumphost2_user IdentityFile ~/.ssh/id_jumphost2 
Connecting to server target will first connect to jumphost1, then tunnel through to jumphost2, and finally tunnel to target. So the full connection will be client→jumphost1→jumphost2→target. Such proxy jump chains were already supported in Apache MINA SSHD. Newly, Apache MINA SSHD also supports cascading proxy jumps, so a configuration like Host target Hostname somewhere.example.org User some_user IdentityFile ~/.ssh/some_id ProxyJump jumphost2 Host jumphost1 Hostname jumphost1@example.org User jumphost1_user IdentityFile ~/.ssh/id_jumphost1 Host jumphost2 Hostname jumphost2@example.org ProxyJump jumphost1 User jumphost2_user IdentityFile ~/.ssh/id_jumphost2 also works now, and produces the same connection client→jumphost1→jumphost2→target. It is possible to mis-configure such proxy jump cascades to have loops. (For instance, if host jumphost1 in the above example had a ProxyJump jumphost2 directive.) To catch such misconfigurations, Apache MINA SSHD imposes an upper limit on the total number of proxy jumps in a connection. An exception is thrown if there are more than CoreModuleProperties.MAX_PROXY_JUMPS proxy jumps in a connection. The default value of this property is 10. Most real uses of proxy jumps will have one or maybe two proxy jumps only. ~ GH-461 Fix heartbeats with wantReply=true The client-side heartbeat mechanism has been updated. Such heartbeats are configured via the CoreModuleProperties.HEARTBEAT_INTERVAL property. If this interval is > 0, heartbeats are sent to the server. Previously these heartbeats could also be configured with a CoreModuleProperties.HEARTBEAT_REPLY_WAIT timeout. If the timeout was <= 0, the client would just send heartbeat requests without expecting any answers. If the timeout was > 0, the client would send requests with a flag indicating that the server should reply. The client would then wait for the specified duration for the reply and would terminate the connection if none was received. 
This mechanism could cause trouble if the timeout was fairly long and the server was slow to respond. A timeout longer than the interval could also delay subsequent heartbeats. The CoreModuleProperties.HEARTBEAT_REPLY_WAIT property is now deprecated. There is a new configuration property CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX instead. It defines a limit for the number of heartbeats sent without receiving a reply before a session is terminated. If the value is <= 0, the client still sends heartbeats without expecting any reply. If the value is > 0, the client will request a reply from the server for each heartbeat message, and it will terminate the connection if the number of unanswered heartbeats reaches CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX. This new way to configure heartbeats aligns with the OpenSSH configuration options ServerAliveInterval and ServerAliveCountMax. For compatibility with older configurations that explicitly define CoreModuleProperties.HEARTBEAT_REPLY_WAIT, the new code maps this to the new configuration (but only if CoreModuleProperties.HEARTBEAT_INTERVAL > 0 and the new property CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX has not been set) by setting CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX to = CoreModuleProperties.HEARTBEAT_REPLY_WAIT <= 0: CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX = 0 = otherwise: (CoreModuleProperties.HEARTBEAT_REPLY_WAIT / CoreModuleProperties.HEARTBEAT_INTERVAL) + 1. ~ GH-468 SFTP: validate length of data received: must not be more than requested SFTP read operations now check the amount of data they get back. If it's more than requested an exception is thrown. SFTP servers must never return more data than the client requested, but it appears that there are some that do so. If property SftpModuleProperties.TOLERATE_EXCESS_DATA is set to true, a warning is logged and such excess data is silently discarded. 
* Potential compatibility issues + AES-CBC ciphers removed from server's defaults The AES-CBC ciphers aes128-cbc, aes192-cbc, and aes256-cbc have been removed from the default list of cipher algorithms that a server proposes in the key exchange. OpenSSH has removed these cipher algorithms from the server proposal in 2014, and has removed them from the client proposal in 2017. The cipher implementations still exist but they are not enabled by default. Existing code that explicitly sets the cipher factories is unaffected. Code that relies on the default settings will newly create a server that does not support the CBC-mode ciphers. To enable the CBC-mode ciphers, one can use for instance SshServer server = ServerBuilder.builder() ... .cipherFactories(BuiltinFactory.setUpFactories(false, BaseBuilder.DEFAULT_CIPHERS_PREFERENCES)); ... .build(); For the SSH client, the CBC ciphers are still enabled by default to facilitate connecting to legacy servers. We plan to remove the CBC ciphers from the client's defaults in the next release. - Changes in version 2.12.1 * Bug Fixes + GH-458 Singleton thread pool for kex message handler flushing + SSHD-1338 Restore binary compatibility with 2.9.2 * What's Changed + Fix link by @swiedenfeld in #454 + SSHD-1338 Restore binary compatibility with 2.9.2 by @gnodet in #456 + Use a singleton threadpool for kex message handler flushing by @FliegenKLATSCH in #459 - Enable module: sshd-openpgp OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=37 --- apache-sshd-2.12.0-src.tar.gz | 3 - apache-sshd-2.14.0-src.tar.gz | 3 + apache-sshd.changes | 296 ++++++++++++++++++++++++++++++++++ apache-sshd.spec | 12 +- 4 files changed, 305 insertions(+), 9 deletions(-) delete mode 100644 apache-sshd-2.12.0-src.tar.gz create mode 100644 apache-sshd-2.14.0-src.tar.gz diff --git a/apache-sshd-2.12.0-src.tar.gz b/apache-sshd-2.12.0-src.tar.gz deleted file mode 100644 index 342ee39..0000000 
--- a/apache-sshd-2.12.0-src.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e8198fd90ca8089a71547300a7a8f6e853dd5fea6095a6887f79564849e76bd8 -size 1857423 diff --git a/apache-sshd-2.14.0-src.tar.gz b/apache-sshd-2.14.0-src.tar.gz new file mode 100644 index 0000000..8876875 --- /dev/null +++ b/apache-sshd-2.14.0-src.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:148f5bc1c4ac73dc59024392eb45fc76ae32671dd146cf7962c44f255bae925e +size 1888003 diff --git a/apache-sshd.changes b/apache-sshd.changes index 5c21dde..9be1e79 100644 --- a/apache-sshd.changes +++ b/apache-sshd.changes 
@@ -1,3 +1,299 @@ +------------------------------------------------------------------- +Thu Oct 17 07:53:50 UTC 2024 - Anton Shvetz + +- Updated to upstrem version 2.14.0 +- Changes in version 2.14.0 + * Bug Fixes + + GH-524 Performance improvements + + GH-533 Fix multi-step authentication + + GH-582 Fix filtering in NamedFactory + + GH-587 Prevent NullPointerExceptionon closed channel in + NettyIoSession + + GH-590 Better support for FIPS + + GH-597 Pass on Charset in + ClientSession.executeRemoteCommand() + * New Features + + New utility methods SftpClient.put(Path localFile, String + remoteFileName) and SftpClient.put(InputStream in, String + remoteFileName) facilitate SFTP file uploading. + * GH-590 Better support for FIPS + Besides fixing a bug with bc-fips (the RandomGenerator class + exists in normal Bouncy Castle, but not in the FIPS version, + but Apache MINA sshd referenced it even if only bc-fips was + present), support was improved for running in an environment + restricted by FIPS. + There is a new system property + org.apache.sshd.security.fipsEnabled. If set to true, a number + of crypto-algorithms not approved by FIPS 140 are disabled: + + key exchange methods sntrup761x25519-sha512, + sntrup761x25519-sha512@openssh.com, curve25519-sha256, + curve25519-sha256@libssh.org, curve448-sha512. + + the chacha20-poly1305 cipher. + + the bcrypt KDF used in encrypted private key files in + OpenSSH format. + + all ed25519 keys and signatures. + Additionally, the new "SunJCEWrapper" SecurityProviderRegistrar + (see below) and the EdDSASecurityProviderRegistrar are + disabled, and the BouncyCastleScurityProviderRegistrar looks + only for the "BCFIPS" security provider, not for the normal + "BC" provider. + If the system property is not set to true, FIPS mode can be + enabled programmatically by calling SecurityUtils.setFipsMode() + before any other call to Apache MINA sshd. 
+ * Potential compatibility issues + + New security provider registrar + There is a new SecurityProviderRegistrar that is registered + by default if there is a SunJCE security provider. It uses + the AES and HmacSHA* implementations from SunJCE even if + Bouncy Castle is also registered. SunJCE has native + implementations, whereas Bouncy Castle may not. + The new registrar has the name "SunJCEWrapper" and can be + configured like any other registrar. It can be disabled via + the system property + org.apache.sshd.security.provider.SunJCEWrapper.enabled=false. + It is also disabled in FIPS mode (see above). + + GH-582 Fix filtering in NamedFactory + The methods NamedFactory.setupBuiltinFactories(boolean + ignoreUnsupported, ...) and + NamedFactory.setupTransformedFactories(boolean + ignoreUnsupported, ...) had a bug that gave the + "ignoreUnsupported" parameter actually the meaning of + "include unsupported". + This was fixed in this release, but existing code calling + these or one of the following methods: + ~ BaseBuilder.setUpDefaultMacs(boolean ignoreUnsupported) + ~ BaseBuilder.setUpDefaultCiphers(boolean ignoreUnsupported) + ~ ClientBuilder.setUpDefaultCompressionFactories(boolean + ignoreUnsupported) + ~ ClientBuilder.setUpDefaultKeyExchanges(boolean + ignoreUnsupported) + ~ ClientBuilder.setUpDefaultSignatureFactories(boolean + ignoreUnsupported) + ~ ServerBuilder.setUpDefaultCompressionFactories(boolean + ignoreUnsupported) + ~ ServerBuilder.setUpDefaultKeyExchanges(boolean + ignoreUnsupported) + ~ ServerBuilder.setUpDefaultSignatureFactories(boolean + ignoreUnsupported) + ~ any of the methods starting with + SshConfigFileReader.configure + ~ SshClientConfigFileReader.configure(...) + ~ SshServerConfigFileReader.configure(...) + should be reviewed: + ~ if the method is called with parameter value true, the + result will no longer include unsupported algorithms. + Formerly it wrongly did. 
+ ~ if the method is called with parameter value false, the + result may include unsupported algorithms. Formerly it + did not. + So if existing code used parameter value false to ensure it + never got unsupported algorithms, change it to true. + * Major Code Re-factoring + + JDK requirements + ~ GH-536 The project now requires JDK 17 at build time, while + the target runtime still remains unchanged to support JDK + 8. +- Changes in version 2.13.2 + * What's Changed + + GH-525: Fix sntrup761x25519-sha512 by @tomaswolf in #528 +- Changes in version 2.13.1 + * What's changed + + This release does not contain any code changes. It is solely + to rectify the issue that the 2.13.0 release encountered + during the release process, where the source jars were not + created. +- Changes in version 2.13.0 + * What's changed + + GH-318: Handle cascaded proxy jumps by @tomaswolf in #512 + + GH-427: Read initial ACK on channel open prior to direct + stream upload & close streams prior to exit code handling by + @TerraNibble in #464 + + GH-455: ensure BaseCipher.update() fulfills the contract by + @tomaswolf in #463 + + GH-470: Synchronize not thread safe + java.security.KeyPairGenerator.generateKe… by + @zakharovsergey1000 in #467 + + GH-476: Fix Android detection false negative by @wh0 + + GH-475: Switch uses of JSch library to the + com.github.mwiede:jsch fork by @Alex-Vol-Amz + + GH-472: change client start condition in sshd-spring-sftp by + @alwaystom + + GH-489: sftp readdir: determine file type from longname by + @tomaswolf in #491 + + GH-486: Add missing U2F {ed25519,ecdsa}-sk public key + equality methods by @lf- + + SSHD-1237 Handle keep-alive channel requests by @tomaswolf in + #492 + + GH-494: Nio2Session improvements by @evgeny-pasynkov + + GH-468: Handle excess data in SFTP read requests by + @tomaswolf in #495 + + GH-498: Implement the "sntrup761x25519-sha512@openssh.com" + KEX method by @tomaswolf + + GH-500: SftpFileSystemProvider: close SftpClient on exception + 
by @tomaswolf in #501 + + GH-504: Pass reason to sessionNegotiationEnd by @duco-lw in + #505 + + GH-461: Fix heartbeats with wantReply=true by @tomaswolf in + #507 + + GH-493: Fix arcfour128 and arcfour256 ciphers (regression in + 2.2.0) + + GH-509: SFTP v[456] client: validate attribute flags + + GH-510: Fix class name in BuiltinIoServiceFactoryFactories + (regression in 2.6.0) + * New Features + + sntrup761x25519-sha512@openssh.com Key Exchange + The key exchange method sntrup761x25519-sha512@openssh.com is + now available if the Bouncy Castle library is available. + This uses a post-quantum key encapsulation method (KEM) to + make key exchange future-proof against quantum attacks. + More information can be found in IETF Memo Secure Shell (SSH) + Key Exchange Method Using Hybrid Streamlined NTRU Prime + sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512. + + Behavioral changes and enhancements + ~ GH-318 Handle cascaded proxy jumps + Proxy jumps can be configured via host configuration + entries in two ways. First, proxies can be chained directly + by specifiying several proxies in one ProxyJump directive: + Host target + Hostname somewhere.example.org + User some_user + IdentityFile ~/.ssh/some_id + ProxyJump jumphost2, jumphost1 + + Host jumphost1 + Hostname jumphost1@example.org + User jumphost1_user + IdentityFile ~/.ssh/id_jumphost1 + + Host jumphost2 + Hostname jumphost2@example.org + User jumphost2_user + IdentityFile ~/.ssh/id_jumphost2 + + Connecting to server target will first connect to + jumphost1, then tunnel through to jumphost2, and finally + tunnel to target. So the full connection will be + client→jumphost1→jumphost2→target. + Such proxy jump chains were already supported in Apache + MINA SSHD. 
+ Newly, Apache MINA SSHD also supports cascading proxy + jumps, so a configuration like + Host target + Hostname somewhere.example.org + User some_user + IdentityFile ~/.ssh/some_id + ProxyJump jumphost2 + + Host jumphost1 + Hostname jumphost1@example.org + User jumphost1_user + IdentityFile ~/.ssh/id_jumphost1 + + Host jumphost2 + Hostname jumphost2@example.org + ProxyJump jumphost1 + User jumphost2_user + IdentityFile ~/.ssh/id_jumphost2 + also works now, and produces the same connection + client→jumphost1→jumphost2→target. + + It is possible to mis-configure such proxy jump cascades to + have loops. (For instance, if host jumphost1 in the above + example had a ProxyJump jumphost2 directive.) To catch such + misconfigurations, Apache MINA SSHD imposes an upper limit + on the total number of proxy jumps in a connection. An + exception is thrown if there are more than + CoreModuleProperties.MAX_PROXY_JUMPS proxy jumps in a + connection. The default value of this property is 10. Most + real uses of proxy jumps will have one or maybe two proxy + jumps only. + ~ GH-461 Fix heartbeats with wantReply=true + The client-side heartbeat mechanism has been updated. Such + heartbeats are configured via the + CoreModuleProperties.HEARTBEAT_INTERVAL property. If this + interval is > 0, heartbeats are sent to the server. + Previously these heartbeats could also be configured with a + CoreModuleProperties.HEARTBEAT_REPLY_WAIT timeout. If the + timeout was <= 0, the client would just send heartbeat + requests without expecting any answers. If the timeout was + > 0, the client would send requests with a flag indicating + that the server should reply. The client would then wait + for the specified duration for the reply and would + terminate the connection if none was received. + This mechanism could cause trouble if the timeout was + fairly long and the server was slow to respond. A timeout + longer than the interval could also delay subsequent + heartbeats. 
+ The CoreModuleProperties.HEARTBEAT_REPLY_WAIT property is + now deprecated. + There is a new configuration property + CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX instead. It + defines a limit for the number of heartbeats sent without + receiving a reply before a session is terminated. If the + value is <= 0, the client still sends heartbeats without + expecting any reply. If the value is > 0, the client will + request a reply from the server for each heartbeat message, + and it will terminate the connection if the number of + unanswered heartbeats reaches + CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX. + This new way to configure heartbeats aligns with the + OpenSSH configuration options ServerAliveInterval and + ServerAliveCountMax. + For compatibility with older configurations that explicitly + define CoreModuleProperties.HEARTBEAT_REPLY_WAIT, the new + code maps this to the new configuration (but only if + CoreModuleProperties.HEARTBEAT_INTERVAL > 0 and the new + property CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX has + not been set) by setting + CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX to + = CoreModuleProperties.HEARTBEAT_REPLY_WAIT <= 0: + CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX = 0 + = otherwise: (CoreModuleProperties.HEARTBEAT_REPLY_WAIT / + CoreModuleProperties.HEARTBEAT_INTERVAL) + 1. + ~ GH-468 SFTP: validate length of data received: must not be + more than requested + SFTP read operations now check the amount of data they get + back. If it's more than requested an exception is thrown. + SFTP servers must never return more data than the client + requested, but it appears that there are some that do so. + If property SftpModuleProperties.TOLERATE_EXCESS_DATA is + set to true, a warning is logged and such excess data is + silently discarded. 
+ * Potential compatibility issues + + AES-CBC ciphers removed from server's defaults + The AES-CBC ciphers aes128-cbc, aes192-cbc, and aes256-cbc + have been removed from the default list of cipher algorithms + that a server proposes in the key exchange. OpenSSH has + removed these cipher algorithms from the server proposal in + 2014, and has removed them from the client proposal in 2017. + The cipher implementations still exist but they are not + enabled by default. Existing code that explicitly sets the + cipher factories is unaffected. Code that relies on the + default settings will newly create a server that does not + support the CBC-mode ciphers. To enable the CBC-mode ciphers, + one can use for instance + SshServer server = ServerBuilder.builder() + ... + .cipherFactories(BuiltinFactory.setUpFactories(false, + BaseBuilder.DEFAULT_CIPHERS_PREFERENCES)); + ... + .build(); + For the SSH client, the CBC ciphers are still enabled by + default to facilitate connecting to legacy servers. We plan + to remove the CBC ciphers from the client's defaults in the + next release. +- Changes in version 2.12.1 + * Bug Fixes + + GH-458 Singleton thread pool for kex message handler flushing + + SSHD-1338 Restore binary compatibility with 2.9.2 + * What's Changed + + Fix link by @swiedenfeld in #454 + + SSHD-1338 Restore binary compatibility with 2.9.2 by @gnodet + in #456 + + Use a singleton threadpool for kex message handler flushing + by @FliegenKLATSCH in #459 +- Enable module: sshd-openpgp + ------------------------------------------------------------------- Thu Oct 17 01:00:02 UTC 2024 - Fridrich Strba diff --git a/apache-sshd.spec b/apache-sshd.spec index 0924bb9..839fdd9 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec @@ -23,7 +23,7 @@ %bcond_with extras %endif %global homedir %{_datadir}/apache-sshd -Version: 2.12.0 +Version: 2.14.0 Release: 0 Summary: Apache SSHD # One file has ISC licensing: 
@@ -128,6 +128,7 @@ This package provides %{name}. %pom_remove_dep :testcontainers-bom sshd-sftp sshd-core # We don't have dependencies for these modules +%pom_disable_module sshd-benchmarks %pom_disable_module sshd-mina %pom_remove_dep -r org.apache.sshd:sshd-mina %pom_disable_module sshd-spring-sftp @@ -144,6 +145,7 @@ This package provides %{name}. %pom_disable_module sshd-scp %pom_disable_module sshd-sftp %else +%pom_disable_module sshd-openpgp %pom_disable_module sshd-netty %pom_disable_module sshd-ldap %pom_disable_module sshd-git @@ -155,19 +157,17 @@ This package provides %{name}. # Disable plugins we don't need for RPM builds %pom_remove_plugin :apache-rat-plugin -%pom_remove_plugin :gmavenplus-plugin %pom_remove_plugin :maven-checkstyle-plugin %pom_remove_plugin :maven-enforcer-plugin %pom_remove_plugin :maven-pmd-plugin -%pom_remove_plugin :animal-sniffer-maven-plugin %pom_remove_plugin :impsort-maven-plugin %pom_remove_plugin :maven-clean-plugin %pom_remove_plugin :formatter-maven-plugin . sshd-core # We only need the unix-bin execution -%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='unix-src']]" assembly -%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='windows-bin']]" assembly -%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='windows-src']]" assembly +%pom_xpath_remove "pom:executions/pom:execution[pom:id='unix-src']" assembly +%pom_xpath_remove "pom:executions/pom:execution[pom:id='windows-bin']" assembly +%pom_xpath_remove "pom:executions/pom:execution[pom:id='windows-src']" assembly # Suppress generation of uses clauses %pom_xpath_inject "pom:configuration/pom:instructions" "<_nouses>true" . From e9413ff953a20e4fff3f75fe191d8dc0171ab14bc7f41bb81526b9230934b48c Mon Sep 17 00:00:00 2001 
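Review bot: The `%pom_disable_module sshd-openpgp` line added directly after `%else` in hunk `@@ -144,6 +145,7 @@` appears to duplicate a call that already exists in the same branch. The context of the next patch in this series (12/14) shows the same macro call a few lines further down, just before `%pom_disable_module assembly`. If `%pom_disable_module` fails when the module is no longer listed in the POM (worth confirming against the javapackages macros in use), this revision does not build on its own for the flavour that takes the `%else` branch. Folding the one-line removal from 12/14 into this commit would keep every revision in the series buildable and bisectable. The `%if`/`%else` block starts and ends outside the hunk.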
From: Fridrich Strba Date: Thu, 17 Oct 2024 09:31:24 +0000 Subject: [PATCH 12/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=38 --- apache-sshd.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/apache-sshd.spec b/apache-sshd.spec index 839fdd9..2159b75 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec @@ -151,7 +151,6 @@ This package provides %{name}. %pom_disable_module sshd-git %pom_disable_module sshd-contrib %pom_disable_module sshd-cli -%pom_disable_module sshd-openpgp %pom_disable_module assembly %endif From 8f74e2e92541c3ca00a22e46085399aec987420592eaf8cd1a7c09c9f5fe1d33 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Fri, 18 Oct 2024 06:58:07 +0000 Subject: [PATCH 13/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=39 --- apache-sshd.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/apache-sshd.spec b/apache-sshd.spec index 2159b75..7ebf542 100644 --- a/apache-sshd.spec +++ b/apache-sshd.spec @@ -70,6 +70,7 @@ BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit) BuildRequires: mvn(org.eclipse.jgit:org.eclipse.jgit.pgm) BuildRequires: mvn(org.slf4j:slf4j-jdk14) +#!BuildRequires: jgit %else Name: apache-sshd BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin) From 02c042fe403ecc334405abd477db4413d1286f75f7b4f9adcf74c6901aa5e20f Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Tue, 29 Oct 2024 20:12:29 +0000 Subject: [PATCH 14/14] OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=40 --- apache-sshd.changes | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/apache-sshd.changes b/apache-sshd.changes index 9be1e79..b5f891e 100644 --- a/apache-sshd.changes +++ b/apache-sshd.changes 
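Review bot: The added `#!BuildRequires: jgit` in hunk `@@ -70,6 +70,7 @@` has no comment saying why it is needed, and only the Open Build Service honours it: plain rpmbuild reads the line as a comment. A rebuild outside OBS would therefore resolve a different build environment from the one that produced the published package, which makes the build harder to reproduce and audit. If the package is really required at build time, a regular `BuildRequires: jgit` makes it visible to every builder. If it only steers OBS dependency resolution, say so above the line, e.g. `# OBS-only: <reason jgit must be installed in the build root>`. The enclosing `%if` branch starts outside the hunk.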
@@ -300,6 +300,14 @@ Thu Oct 17 01:00:02 UTC 2024 - Fridrich Strba - Add an "extras" flavour to build without cycles all modules we can - Build also a standalone apache-sshd application +- Removed patch: + * 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch + + use tomcat-jni instead and build the module +- Added patches: + * file-name-mapping.patch + + Do not add version to the assembled artifacts + * password-no-echo.patch + + Do not echo on the console the password ------------------------------------------------------------------- Tue Feb 20 11:07:06 UTC 2024 - Dominique Leuenberger