Unable to create SshSessionFactory on versions > 5 JGit [message #1838151]
Wed, 17 February 2021 09:30
Eclipse User
Hello everybody,
I want to make a git clone through ssh with JGit, but I am not able to create an SshSession because I don't know how to initialize it.
I tried to use SshSessionFactory.getInstance(), but this returns null, and SshTransport.setSshSessionFactory() failed with null.
Currently I am using JGit 5.10.0.202012080955-r, and I know that for older versions (<= 4) there is a way to initialize SshSessionFactory with JschConfigSessionFactory, but in the latest versions this class is removed.
I tried to find a way or detailed documentation on their website, but I couldn't.
Could someone please help me with an example?
Best regards,
Re: Unable to create SshSessionFactory on versions > 5 JGit [message #1838353 is a reply to message #1838336]
Mon, 22 February 2021 16:14
Eclipse User
Yes, it is. Take a look at the SshdSessionFactoryBuilder. It has a number of hooks you can use. Skipping GSSAPI (Kerberos) would be setPreferredAuthentications("publickey,keyboard-interactive,password"). StrictHostKeyChecking can be changed for instance by adding a ServerKeyDatabase via setServerKeyDatabase(). For instance one that always returns true in its accept() method to switch off host key checking altogether. Setting a particular ssh key could be done for instance by switching off handling of ~/.ssh/config (setConfigStoreFactory((h, f, u) -> null)) and defining the key to use via setDefaultIdentities().
Or you could work with a custom ConfigStoreFactory installed via setConfigStoreFactory(), which could return a SshConfigStore that returned a HostEntry with StrictHostKeyChecking=no and IdentityFile=<whatever> and PreferredAuthentications=...
There are really multiple ways to customize this. You may find some of the tests in bundle org.eclipse.jgit.ssh.apache.test interesting, in particular, there are two tests that show how to configure this so that it doesn't use any on-disk files and a pre-defined key.
BTW: depending on what your application does or how it is structured, it may not be necessary to create a new SshSessionFactory in a TransportConfigCallback on each git command. Maybe it is sufficient to just define the SshSessionFactory once and then set it globally via SshSessionFactory.setInstance(). That is what EGit does. Might be possible in your case, too. With a custom ConfigStoreFactory you should be able to configure individual connections as if the config was done in a ~/.ssh/config file, but without actually using such a file, and without having to create new session factories all the time.
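The configuration described in the reply above, as an added example that is not part of the original post or of JGit's own code: instead of a ServerKeyDatabase whose accept() always returns true, this one accepts only a server key whose fingerprint matches a pinned value, so host key checking stays on without any known_hosts file. The class names and the fingerprint placeholder are hypothetical; it assumes a JGit version that ships SshdSessionFactoryBuilder, that setServerKeyDatabase() takes a two-argument factory (home directory, ssh directory), and that Apache MINA sshd's KeyUtils.getFingerPrint() is on the classpath.

```java
import java.net.InetSocketAddress;
import java.nio.file.Path;
import java.security.PublicKey;
import java.util.Collections;
import java.util.List;

import org.apache.sshd.common.config.keys.KeyUtils;
import org.eclipse.jgit.transport.CredentialsProvider;
import org.eclipse.jgit.transport.SshSessionFactory;
import org.eclipse.jgit.transport.sshd.JGitKeyCache;
import org.eclipse.jgit.transport.sshd.ServerKeyDatabase;
import org.eclipse.jgit.transport.sshd.SshdSessionFactoryBuilder;

public final class PinnedHostSsh { // hypothetical class name
    // Placeholder: the server's host key fingerprint in OpenSSH "SHA256:..." form.
    static final String PINNED = "SHA256:REPLACE_WITH_HOST_KEY_FINGERPRINT";

    /** Accepts a server key only if its fingerprint equals the pinned one. */
    static final class PinnedKeyDatabase implements ServerKeyDatabase {
        @Override
        public List<PublicKey> lookup(String connectAddress,
                InetSocketAddress remoteAddress, Configuration config) {
            return Collections.emptyList(); // nothing stored on disk
        }

        @Override
        public boolean accept(String connectAddress,
                InetSocketAddress remoteAddress, PublicKey serverKey,
                Configuration config, CredentialsProvider provider) {
            // Reject every key except the pinned one; never prompt the user.
            return PINNED.equals(KeyUtils.getFingerPrint(serverKey));
        }
    }

    /** Builds the factory once and installs it globally, as the reply suggests. */
    public static void install(Path privateKey) {
        SshSessionFactory factory = new SshdSessionFactoryBuilder()
                // Skip GSSAPI (Kerberos), as in the reply.
                .setPreferredAuthentications("publickey,keyboard-interactive,password")
                // Ignore ~/.ssh/config entirely.
                .setConfigStoreFactory((h, f, u) -> null)
                // Offer exactly one private key file.
                .setDefaultIdentities(sshDir -> Collections.singletonList(privateKey))
                .setServerKeyDatabase((home, ssh) -> new PinnedKeyDatabase())
                .build(new JGitKeyCache());
        SshSessionFactory.setInstance(factory);
    }
}
```

Call PinnedHostSsh.install(...) once at application start-up, before the first clone, fetch or push over ssh.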
Re: Unable to create SshSessionFactory on versions > 5 JGit [message #1839791 is a reply to message #1838353]
Mon, 29 March 2021 04:26
Eclipse User
Thomas Wolf wrote on Mon, 22 February 2021 21:14:
> Yes, it is. Take a look at the SshdSessionFactoryBuilder. It has a number of hooks you can use. Skipping GSSAPI (Kerberos) would be setPreferredAuthentications("publickey,keyboard-interactive,password"). StrictHostKeyChecking can be changed for instance by adding a ServerKeyDatabase via setServerKeyDatabase(). For instance one that always returns true in its accept() method to switch off host key checking altogether. Setting a particular ssh key could be done for instance by switching off handling of ~/.ssh/config (setConfigStoreFactory((h, f, u) -> null)) and defining the key to use via setDefaultIdentities().
> Or you could work with a custom ConfigStoreFactory installed via setConfigStoreFactory(), which could return a SshConfigStore that returned a HostEntry with StrictHostKeyChecking=no and IdentityFile=<whatever> and PreferredAuthentications=...
> There are really multiple ways to customize this. You may find some of the tests in bundle org.eclipse.jgit.ssh.apache.test interesting, in particular, there are two tests that show how to configure this so that it doesn't use any on-disk files and a pre-defined key.
> BTW: depending on what your application does or how it is structured, it may not be necessary to create a new SshSessionFactory in a TransportConfigCallback on each git command. Maybe it is sufficient to just define the SshSessionFactory once and then set it globally via SshSessionFactory.setInstance(). That is what EGit does. Might be possible in your case, too. With a custom ConfigStoreFactory you should be able to configure individual connections as if the config was done in a ~/.ssh/config file, but without actually using such a file, and without having to create new session factories all the time.
Something is unclear to me...
After I did these changes:
SshdSessionFactoryBuilder sshdSessionFactoryBuilder = new SshdSessionFactoryBuilder();
sshdSessionFactoryBuilder.setPreferredAuthentications("publickey,keyboard-interactive,password");
sshdSessionFactoryBuilder.setHomeDirectory(FS.detect().userHome());
sshdSessionFactoryBuilder.setSshDirectory(FS.detect().userHome());
SshSessionFactory.setInstance(sshdSessionFactoryBuilder.build(new JGitKeyCache()));
I receive this error:
Caused by: org.apache.sshd.common.SshException: Server key did not validate
at org.eclipse.jgit.internal.transport.sshd.JGitClientSession.checkKeys(JGitClientSession.java:344)
at org.apache.sshd.common.session.helpers.AbstractSession.handleKexMessage(AbstractSession.java:578)
at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:464)
Without the previous changes (I have only this line: SshSessionFactory.setInstance(new SshdSessionFactory()); ) I receive this warning:
2021-03-29 11:22:57.463 INFO --- [scheduling-1] o.a.s.c.u.s.e.EdDSASecurityProviderRegistrar - getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
2021-03-29 11:22:57.611 INFO --- [scheduling-1] o.a.s.c.i.DefaultIoServiceFactoryFactory - No detected/configured IoServiceFactoryFactory using Nio2ServiceFactoryFactory
2021-03-29 11:23:04.835 WARN --- [sshd-JGitSshClient[656b5146]-nio2-thread-1] o.e.j.i.t.s.GssApiWithMicAuthentication - GSS-API error for mechanism OID 1.2.840.113554.1.2.2
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at java.security.jgss/sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:162)
at java.security.jgss/sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
at java.security.jgss/sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:193)
at java.security.jgss/sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:218)
at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196)
at org.eclipse.jgit.internal.transport.sshd.GssApiWithMicAuthentication.sendToken(GssApiWithMicAuthentication.java:183)
To be frank, I don't know how exactly it works for the second scenario (which ssh key is used for pull and push).
Also, for the first scenario, is the format of the key invalid? What is the supported ssh key? How can I generate a valid one?