This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Disclaimer: I might have chosen the wrong component, this was my best guess.

Trying to use the internal SSH client for tunneling CVS commands, it fails trying to connect to Debian 3.1 SSH servers with default SSH setup. Connecting to Debian 3.0 servers works ok, as does connecting to FreeBSD servers.

If I change "PasswordAuthentication" from "no" (default) to "yes" in sshd_config, NetBeans connects fine. This should not be necessary as I use PAM (the default SSH setup in Debian 3.1). Any other SSH client (OpenSSH, PuTTY, WinSCP, midpssh, ...) connects just fine using password authentication towards the same Debian 3.1 servers I have tested.

I've attached log output from the server while trying to connect in the checkout wizard.

SSH Server log (debug log level) with PasswordAuthentication no:

Feb 13 15:34:10 gizmo sshd[28543]: Connection from ::ffff:10.0.0.106 port 1741
Feb 13 15:34:10 gizmo sshd[28528]: debug1: Forked child 28543.
Feb 13 15:34:10 gizmo sshd[28543]: debug1: Client protocol version 2.0; client software version JSCH-0.1.24
Feb 13 15:34:10 gizmo sshd[28543]: debug1: no match: JSCH-0.1.24
Feb 13 15:34:10 gizmo sshd[28543]: debug1: Enabling compatibility mode for protocol 2.0
Feb 13 15:34:10 gizmo sshd[28543]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Feb 13 15:34:11 gizmo sshd[28543]: debug1: PAM: initializing for "oyvindh"
Feb 13 15:34:11 gizmo sshd[28543]: debug1: PAM: setting PAM_RHOST to "myhost.example.com"
Feb 13 15:34:11 gizmo sshd[28543]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 13 15:34:11 gizmo sshd[28543]: debug1: do_cleanup
Feb 13 15:34:11 gizmo sshd[28543]: debug1: PAM: cleanup

SSH Server log (debug log level) with PasswordAuthentication yes:

Feb 13 15:31:10 gizmo sshd[28174]: Connection from ::ffff:10.0.0.106 port 1735
Feb 13 15:31:10 gizmo sshd[14341]: debug1: Forked child 28174.
Feb 13 15:31:10 gizmo sshd[28174]: debug1: Client protocol version 2.0; client software version JSCH-0.1.24
Feb 13 15:31:10 gizmo sshd[28174]: debug1: no match: JSCH-0.1.24
Feb 13 15:31:10 gizmo sshd[28174]: debug1: Enabling compatibility mode for protocol 2.0
Feb 13 15:31:10 gizmo sshd[28174]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Feb 13 15:31:10 gizmo sshd[28174]: debug1: PAM: initializing for "oyvindh"
Feb 13 15:31:10 gizmo sshd[28174]: debug1: PAM: setting PAM_RHOST to "myhost.example.com"
Feb 13 15:31:10 gizmo sshd[28174]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 13 15:31:10 gizmo sshd[28174]: Failed none for oyvindh from ::ffff:10.0.0.106 port 1735 ssh2
Feb 13 15:31:10 gizmo sshd[28174]: Accepted password for oyvindh from ::ffff:10.0.0.106 port 1735 ssh2
Feb 13 15:31:10 gizmo sshd[28174]: debug1: monitor_child_preauth: oyvindh has been authenticated by privileged process
Feb 13 15:31:10 gizmo sshd[28176]: (pam_unix) session opened for user oyvindh by (uid=0)
Feb 13 15:31:10 gizmo sshd[28176]: debug1: PAM: reinitializing credentials
Feb 13 15:31:10 gizmo sshd[28176]: debug1: permanently_set_uid: 1000/1000
Feb 13 15:31:10 gizmo sshd[28176]: debug1: Entering interactive session for SSH2.
Feb 13 15:31:10 gizmo sshd[28176]: debug1: server_init_dispatch_20
Feb 13 15:31:10 gizmo sshd[28176]: debug1: server_input_channel_open: ctype session rchan 8 win 1048576 max 16384
Feb 13 15:31:10 gizmo sshd[28176]: debug1: input_session_request
Feb 13 15:31:10 gizmo sshd[28176]: debug1: channel 0: new [server-session]
Feb 13 15:31:10 gizmo sshd[28176]: debug1: session_new: init
Feb 13 15:31:10 gizmo sshd[28176]: debug1: session_new: session 0
Feb 13 15:31:10 gizmo sshd[28176]: debug1: session_open: channel 0
Feb 13 15:31:10 gizmo sshd[28176]: debug1: session_open: session 0: link with channel 0
Feb 13 15:31:10 gizmo sshd[28176]: debug1: server_input_channel_open: confirm session
Feb 13 15:31:10 gizmo sshd[28176]: debug1: server_input_channel_req: channel 0 request exec reply 0
Feb 13 15:31:10 gizmo sshd[28176]: debug1: session_by_channel: session 0 channel 0
Feb 13 15:31:10 gizmo sshd[28176]: debug1: session_input_channel_req: session 0 req exec
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_by_channel: session 0 channel 0
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_close_by_channel: channel 0 child 28177
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_close_by_channel: channel 0: has child
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_by_channel: session 0 channel 0
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_close_by_channel: channel 0 child 28177
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_close_by_channel: channel 0: has child
Feb 13 15:31:11 gizmo sshd[28176]: debug1: Received SIGCHLD.
Feb 13 15:31:11 gizmo sshd[28176]: Connection closed by ::ffff:10.0.0.106
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_by_pid: pid 28177
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_exit_message: session 0 channel 0 pid 28177
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_exit_message: release channel 0
Feb 13 15:31:11 gizmo sshd[28176]: debug1: session_close: session 0 pid 28177
Feb 13 15:31:11 gizmo sshd[28176]: debug1: channel 0: free: server-session, nchannels 1
Feb 13 15:31:11 gizmo sshd[28176]: debug1: do_cleanup
Feb 13 15:31:11 gizmo sshd[28176]: debug1: PAM: cleanup
Feb 13 15:31:11 gizmo sshd[28176]: (pam_unix) session closed for user oyvindh
Feb 13 15:31:11 gizmo sshd[28176]: Closing connection to ::ffff:10.0.0.106
Feb 13 15:31:11 gizmo sshd[28176]: debug1: PAM: cleanup
The log differs after the line

Feb 13 15:34:11 gizmo sshd[28543]: debug1: PAM: setting PAM_TTY to "ssh"

This issue was already reported, but a working solution is not known (Jsch author proposed a solution but...).
Hi, I'm the author of JSch. Today, I found this issue and I'm interested in it, but I don't have a Debian system, so I need your help. May I ask you for the output from 'sshd -d -d -d' with internal ssh and external ssh?
Hijacking this issue for InternalSSH enhancements...

Hi developers,

Here is a patch to improve the response time in using 'Internal SSH' for the 'ext' connection type. In the current implementation, for each remote execution of 'cvs server', an ssh connection has been established, and you know that the establishment of an ssh connection will take much CPU time and memory for DH key exchanging. In the attached patch, an established ssh connection will be reused to save computer resources. Please try it.

PS. Do you have a plan to support public-key authentication? If you have, I'll write you a patch for it.

Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
Created attachment 29063: a patch to improve the response time
Hi there,

Here is a patch to add public-key authentication support to internal ssh. Please note the following points.

* This patch expects that there exist private keys under the System.getProperty("user.home")+java.io.File.separator + ".ssh" directory. There should be some wizard dialog to change this directory.
* If there exist private keys named 'id_dsa' or 'id_rsa', they will be loaded. Those keys must be in OpenSSH format. Putty has used its own format, but Putty can convert its private key to OpenSSH format.
* If the private key is encrypted, the given password will be used to decrypt it. There should be a dialog to ask for the pass-phrase.

Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
Created attachment 29064: a patch to add public-key authentication support
Hi oyvindh,

Today, I installed Debian GNU/Linux 3.1 "Sarge" and tried to get a connection to its sshd (OpenSSH_3.8.1p1 Debian-8.sarge.4), but I could not reproduce your problem. Of course, I did not change any line in /etc/ssh/sshd_config. Is your problem reproducible? If so, I'm really interested in the outputs from 'sshd -d -d -d'.
Created attachment 29239: (open)sshd debug logs
As you can see I've uploaded typescripts using openssh and netbeans to connect to an openssh server started with "sshd -d -d -d". I've logged four different cases:

PasswordAuthentication yes, using NetBeans
PasswordAuthentication no, using NetBeans
PasswordAuthentication yes, using OpenSSH
PasswordAuthentication no, using OpenSSH
Hi oyvindh,

Thank you for your help. You may know that, at first, an ssh2 client will try a 'none' auth request to learn what kind of auth methods are supported by the remote sshd. Thanks to your 'netbeans-no.typescript', it seems jsch (the ssh2 client included in netbeans) has successfully sent the 'none' auth request, but failed to get the supported list of auth methods.

May I ask you to show me the output from OpenSSH's ssh command, 'ssh -v -v -v remotehost', where sshd on remotehost does not support password auth? I'm interested in the line starting with 'debug1: Authentications that can continue: '
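The 'none' probe described in the comment above, as an added example that is not part of the original thread or of JSch: it parses the server's SSH_MSG_USERAUTH_FAILURE reply (RFC 4252) and picks a method the client can use. The class and method names and both sample payloads are constructed for illustration; they are not taken from the attached logs.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class NoneAuthProbe {
    static final int SSH_MSG_USERAUTH_FAILURE = 51; // message number from RFC 4252

    /** Returns the "authentications that can continue" name-list from the payload. */
    static List<String> methodsThatCanContinue(byte[] payload) {
        ByteBuffer buf = ByteBuffer.wrap(payload); // network byte order by default
        if (buf.remaining() < 6 || (buf.get() & 0xff) != SSH_MSG_USERAUTH_FAILURE)
            throw new IllegalArgumentException("not SSH_MSG_USERAUTH_FAILURE");
        int len = buf.getInt();
        // One byte must remain after the name-list for the partial-success flag.
        if (len < 0 || len > buf.remaining() - 1)
            throw new IllegalArgumentException("bad name-list length");
        byte[] names = new byte[len];
        buf.get(names);
        String list = new String(names, StandardCharsets.US_ASCII);
        return list.isEmpty() ? List.of() : Arrays.asList(list.split(","));
    }

    /** First method in the client's preference order that the server offers, or null. */
    static String choose(List<String> clientOrder, List<String> offered) {
        for (String m : clientOrder) if (offered.contains(m)) return m;
        return null;
    }

    /** Builds a constructed sample reply: type, uint32 length, names, flag = false. */
    static byte[] failure(String nameList) {
        byte[] n = nameList.getBytes(StandardCharsets.US_ASCII);
        return ByteBuffer.allocate(6 + n.length)
                .put((byte) SSH_MSG_USERAUTH_FAILURE).putInt(n.length).put(n).put((byte) 0)
                .array();
    }

    public static void main(String[] args) {
        List<String> passwordOnlyClient = List.of("password"); // assumed client capability
        String[] constructedReplies = {
            "publickey,password,keyboard-interactive",
            "publickey,keyboard-interactive" };
        for (String reply : constructedReplies) {
            List<String> offered = methodsThatCanContinue(failure(reply));
            String pick = choose(passwordOnlyClient, offered);
            // A client with no overlap should report the offered list, not just disconnect.
            System.out.println(offered + " -> " + (pick != null ? pick : "no usable method"));
        }
    }
}
```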
Hi,

The current implementation of 'Internal SSH client' included in javacvs module does not allow users to check the remote host key. It just accepts the given host key and does not do any check for it. It is terrible for man-in-the-middle attack, isn't it? The attached patch will change this behavior, as follows,

- referring to ~/.ssh/known_hosts file and storing accepted host key into it.
- showing a warning window if remote host key is not included in known_hosts file.

Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
Created attachment 29304: man-in-the-middle attack fix
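A JSch session set up with the host-key checking and the public-key loading described in the two patch comments above, as an added example; it is not the attached patches and not NetBeans code. It assumes the JSch library on the classpath and a recent JSch release; the class names and the console prompts standing in for the wizard dialogs are illustrative.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.UserInfo;
import java.io.Console;
import java.io.File;

public class VerifiedSshSession {
    /** Console stand-in for the dialogs the comments above ask for (illustrative). */
    static class ConsoleUserInfo implements UserInfo {
        private final Console con = System.console(); // null when not interactive
        private String secret;
        public String getPassword() { return secret; }
        public String getPassphrase() { return secret; }
        public boolean promptPassword(String msg) { return readSecret(msg); }
        public boolean promptPassphrase(String msg) { return readSecret(msg); }
        public void showMessage(String msg) { System.err.println(msg); }
        // Called for a host key that is missing from, or differs from, known_hosts.
        public boolean promptYesNo(String msg) {
            if (con == null) return false; // nobody to ask: refuse the key
            return "yes".equals(con.readLine("%s%nType 'yes' to accept: ", msg));
        }
        private boolean readSecret(String msg) {
            char[] in = (con == null) ? null : con.readPassword("%s: ", msg);
            secret = (in == null) ? null : new String(in);
            return secret != null;
        }
    }

    static Session open(String user, String host, int port) throws JSchException {
        File sshDir = new File(System.getProperty("user.home"), ".ssh");
        JSch jsch = new JSch();
        // Verify host keys against known_hosts; accepted keys are stored there.
        jsch.setKnownHosts(new File(sshDir, "known_hosts").getPath());
        // Load OpenSSH-format private keys when present (file names from the thread).
        for (String name : new String[] {"id_dsa", "id_rsa"}) {
            File key = new File(sshDir, name);
            if (key.isFile()) jsch.addIdentity(key.getPath());
        }
        Session session = jsch.getSession(user, host, port);
        session.setUserInfo(new ConsoleUserInfo());
        // Weak setting: "no" accepts whatever key the peer presents, without any check.
        // Used here: "ask" sends unknown or changed keys through promptYesNo().
        session.setConfig("StrictHostKeyChecking", "ask");
        session.connect(15000); // throws JSchException if the key is refused
        return session;
    }

    public static void main(String[] args) throws JSchException {
        open(args[0], args[1], 22).disconnect(); // args: user host
    }
}
```

For unattended use, setting StrictHostKeyChecking to "yes" makes JSch reject unknown and changed keys without prompting, so the server's key has to be in known_hosts beforehand.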
Peter, could you evaluate: should we not include all these patches in 5.5?
Hi oyvindh,

I had misunderstood that your Netbeans had been applied the following patch,

http://javacvs.netbeans.org/source/browse/javacvs/cvsmodule/src/org/netbeans/modules/versioning/system/cvss/SSHConnection.java?r1=1.6&r2=1.7

but it seems you are just using vanilla Netbeans 5.0. There is no working solution in it. Please apply that patch by yourself or wait for the next release. I don't know if Netbeans 5.5 has included it or not.
Created attachment 29306: Openssh connecting (ssh -v -v -v) to server with password auth disabled
Hi oyvindh,

Thank you for the feedback. According to that log, IMHO, by applying that patch, you must be able to get access to the remote host.
Hi,

You know that I have written patches[1] for javacvs module to its ML, but are there possibilities that they will be accepted? If you don't have enough human resources, I'll contribute some more code to your project.

Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.

Atsuhiko, I highly appreciate your attitude. The code is considered to be in high-resistance mode, no changes until they cause severe errors to end users. Peter, could you judge, please? Do SSH fixes fit into the critical fixes category? BTW, have you signed the CA <http://www.netbeans.org/about/legal/index.html>?
FYI, I have signed it and sent it[1] to NB_JCA@sun.com on 24th March.

Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
>The code is considered to be in high-resistance mode, no changes until they
>cause severe errors to end users.

Is there a branch to continue efforts for developments?
Created attachment 29721: Support for checking out without 'Remember Password' option
Created attachment 29812: Replace the previous patch with this.