Re: [JSch-users] Getting "Auth fail" after 7 successful connections.
From: Eric M. <me...@cs...> - 2006-05-22 13:14:10
Hi,

It's a start but doesn't really address the concern. If these are the only changes to JSch, the UserInfo interface still requires the passwords and passphrases to be returned as Strings, hence the security concerns.

I really like Martin's idea of a separate interface and think that is the way to go. Split out all methods that won't change from UserInfo into a new User interface. Extend the User interface by UserInfo and UserInfo2 and then deprecate the UserInfo interface.

Here is a list of what I would like to see changed in JSch in regard to the Strings:

* all internal storage of the passwords or passphrases from Strings to byte[]
* all methods requiring password or passphrases as Strings be overridden to also accept char[]
* add a UserInfo2 getPassword, getPassphrase returning char[]
* add a UIKeyboardInteractive2 promptKeyboardInteractive returning char[][] instead of String[]

On another note, I've implemented most of these changes in my local copy of JSch (working on the separate interfaces now) but merging them back would take some work since, as you know, I've formatted the source with Jalopy

http://sourceforge.net/projects/jalopy

In the interests of making the JSch source more hacker friendly, you should use some set of formatting rules and publish them. If you were to define a coding standard for JSch, I would conform to it and then considering these changes would be much simpler. I would highly recommend Jalopy because you could post your formatting rules, making it much easier to conform.

Eric

"The past is a guidepost, not a hitching post." - L. Thomas Holcroft

On May 22, 2006, at 5:43 AM, Atsuhiko Yamanaka wrote:

> Hi,
>
> +-From: "Oberhuber, Martin" <Mar...@wi...> --
> |_Date: Mon, 22 May 2006 11:14:17 +0200 _______________________
> |
> |I'd very much like to see the char[] change for the
> |password/passphrase in Jsch, since I think that security is a really big
> |issue.
>
> I have modified the code[1] to add
> * Session.setPassword(byte[]) and
> * JSch.addIdentity(String identity, byte[] passphrase),
> are they not enough?
>
> [1] http://www.jcraft.com/jsch/jsch-0.1.29-rc4.zip
>
>
> Sincerely,
> --
> Atsuhiko Yamanaka
> JCraft,Inc.
> 1-14-20 HONCHO AOBA-KU,
> SENDAI, MIYAGI 980-0014 Japan.
> Tel +81-22-723-2150
> +1-415-578-3454
> Fax +81-22-224-8773
> Skype callto://jcraft/
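The concern discussed in this thread, as an added example that is not code from JSch or from either poster: a secret held in a `char[]` can be encoded to `byte[]` and wiped after use, whereas an immutable `String` stays in the heap until it is garbage collected. The `UserInfo2` interface here is hypothetical, modelled on the proposal above; `SecretDemo`, `toBytes` and the sample password are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SecretDemo {
    // Hypothetical interface modelled on the UserInfo2 proposed in the thread.
    interface UserInfo2 {
        char[] getPassword();   // char[] instead of String, so the caller can wipe it
    }

    /** Encode a secret to UTF-8 without ever building a String. Caller wipes the result. */
    static byte[] toBytes(char[] secret) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            // The encoder's backing array holds a second copy of the secret.
            Arrays.fill(buf.array(), (byte) 0);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample secret; a real implementation would read it from a prompt.
        UserInfo2 ui = () -> new char[] {'s', '3', 'c', 'r', '3', 't'};

        char[] pw = ui.getPassword();
        byte[] raw = null;
        try {
            raw = toBytes(pw);
            // This is the point where the bytes would be passed to
            // Session.setPassword(byte[]) from the quoted reply.
            System.out.println("encoded " + raw.length + " bytes");
        } finally {
            // Wipe every copy this code owns, even if authentication throws.
            Arrays.fill(pw, '\0');
            if (raw != null) {
                Arrays.fill(raw, (byte) 0);
            }
        }
        System.out.println("password cleared: " + (pw[0] == '\0'));
    }
}
```

Wiping only covers the copies the caller controls; whether the library keeps its own copy of the array depends on its internal storage, which is the first item in the list above.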