From b24bfe9d975f60b2afcbef08787024bc61e82dfb Mon Sep 17 00:00:00 2001
From: Tomas Cere
Date: Mon, 10 Jul 2017 16:02:19 +0200
Subject: [PATCH] Use RSA for ssh server

The bouncy-castle bump increased the default size of DSA to 2048 which some clients can choke on. We shouldn't use DSA anyhow so switch it up to 4096 RSA everywhere.

Change-Id: I936eb240a534367fff550d25dcedc3de069c6654
Signed-off-by: Tomas Cere
---
 .../netconf/ssh/NetconfNorthboundSshServer.java | 7 ++++++-
 .../netconf/ssh/osgi/NetconfSSHActivator.java | 9 ++-------
 .../java/org/opendaylight/netconf/netty/SSHTest.java | 11 +++--------
 .../netconf/ssh/authentication/SSHServerTest.java | 11 +++--------
 .../netconf/test/tool/NetconfDeviceSimulator.java | 10 ++--------
 5 files changed, 16 insertions(+), 32 deletions(-)

diff --git a/netconf/netconf-ssh/src/main/java/org/opendaylight/netconf/ssh/NetconfNorthboundSshServer.java b/netconf/netconf-ssh/src/main/java/org/opendaylight/netconf/ssh/NetconfNorthboundSshServer.java
index f7b6a443d5..72878b1e6c 100644
--- a/netconf/netconf-ssh/src/main/java/org/opendaylight/netconf/ssh/NetconfNorthboundSshServer.java
+++ b/netconf/netconf-ssh/src/main/java/org/opendaylight/netconf/ssh/NetconfNorthboundSshServer.java
@@ -28,6 +28,10 @@ public class NetconfNorthboundSshServer {

 private static final Logger LOG = LoggerFactory.getLogger(NetconfNorthboundSshServer.class);

+ private static final String DEFAULT_PRIVATE_KEY_PATH = "./configuration/netconf-mdsal-nb/RSA.pk";
+ private static final String DEFAULT_ALGORITHM = "RSA";
+ private static final int DEFAULT_KEY_SIZE = 4096;
+
 private final ChannelFuture localServer;
 private final SshProxyServer sshProxyServer;
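Review bot: DEFAULT_PRIVATE_KEY_PATH is a relative path ("./configuration/netconf-mdsal-nb/RSA.pk"), so where the host private key is written, and whether the same key is found again on the next start, depends on the JVM's working directory; neither this hunk nor the following setKeyPairProvider hunk documents that or checks that the parent directory exists, so a missing directory at startup may leave the provider unable to persist the key (how it reacts is not visible here; confirm). Presumably PEMGeneratorHostKeyProvider loads an existing file and otherwise generates and writes one, which means this change also turns the previous per-start host key into a persistent one that clients will pin in their known_hosts, an improvement worth stating on the constant. Since the key now lands on disk, confirm the provider creates the file with owner-only permissions, or tighten them after creation. Suggested comment on the constant: `// Host private key is persisted here (relative to the process working directory) so the same host key is presented across restarts; keep the file readable only by the server user.`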
@@ -50,7 +54,8 @@ public class NetconfNorthboundSshServer {
 sshProxyServerConfigurationBuilder.setLocalAddress(localAddress);
 sshProxyServerConfigurationBuilder.setAuthenticator(authProvider);
 sshProxyServerConfigurationBuilder.setIdleTimeout(Integer.MAX_VALUE);
- sshProxyServerConfigurationBuilder.setKeyPairProvider(new PEMGeneratorHostKeyProvider());
+ sshProxyServerConfigurationBuilder.setKeyPairProvider(new PEMGeneratorHostKeyProvider(DEFAULT_PRIVATE_KEY_PATH,
+ DEFAULT_ALGORITHM, DEFAULT_KEY_SIZE));

 localServer.addListener(future -> {
 if (future.isDone() && !future.isCancelled()) {
diff --git a/netconf/netconf-ssh/src/main/java/org/opendaylight/netconf/ssh/osgi/NetconfSSHActivator.java b/netconf/netconf-ssh/src/main/java/org/opendaylight/netconf/ssh/osgi/NetconfSSHActivator.java
index f31f7b95b1..e498b56e73 100644
--- a/netconf/netconf-ssh/src/main/java/org/opendaylight/netconf/ssh/osgi/NetconfSSHActivator.java
+++ b/netconf/netconf-ssh/src/main/java/org/opendaylight/netconf/ssh/osgi/NetconfSSHActivator.java
@@ -14,7 +14,6 @@ import java.net.InetSocketAddress;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.ThreadFactory;
 import org.apache.sshd.common.util.ThreadUtils;
 import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
 import org.opendaylight.netconf.ssh.SshProxyServer;
@@ -44,12 +43,8 @@ public class NetconfSSHActivator implements BundleActivator {

 @Override
 public void start(final BundleContext bundleContext) throws IOException, InvalidSyntaxException {
- minaTimerExecutor = Executors.newScheduledThreadPool(POOL_SIZE, new ThreadFactory() {
- @Override
- public Thread newThread(final Runnable runnable) {
- return new Thread(runnable, "netconf-ssh-server-mina-timers");
- }
- });
+ minaTimerExecutor = Executors.newScheduledThreadPool(POOL_SIZE,
+ runnable -> new Thread(runnable, "netconf-ssh-server-mina-timers"));
 clientGroup = new NioEventLoopGroup();
 nioExecutor = ThreadUtils.newFixedThreadPool("netconf-ssh-server-nio-group", POOL_SIZE);
 server = startSSHServer(bundleContext);
diff --git a/netconf/netconf-ssh/src/test/java/org/opendaylight/netconf/netty/SSHTest.java b/netconf/netconf-ssh/src/test/java/org/opendaylight/netconf/netty/SSHTest.java
index 3b1a695028..d9a0756978 100644
--- a/netconf/netconf-ssh/src/test/java/org/opendaylight/netconf/netty/SSHTest.java
+++ b/netconf/netconf-ssh/src/test/java/org/opendaylight/netconf/netty/SSHTest.java
@@ -30,7 +30,6 @@ import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
-import org.opendaylight.netconf.auth.AuthProvider;
 import org.opendaylight.netconf.netty.EchoClientHandler.State;
 import org.opendaylight.netconf.nettyutil.handler.ssh.authentication.LoginPassword;
 import org.opendaylight.netconf.nettyutil.handler.ssh.client.AsyncSshHandler;
@@ -75,13 +74,9 @@ public class SSHTest {
 final SshProxyServer sshProxyServer = new SshProxyServer(minaTimerEx, nettyGroup, nioExec);
 sshProxyServer.bind(new SshProxyServerConfigurationBuilder()
 .setBindingAddress(addr).setLocalAddress(NetconfConfiguration.NETCONF_LOCAL_ADDRESS)
- .setAuthenticator(new AuthProvider() {
- @Override
- public boolean authenticated(final String username, final String password) {
- return true;
- }
- })
- .setKeyPairProvider(new PEMGeneratorHostKeyProvider(sshKeyPair.toPath().toAbsolutePath().toString()))
+ .setAuthenticator((username, password) -> true)
+ .setKeyPairProvider(new PEMGeneratorHostKeyProvider(sshKeyPair.toPath().toAbsolutePath().toString(),
+ "RSA", 4096))
 .setIdleTimeout(Integer.MAX_VALUE).createSshProxyServerConfiguration());

 final EchoClientHandler echoClientHandler = connectClient(addr);
diff --git a/netconf/netconf-ssh/src/test/java/org/opendaylight/netconf/ssh/authentication/SSHServerTest.java b/netconf/netconf-ssh/src/test/java/org/opendaylight/netconf/ssh/authentication/SSHServerTest.java
index 7af4598997..1d31f6b77a 100644
--- a/netconf/netconf-ssh/src/test/java/org/opendaylight/netconf/ssh/authentication/SSHServerTest.java
+++ b/netconf/netconf-ssh/src/test/java/org/opendaylight/netconf/ssh/authentication/SSHServerTest.java
@@ -30,7 +30,6 @@ import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
-import org.opendaylight.netconf.auth.AuthProvider;
 import org.opendaylight.netconf.ssh.SshProxyServer;
 import org.opendaylight.netconf.ssh.SshProxyServerConfigurationBuilder;
 import org.opendaylight.netconf.util.osgi.NetconfConfiguration;
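Review bot: Generating a fresh 4096-bit RSA host key on every test start, `new PEMGeneratorHostKeyProvider(sshKeyPair.toPath().toAbsolutePath().toString(), "RSA", 4096)`, adds noticeable keygen time to the fixture for no coverage benefit, and the same two literals are repeated in the SSHServerTest hunk and in NetconfDeviceSimulator.getPemGeneratorHostKeyProvider. Consider one shared test constant for the algorithm and size (or reusing the DEFAULT_ALGORITHM/DEFAULT_KEY_SIZE constants added to NetconfNorthboundSshServer if they are made accessible), and a smaller size for the test fixtures, since the message only reports client trouble with the DSA default. The accept-all `.setAuthenticator((username, password) -> true)` is fine for a test but deserves a one-line comment marking it test-only so it is not copied into production code.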
@@ -74,13 +73,9 @@ public class SSHServerTest {
 server = new SshProxyServer(minaTimerEx, clientGroup, nioExec);
 server.bind(new SshProxyServerConfigurationBuilder()
 .setBindingAddress(addr).setLocalAddress(NetconfConfiguration.NETCONF_LOCAL_ADDRESS)
- .setAuthenticator(new AuthProvider() {
- @Override
- public boolean authenticated(final String username, final String password) {
- return true;
- }
- })
- .setKeyPairProvider(new PEMGeneratorHostKeyProvider(sshKeyPair.toPath().toAbsolutePath().toString()))
+ .setAuthenticator((username, password) -> true)
+ .setKeyPairProvider(new PEMGeneratorHostKeyProvider(sshKeyPair.toPath().toAbsolutePath().toString(),
+ "RSA", 4096))
 .setIdleTimeout(Integer.MAX_VALUE).createSshProxyServerConfiguration());
 LOG.info("SSH server started on {}", PORT);
 }
diff --git a/netconf/tools/netconf-testtool/src/main/java/org/opendaylight/netconf/test/tool/NetconfDeviceSimulator.java b/netconf/tools/netconf-testtool/src/main/java/org/opendaylight/netconf/test/tool/NetconfDeviceSimulator.java
index 6e01531dc7..53ca53ab70 100644
--- a/netconf/tools/netconf-testtool/src/main/java/org/opendaylight/netconf/test/tool/NetconfDeviceSimulator.java
+++ b/netconf/tools/netconf-testtool/src/main/java/org/opendaylight/netconf/test/tool/NetconfDeviceSimulator.java
@@ -43,7 +43,6 @@ import org.opendaylight.controller.config.util.capability.Capability;
 import org.opendaylight.controller.config.util.capability.YangModuleCapability;
 import org.opendaylight.netconf.api.monitoring.NetconfMonitoringService;
 import org.opendaylight.netconf.api.xml.XmlNetconfConstants;
-import org.opendaylight.netconf.auth.AuthProvider;
 import org.opendaylight.netconf.impl.NetconfServerDispatcherImpl;
 import org.opendaylight.netconf.impl.NetconfServerSessionNegotiatorFactory;
 import org.opendaylight.netconf.impl.SessionIdProvider;
@@ -263,12 +262,7 @@ public class NetconfDeviceSimulator implements Closeable {
 return new SshProxyServerConfigurationBuilder()
 .setBindingAddress(bindingAddress)
 .setLocalAddress(tcpLocalAddress)
- .setAuthenticator(new AuthProvider() {
- @Override
- public boolean authenticated(final String username, final String password) {
- return true;
- }
- })
+ .setAuthenticator((username, password) -> true)
 .setKeyPairProvider(keyPairProvider)
 .setIdleTimeout(Integer.MAX_VALUE)
 .createSshProxyServerConfiguration();
@@ -277,7 +271,7 @@ public class NetconfDeviceSimulator implements Closeable {
 private PEMGeneratorHostKeyProvider getPemGeneratorHostKeyProvider() {
 try {
 final Path tempFile = Files.createTempFile("tempKeyNetconfTest", "suffix");
- return new PEMGeneratorHostKeyProvider(tempFile.toAbsolutePath().toString());
+ return new PEMGeneratorHostKeyProvider(tempFile.toAbsolutePath().toString(), "RSA", 4096);
 } catch (final IOException e) {
 LOG.error("Unable to generate PEM key", e);
 throw new RuntimeException(e);
-- 
2.36.6
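Review bot: The RSA private key generated through the new `new PEMGeneratorHostKeyProvider(tempFile.toAbsolutePath().toString(), "RSA", 4096)` line is written to a temp file that nothing in this hunk removes, so the simulator's host key stays in the temp directory after the process exits. Adding `tempFile.toFile().deleteOnExit();` right after the `Files.createTempFile(...)` call would clean it up, and it is worth confirming that the provider does not recreate the file with laxer permissions than Files.createTempFile gave it (the provider's write behaviour is not visible here). getPemGeneratorHostKeyProvider's catch block and the method's end lie outside the hunk.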