Spring Integration / INT-3796

SFTP blindly accepts new keys and key changes

Description

The DefaultSftpSessionFactory creates an OptimisticUserInfoImpl when creating a new com.jcraft.jsch.Session in the private initJschSession() method.
The OptimisticUserInfoImpl returns true to UserInfo.promptYesNo(), which is called by JSch classes when an unknown host is encountered or there is a key change for a known host.

Accepting all host keys and key changes defeats the security benefits offered by SSH.

I would like to expose UserInfo as a property on DefaultSftpSessionFactory to allow client code to set it to something more secure, e.g. an implementation that logs an error and returns false.

I will try to get some replacement code and a test case in place on a fork, but I'm not sure how you want to handle the default behaviour: securing this component by default would be a breaking change.
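As an added illustration of the alternative the report asks for (this is not code from the report or from Spring Integration), the class below is a JSch UserInfo that logs and refuses every host-key prompt, together with plain JSch wiring that additionally enables StrictHostKeyChecking against a known_hosts file so that an unknown or changed key fails the connection instead of being silently trusted. The host, port, user and known_hosts path are placeholders.

```java
// Added example, not part of INT-3796 or of Spring Integration's own code.
// Strict replacement for an "always yes" UserInfo: JSch calls promptYesNo()
// for "unknown host, add it?" and "host key changed, continue?"; answering
// false makes the connection fail and leaves a log line for the operator.
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.UserInfo;
import java.util.logging.Logger;

public class StrictHostKeyUserInfo implements UserInfo {

    private static final Logger LOG = Logger.getLogger(StrictHostKeyUserInfo.class.getName());

    @Override
    public boolean promptYesNo(String message) {
        // Refuse unknown hosts and key changes; the message from JSch names the host.
        LOG.severe("Refusing SSH host key prompt: " + message);
        return false;
    }

    // No interactive credentials: authentication is expected to be configured
    // on the Session (password or private key), not collected via prompts.
    @Override public String getPassphrase() { return null; }
    @Override public String getPassword() { return null; }
    @Override public boolean promptPassword(String message) { return false; }
    @Override public boolean promptPassphrase(String message) { return false; }
    @Override public void showMessage(String message) { LOG.info(message); }

    // Plain JSch wiring (placeholder host/port/user/knownHostsPath).
    // StrictHostKeyChecking=yes makes JSch consult the known_hosts file and
    // reject anything not listed there without prompting; the UserInfo above
    // is the second line of defence if a caller leaves the default "ask".
    public static Session openSession(String host, int port, String user, String knownHostsPath)
            throws JSchException {
        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHostsPath);
        Session session = jsch.getSession(user, host, port);
        session.setConfig("StrictHostKeyChecking", "yes");
        session.setUserInfo(new StrictHostKeyUserInfo());
        return session; // caller sets credentials and calls connect()
    }
}
```

The UserInfo only matters when JSch is configured to ask; pinning keys through a maintained known_hosts file with strict checking is what actually removes the trust-on-first-use and key-change risk described above, and the logging in promptYesNo() gives a detectable signal when a server's key unexpectedly changes.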

People

Assignee: Gary Russell (grussell)
Reporter: Pat Turner (itchyknee)
