Skip to content

GH-905 Implement authorized_keys from and expiry-time checks#907

Open
Unbbal wants to merge 1 commit into
apache:masterfrom
Unbbal:codex/gh-905-authorized-keys-options
Open

GH-905 Implement authorized_keys from and expiry-time checks#907
Unbbal wants to merge 1 commit into
apache:masterfrom
Unbbal:codex/gh-905-authorized-keys-options

Conversation

@Unbbal

@Unbbal Unbbal commented Jul 5, 2026

Copy link
Copy Markdown

This PR implements the missing authorized_keys option checks tracked in GH-905.

Changes:

  • Enforce the expiry-time option before accepting a matching authorized_keys entry.
  • Enforce the from option using the client address, with support for address/hostname patterns, negation, and CIDR ranges.
  • Prefer ServerSession#getClientAddress(), falling back to getRemoteAddress().
  • Reject invalid from patterns and invalid expiry-time values fail-closed.
  • Add unit tests for matching from, rejected from, CIDR, negation, invalid from, future expiry-time, and expired keys.

Tests:

  • .\mvnw.cmd -pl sshd-core -am -Dtest=AuthorizedKeyEntriesPublickeyAuthenticatorTest '-Dsurefire.failIfNoSpecifiedTests=false' test

@tomaswolf tomaswolf left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for this contribution! Looks good; the test could be simplified.

return gen.generateKeyPair();
}

private static ServerSession session(InetSocketAddress remote) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use Mockito for this. Simply

    private static ServerSession session(InetSocketAddress remote) {
        ServerSession session = Mockito.mock(ServerSession.class);
        Mockito.when(session.getClientAddress()).thenReturn(remote);
        Mockito.when(session.getRemoteAddress()).thenReturn(remote);
        return session;
    }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants