eclipse.platform
Replace or remove org.eclipse.jsch plugins?
Suggestion
The JSch library seems to be abandoned; the last uploads to SourceForge and Maven Central were in Nov 2018. There is a fork available at https://github.com/mwiede/jsch, which regularly publishes updates. Nevertheless, I think it would be good to get rid of outdated dependencies, especially in security-sensitive areas (I'm surprised there is no CVE listed yet).
The only users in the Eclipse SDK seem to be org.eclipse.jsch.core and org.eclipse.jsch.ui, which seem to provide the ability to create password-protected SSH connections, but I have not yet analyzed their full usage and capabilities.
Depending on the usages I see two options for
- Deprecate this Plugin for removal without replacement
- Replace it by an API not bound to a specific third-party library and e.g. use MINA SSHD under the hood (which also has proper OSGi metadata, so a simplification for SimRel-Orbit). This API would then probably be under another package name (in whichever plugin it is).
Community
- [x] I understand suggesting an enhancement doesn't mandate anyone to implement it. Other contributors may consider this suggestion, or not, at their own convenience. The most efficient way to get it fixed is that I implement it myself and contribute it back as a good quality patch to the project.
I also noticed that org.eclipse.jsch.tests is basically empty and does not even have a reference to org.eclipse.jsch.core/ui...
Last time I asked about a jsch upgrade on jgit, they told me that jgit no longer supports this but uses MINA SSHD instead.
There seem to be quite a few dependencies on this in SimRel:
@tomaswolf You probably know this best from the jgit side, so can you give advice, please?
JGit can still use JSch. Bundle org.eclipse.jgit.ssh.jsch still exists, but we don't actively maintain it anymore. Within Eclipse, JGit as used via EGit exclusively uses Apache MINA sshd via bundle org.eclipse.jgit.ssh.apache.
EGit has some bridge code that ties some of the JSch preferences defined via org.eclipse.jsch.ui (which provides the General→Network Connections→SSH2 preference dialog) together with the Apache MINA sshd framework. IIRC that "dependency" in EGit is completely optional; there is no code dependency; instead EGit reads the appropriate preferences directly. Note that the SSH key generation parts from the SSH2 preference page are outdated; there should be no option to generate DSA keys anymore, but there should be options for ed25519 and possibly ECDSA keys.
However, as Ed had pointed out, there are other users who depend on JSch and org.eclipse.jsch.*.
More comments about replacing JSch by Apache MINA sshd can be found in bug 540727. The integration in JGit provides a stable API abstraction to encapsulate upstream API breaks, but that stable API is tailored towards the usage in JGit. It may not be appropriate for general-purpose use. Since the comments in bug 540727 were written, the JGit implementation has also advanced and added support for SSH agents and PKCS11 hardware security modules (like YubiKey PIV). And we try to keep current and regularly update to new upstream versions; currently JGit is using Apache MINA sshd 2.11.0.
Some more technical things:
The JSch implementation has a number of bugs. Some of those bugs still exist in the mwiede fork. Concurrency and thread handling in JSch is fundamentally broken.
The Apache MINA APIs are unstable (may change between minor versions), incredibly baroque, and messy. The implementation is rather messy, too. But at least it is maintained (not many very active committers, though), and if you find a bug and provide a PR, it will be considered. Basically everything is "public" API, which explains why the API cannot be stable, but it allows users to override/customize just about everything. (It also makes it very easy to break things.)
One notable missing feature in Apache MINA sshd is client-side support for connecting through a SOCKS or HTTP CONNECT proxy. JGit has customized this and provides a way to do so in its org.eclipse.jgit.ssh.apache bundle. This implementation could theoretically be ported upstream.
jsch uses an ssh connection under the covers, which uses the less secure ssh-rsa signature algorithm, and the module does not support newer and more secure signature algorithms such as rsa-sha2-512.
Moreover, https://www.openssh.com/txt/release-8.2 has published the future deprecation of SHA-1-based hashing, and it's a matter of time before a CVE is published?
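The ssh-rsa versus rsa-sha2-512 distinction raised in the thread can be checked on a captured SSH_MSG_KEXINIT payload, which lists the host key signature algorithms a peer offers. The following is an added example, not code from this thread or from JSch, JGit or Apache MINA sshd; the function names and the sample packets are constructed for illustration. It covers host key algorithms only, since signature algorithms for user authentication are negotiated separately.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-list order in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "server_host_key", "enc_c2s", "enc_s2c", "mac_c2s",
          "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SHA1_SIGNATURES = {"ssh-rsa", "ssh-dss"}       # both sign over a SHA-1 hash
RSA_SHA2 = {"rsa-sha2-256", "rsa-sha2-512"}    # RFC 8332


def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its ten algorithm name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, fields = 17, {}                    # skip type byte + 16-byte cookie
    for name in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"name-list {name} overruns the payload")
        raw = payload[offset:offset + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        offset += length
    return fields


def audit_host_key_algorithms(payload: bytes) -> dict:
    """Report which offered host key algorithms rely on SHA-1."""
    offered = parse_kexinit(payload)["server_host_key"]
    sha1 = [a for a in offered if a in SHA1_SIGNATURES]
    return {"offered": offered, "sha1_based": sha1,
            "rsa_sha2": [a for a in offered if a in RSA_SHA2],
            "sha1_only": bool(offered) and len(sha1) == len(offered)}


def build_sample_kexinit(host_key_algs: list) -> bytes:
    """Constructed test input: a minimal KEXINIT with the given host key list."""
    lists = ["curve25519-sha256", ",".join(host_key_algs), "aes128-ctr",
             "aes128-ctr", "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(s)) + s.encode("ascii") for s in lists)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)


LEGACY = build_sample_kexinit(["ssh-rsa", "ssh-dss"])            # constructed
MODERN = build_sample_kexinit(["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"])

if __name__ == "__main__":
    for label, pkt in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, audit_host_key_algorithms(pkt))
```

A peer whose report has `sha1_only` set offers no host key algorithm that survives the removal of SHA-1 signatures.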