Update of jsch version and generate-keypair API (#63)

* Updated jsch version and addressed issues with API change

Identified previous version of clj-ssh (0.5.15) had two
vulneratbilities listed in maven repository
(CVE-2017-5929 and CVE-2016-5726)

Vulnerabilities were addressed in newer versions of;
com.jcraft/jsch (0.1.55)
ch.qos.logback/logback-classic (1.4.7)

Newer version of jsch broke authentication with older
RSA private key header (fix is listed in readme)

Newer version of jsch lists setPassphrase method in
com.jcraft.jsch/KeyPair as deprecated.  Made changes to
ssh/generate-keypair to accomodate (and nil passphrase)

*Suggested TO DO, test of generate-keypair only operates
in memory and does not test writing out files.  Header identification
could then be tested to identify possible future jsch changes.

Test profile expanded to include newer versions of clojure.
All 31 tests pass with no failures / errors

* Fixed typo in profiles.clj

Minor typo error in clojure version fixed.

---------

Co-authored-by: Jason Brault <[email protected]>

Author: CACD-Dev

README.md

@@ -5,7 +5,8 @@
 
 # clj-ssh
 
-SSH in clojure.  Uses jsch.
+SSH in clojure.  Uses jsch. 
+(See section RSA Private Key format if using openssl generated keys)
 
 ## Usage
 
@@ -145,6 +146,42 @@ works with both a `jump-session` session and a single host session.
 [Annotated source](http:/hugoduncan.github.com/clj-ssh/0.5/annotated/uberdoc.html).
 [API](http:/hugoduncan.github.com/clj-ssh/0.5/api/index.html).
 
+## RSA Private Key Format and clj-ssh
+
+There have been changes to the header of RSA Private Keys.  With the upgrade of 
+com.jcraft/jsch to "0.1.55", the older openssh headers work with ssh will throw 
+an authentication failure.
+
+Older format
+```
+-----BEGIN OPENSSH PRIVATE KEY-----`
+```
+
+New RSA format
+```
+-----BEGIN RSA PRIVATE KEY-----
+```
+
+Old private keys can be easily converted to the new format, through the use of
+ssh-keygen's passphrase changing command.  This will change the file in place.
+```
+ssh-keygen -p -f privateKeyFile -m pem -P passphrase -N passphrase
+``` 
+The -m flag will force the file to pem format, fixing the header.  
+The -P (for old passphrase) and -N (new passphrase) can be ommitted to generate
+an interactive query instead.
+(enter "" at either -P or -N to identify no passphrase)
+
+### Note: clj-ssh key generation
+clj-ssh does have the ability to generate the public / private key pairs for both
+RSA and DSA (found in clj-ssh.ssh/generate-keypair).
+
+Unlike ssh-keygen, the RSA passphrase on the private key will be limited to   
+DES-EDE3-CBC DEK format to encrypt/decrypt the passphrase if created within clj-ssh.
+ssh-keygen will likely use what is standard in your operating system's crypto suite, 
+(e.g. AES-128-CBC) 
+
+
 ## FAQ
 
 Q: What does

ReleaseNotes.md

@@ -1,3 +1,17 @@
+## 0.5.16
+
+- Moved jsch to version 0.1.55 
+
+- Moved clojure tools.logging to 1.2.4
+
+- Moved logback-classic to 1.4.7
+
+- Changed ssh/generate-keypair to now match jsch API 
+  (and remove setPassphrase method which is listed as depricated)
+
+- Included section in readme.md regarding RSA header issues and 
+  compatibilities
+
 ## 0.5.14
 
 - Remove println from scp code

profiles.clj

@@ -1,12 +1,20 @@
 {:dev
- {:dependencies [[ch.qos.logback/logback-classic "1.0.0"]]
+ {:dependencies [[ch.qos.logback/logback-classic "1.4.7"]]
   :aliases {"test" ["with-profile"
-                    "clojure-1.4.0:clojure-1.5.1:clojure-1.6.0:clojure-1.7.0:clojure-1.8.0"
+                    "clojure-1.4.0:clojure-1.5.1:clojure-1.6.0:clojure-1.7.0:clojure-1.8.0:clojure-1.9.0:clojure-1.10.0:clojure-1.10.1:clojure-1.10.2:clojure-1.10.3:clojure-1.11.0:clojure-1.11.1"
                     "test"]}}
- :clojure-1.2.1 {:dependencies [[org.clojure/clojure "1.2.1"]]}
- :clojure-1.3.0 {:dependencies [[org.clojure/clojure "1.3.0"]]}
  :clojure-1.4.0 {:dependencies [[org.clojure/clojure "1.4.0"]]}
  :clojure-1.5.1 {:dependencies [[org.clojure/clojure "1.5.1"]]}
  :clojure-1.6.0 {:dependencies [[org.clojure/clojure "1.6.0"]]}
  :clojure-1.7.0 {:dependencies [[org.clojure/clojure "1.7.0"]]}
- :clojure-1.8.0 {:dependencies [[org.clojure/clojure "1.8.0"]]}}
+ :clojure-1.8.0 {:dependencies [[org.clojure/clojure "1.8.0"]]}
+ :clojure-1.9.0  {:dependencies [[org.clojure/clojure "1.9.0"]]} 
+ :clojure-1.10.0 {:dependencies [[org.clojure/clojure "1.10.0"]]}
+ :clojure-1.10.1 {:dependencies [[org.clojure/clojure "1.10.1"]]}
+ :clojure-1.10.2 {:dependencies [[org.clojure/clojure "1.10.2"]]}
+ :clojure-1.10.3 {:dependencies [[org.clojure/clojure "1.10.3"]]}
+ :clojure-1.11.0 {:dependencies [[org.clojure/clojure "1.11.0"]]}
+ :clojure-1.11.1 {:dependencies [[org.clojure/clojure "1.11.1"]]}
+ 
+ 
+ }

project.clj

@@ -1,18 +1,18 @@
 (def agentproxy-version "0.0.9")
 
-(defproject clj-commons/clj-ssh "0.5.15-SNAPSHOT"
+(defproject clj-commons/clj-ssh "0.5.16-SNAPSHOT"
   :description "Library for using SSH from clojure."
   :url "https://github.com/clj-commons/clj-ssh"
   :license {:name "Eclipse Public License"
             :url "http://www.eclipse.org/legal/epl-v10.html"}
-  :dependencies [[org.clojure/tools.logging "0.2.6"
+  :dependencies [[org.clojure/tools.logging "1.2.4"
                   :exclusions [org.clojure/clojure]]
                  [com.jcraft/jsch.agentproxy.usocket-jna ~agentproxy-version]
                  [com.jcraft/jsch.agentproxy.usocket-nc ~agentproxy-version]
                  [com.jcraft/jsch.agentproxy.sshagent ~agentproxy-version]
                  [com.jcraft/jsch.agentproxy.pageant ~agentproxy-version]
                  [com.jcraft/jsch.agentproxy.core ~agentproxy-version]
                  [com.jcraft/jsch.agentproxy.jsch ~agentproxy-version]
-                 [com.jcraft/jsch "0.1.53"]]
+                 [com.jcraft/jsch "0.1.55"]]
   :jvm-opts ["-Djava.awt.headless=true"]
   :profiles {:provided {:dependencies [[org.clojure/clojure "1.10.1"]]}})

src/clj_ssh/ssh.clj

@@ -1107,15 +1107,23 @@ cmd specifies a command to exec.  Valid commands are:
    using the :private-key-path and :public-key-path keys."
   [agent key-type key-size passphrase
    & {:keys [comment private-key-path public-key-path]}]
-  (let [keypair (KeyPair/genKeyPair agent (key-type key-types) key-size)]
-    (when passphrase
-      (.setPassphrase keypair passphrase))
+  (let [keypair (KeyPair/genKeyPair agent (key-type key-types) key-size)
+        write-pub (if (nil? comment)
+                    (fn [x] (.writePublicKey keypair x ""))
+                    (fn [x] (.writePublicKey keypair x comment)))
+        write-pvt (if (nil? passphrase)
+                    (fn [x] (.writePrivateKey keypair x))
+                    (fn [x] (.writePrivateKey keypair x
+                                              (if (= (type passphrase) String)
+                                                (.getBytes passphrase)
+                                                passphrase))))
+        ]
     (when public-key-path
-      (.writePublicKey keypair public-key-path comment))
+      (write-pub public-key-path))
     (when private-key-path
-      (.writePrivateKey keypair private-key-path))
+      (write-pvt private-key-path))
     (let [pub-baos (ByteArrayOutputStream.)
           pri-baos (ByteArrayOutputStream.)]
-      (.writePublicKey keypair pub-baos "")
-      (.writePrivateKey keypair pri-baos)
+      (write-pub pub-baos)
+      (write-pvt pri-baos)
       [(.toByteArray pri-baos) (.toByteArray pub-baos)])))