Sftp ClientSession leak on authentication failure

[almailer]

Spring integration SFTP 6.4.5

Describe the bug

When creating SftpSession using DefaultSftpSessionFactory.getSession() I observe that an authentication failure results in the underlying ClientSession still being connected to the SFTP server.

To Reproduce

Observed with a real SFTP server and using SFTPInboundChannelAdapter but also seen in small test.

// Pseudocode
// Set up test SshServer
// Set up DefaultSftpSessionFactory with no password or public key to trigger Auth failure

try (SftpSession session = sessionFactory.getSession()) {
// Ignored code due to exception in getSession()
} finally {
Thread.sleep(1000);
// Connection is not closed
assertThat(testServer.getActiveSessions(), hasSize(1));
}

Expected behavior

The call to getSession should not leave unclosed resources when failing with an IOException.

Sample

See above, apologies is difficult to directly upload my test class.

[artembilan]

So, DefaultSftpSessionFactory fails like this:

java.lang.IllegalStateException: failed to create SFTP Session

	at org.springframework.integration.sftp.session.DefaultSftpSessionFactory.getSession(DefaultSftpSessionFactory.java:327)
	at org.springframework.integration.sftp.session.SftpSessionFactoryTests.noClientSessionLeakOnAuthError(SftpSessionFactoryTests.java:362)
	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1604)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1604)
Caused by: org.apache.sshd.common.SshException: No more authentication methods available
	at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:141)
	at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:56)
	at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:35)
	at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:110)
	at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:96)
	at org.springframework.integration.sftp.session.DefaultSftpSessionFactory.initClientSession(DefaultSftpSessionFactory.java:354)
	at org.springframework.integration.sftp.session.DefaultSftpSessionFactory.getSession(DefaultSftpSessionFactory.java:317)
	... 4 more
Caused by: org.apache.sshd.common.SshException: No more authentication methods available
	at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:441)
	at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:390)
	at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:270)
	at org.apache.sshd.common.session.helpers.CurrentService.process(CurrentService.java:109)
	at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:625)
	at org.apache.sshd.common.session.helpers.AbstractSession.lambda$handleMessage$0(AbstractSession.java:546)
	at org.apache.sshd.common.util.threads.ThreadUtils.runAsInternal(ThreadUtils.java:68)
	at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:545)
	at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1729)
	at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:506)
	at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
	at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:409)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:382)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:377)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:74)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
	at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:121)
	at java.base/sun.nio.ch.Invoker$1.run(Invoker.java:201)
	at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:108)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1095)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:619)
	at java.base/java.lang.Thread.run(Thread.java:1447)

The line of the problem is in the initClientSession():

clientSession.auth().verify(verifyTimeout);

Indeed we fail to get a fresh session for our use, but the ClientSession is still in the SshServer management.

I wonder why question is for Spring Integration, but not Apache MINA itself: https://github.com/apache/mina-sshd.

This is really out of Spring Integration to properly manage those internal resources in the library.

Or do you know about some recommendation that we have to handle such a failure manually on the client side?

Looks like the fix is not too hard, though:

		try {
			clientSession.auth().verify(verifyTimeout);
		}
		catch (IOException ex) {
			clientSession.close();
			throw ex;
		}

But that is a bit awkward to do that when connection has failed.

We probably can go this workaround for time being, but let us know what you hear from Apache MINA itself on the matter!

[almailer]

Hi,

Thanks for the quick reply. I do see one difference between the MINA API and the SI one -

After the connect.verify is completed, the ClientSession resource is returned to DefaultSftpSessionFactory to manage. Hopefully an exception here does actually close the connection. I do see there were problems there in the past - https://github.com/apache/mina-sshd/blob/master/docs/changes/2.10.0.md

Assuming a clean connect, auth().verify(...) might fail but the ClientSession reference is still available to call close() on.

Unfortunately, for consumers of DefaultSftpSessionFactory.getSession() as soon as execution exits initClientSession() the reference to the ClientSession is lost and so it is not possible to close() it.

I also notice there is a simple client API which attempts to manage the closing of resources on exceptions. It seems designed to support the synchronous style used in DefaultSftpSessionFactory (https://github.com/apache/mina-sshd/blob/master/sshd-core/src/main/java/org/apache/sshd/client/SshClient.java#L974 ). Perhaps it does not mesh well with the other functionalties offered by DefaultSftpSessionFactory. It also seems to force a particular authentication method on the caller.

I asked to MINA for recommendations here: apache/mina-sshd#768

[artembilan]

Thanks for investigation!

Assuming a clean connect, auth().verify(...) might fail but the ClientSession reference is still available to call close() on.

This is a bit awkward decision to make client responsible for close even in case of connection exception.

We do have a delegate close from our SftpSession, but that is for normal code flow, not when we are not able even create an SftpSession.

I think for time being we will go the fix I have proposed above.
Feel free to open PR!

Treating this as bug and schedule it for 6.5.x and 6.4.x back-port.

[artembilan]

We got a confirmation from MINA that handling such an auth error on our side is the way to go.