This release of the Maverick Synergy Java SSH API contains several improvements and bug fixes as we continue to test the possibilities of the API. This update is a Hotfix Branch release and is currently only available to our commercial Hotfix product subscribers.
Jadaptive will push these fixes to the open-source version at a future date according to our Open Source Release Policy.
Proxy Protocol Support
The server now supports version 1 of the Proxy Protocol. This feature allows a client's real IP address to be resolved when the connection arrives through a load balancer. Support is automatic if the load balancer sends the proxy protocol header before the SSH identification exchange. When the header is supplied, the API replaces the local and remote InetSocketAddress objects with unresolved versions containing the IP address and port provided by the load balancer.
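To make concrete what the server consumes ahead of the SSH identification string, here is an added parser for a PROXY protocol v1 header line (example code written for this note, not Maverick Synergy's own implementation). The header layout follows the published PROXY protocol specification; the trusted-proxy check in effective_remote is an assumed deployment policy, not a feature the release note describes, and the sample byte strings are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
# PROXY v1 line sent by the load balancer before any SSH bytes, at most 107 bytes with CRLF:
#   "PROXY TCP4 <src-ip> <dst-ip> <src-port> <dst-port>\r\n"   ("PROXY UNKNOWN..." = no addresses)
MAX_V1_HEADER = 107
_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")

@dataclass(frozen=True)
class ProxyHeader:
    family: str
    src: str        # client address as asserted by the load balancer
    dst: str
    src_port: int
    dst_port: int

def parse_proxy_v1(data: bytes) -> tuple[Optional[ProxyHeader], bytes]:
    """Return (header, remaining bytes). header is None when no usable PROXY line
    is present; the remaining bytes then start the SSH identification exchange."""
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ValueError("malformed PROXY v1 header: no CRLF within 107 bytes")
    line, rest = data[:end + 2], data[end + 2:]
    if line.startswith(b"PROXY UNKNOWN"):
        return None, rest  # proxy could not determine addresses; keep the socket peer
    m = _V1_RE.match(line)
    if not m:
        raise ValueError("malformed PROXY v1 header")
    family, src, dst, sport, dport = (g.decode("ascii") for g in m.groups())
    want = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != want:  # also rejects non-IP text
            raise ValueError(f"{addr} is not a {family} address")
    sp, dp = int(sport), int(dport)
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return ProxyHeader(family, src, dst, sp, dp), rest

def effective_remote(peer_ip: str, data: bytes, trusted_proxies: set) -> tuple[str, bytes]:
    """Assumed deployment policy (not from the release note): honour the header only when
    the TCP peer is a known load balancer, since a direct client could assert a false IP."""
    header, rest = parse_proxy_v1(data)
    if header is None:
        return peer_ip, rest
    if peer_ip not in trusted_proxies:
        raise ValueError(f"PROXY header from untrusted peer {peer_ip}")
    return header.src, rest
```

The bytes returned alongside the header are exactly what an SSH transport would then read as the client's identification string, so a connection without a PROXY line passes through unchanged.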
Log4Shell in Java SSH Solutions
During this release cycle, the discovery of critical vulnerabilities in Log4J2 has been widely publicised. However, Maverick Synergy, with its independent logging solution, is not vulnerable to this attack. We have performed many tests to demonstrate and confirm this.
For those interested in how SSH could expose such a risk, I wrote a brief article in our Journal outlining the possible attack points that would make a Java SSH API vulnerable.
This update includes the fixes listed below. You can find the up-to-date changelog with full history here.
- Proxy protocol v1 is now supported for IP resolution through load balancers. Replaced remote address on Connection object with unresolved InetAddress containing the IP and port of the source connection.
- Further improvements to callback client and server.
- Added getSessionCount method to SshConnection.
- Added ExpiryConfiguration callback interface to ExpiringConcurrentHashMap to allow an external service to provide an expiry setting.
- VirtualShell now supports configuring the native command used when the user executes the ‘osshell’ command.
- Added ChannelFactoryListener interfaces to modify channels during creation by the DefaultServerChannelFactory.
- Require each channel to declare its channel type through the getChannelType method.
- SessionChannelNG did not delegate subsystem creation to a protected method, making it impossible to override the behaviour.
- Default ping mechanism is now only used when idle time configuration is zero.
- Idle state mechanism incorrectly generates idle events every second after reaching the idle threshold.
- The "failed to negotiate algorithm" exception reported an incorrect list of algorithms in its message.
- addInterface in SshEngineContext should throw an error when an interface cannot start when the server is already running.
- Guard against NullPointerException in ComponentFactory configureSecurityLevel method.
- Close event from RootShell was not providing RootShell instance as an event source.
- Incorrect XOR of flag causes NPE in SftpFileAttributes setTimes methods.
- ConcurrentModificationExceptions discovered with local forwarding under load when implementation uses ChannelEventListeners for feedback.
- Fixes to VirtualShell “raw” mode to prevent duplicate reading of the session streams when a command needs direct access to the session.
- Fixed replacements when UnknownHostException captured in virtual shell welcome message.
- Wrapping SshConnection in SshClient can now optionally disable disconnection.
- Allow SshClientCommand runCommand execution from another class by making it public.
- Callback client reconnect interval is now fixed to the interval provided rather than an accumulating delay.
- Ensure channel without a data cache evaluates window space on channel data received.
- Use ConcurrentHashMap in ExecutorOperationSupport listener collection.
- A callback server should be identifiable by its identification string, e.g. SSH-2.0-CallbackServer.