-
Notifications
You must be signed in to change notification settings - Fork 364
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GH-533: Fix ClientUserAuthService iteration through methods
The ClientUserAuthService iterates through the configured authentication methods and tries them each in order, skipping those that the server did not list as acceptable. However, it only set the "server acceptable" on a partial success, or on the initial failure for the "none" request. This was wrong: if a pubkey auth fails and the server replies with SSH_MSG_USERAUTH_FAILURE and an acceptable methods list not containing "pubkey", then pubkey should not continue even if it had more keys available (or more signatures to try for an RSA key). This case actually occurs, for instance with an XFB.Gateway SSH server and RSA keys, if an rsa-sha2* signature is used. That server apparently knows only ssh-rsa signatures and consequently may reply with SSH_MSG_USERAUTH_FAILURE, partialSuccess=false, allowed=password. (Presumably if the key was right but the signature was unknown, and the user has only a single authorized key, and password auth is enabled server-side.) So reset the "server acceptable" list on any SSH_MSG_USERAUTH_FAILURE, even if partialSuccess = false. Check whether the current method is still allowed, and if not start over instead of continuing with the current method. A second problem was with the handling of multiple required authentication methods. A server may require multiple authentications, for instance first a pubkey auth, then a password auth, and then again a pubkey auth with another key. Such continuations are indicated by SSH_MSG_USERAUTH_FAILURE with partialSuccess = true and a list of methods to try next. For pubkey,password,pubkey the client would get a message SSH_MSG_USERAUTH_FAILURE partialSuccess=true allowed=password after the successful first pubkey authentication, and then a message SSH_MSG_USERAUTH_FAILURE partialSuccess=true allowed=pubkey after the successful password log-in. On that second use of pubkey auth, the previously successful key must not be re-tried, and there's also no point in re-trying previously rejected keys. Thus our code cannot simply create a new UserAuthPublicKey instance again as this would re-load the key iterator from scratch. Instead we must remember the pubkey auth instance once created and re-use that same instance on the second use, so that we keep on with any remaining keys that might be available. See also https://issues.apache.org/jira/browse/SSHD-1229, which may be related. Bug: #533
- Loading branch information
Showing
4 changed files
with
462 additions
and
39 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.