x/crypto/ssh: Client Auth: handle partial success correctly when processing userAuthFailure responses #23461

samiponkanen · 2018-01-17T12:36:26Z

GO ssh library client does not handle correctly the partial success flag in SSH_MSG_USERAUTH_FAILURE authentication responses.

There seems to be some code in client_auth.go to handle this case when public key authentication is used. Password and keyboard-interactive authentication used with the RetryableAuthMethod wrapper do not handle such authentication responses correctly. Also the bookkeeping of failed authentication methods in clientAuthenticate() does not work correctly when authentication steps complete with partial success.

What version of Go are you using (`go version`)?

go version go1.9.2 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (`go env`)?

GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"

What did you do?

Configure go ssh library client with RetryableAuthMethod(PasswordCallback) and PublicKeysCallback authentication methods. Use maxTries >= 2 with the RetryableAuthMethod.
Configure openssh server with multi-auth: /etc/ssh/sshd_config:
AuthenticationMethods password,publickey
Connect client to server. Return the correct password when PasswordCallback() is called.

What did you expect to see?

Expected to see first PasswordCallback() getting called once and then PublicKeysCallback() getting called.

What did you see instead?

PasswordCallback() is always called two times, regardless if the returned password is correct or incorrect.

This happens because retryableAuthMethod.auth() does not exit from the loop when underlying auth method fails with userAuthFailure but PartialSuccess set to true.

The text was updated successfully, but these errors were encountered:

gopherbot · 2018-01-17T13:01:13Z

Change https://golang.org/cl/88035 mentions this issue: ssh: fix support for partial success authentication responses in client

The existing client side authentication does not handle correctly the partial success flag in SSH_MSG_USERAUTH_FAILURE authentication responses. This commit fixes two problems in ssh library: 1) RetryableAuthMethod() now breaks out from the retry loop and returns when underlying auth method fails with partial success set to true. 2) Book keeping of tried (and failed) auth methods in clientAuthenticate() does not mark an auth method failed if it fails with partial success set to true. Fixes golang/go#23461 Change-Id: Ib2e1a1d54bfe2549496199bb2f66ebbce58d130d Reviewed-on: https://go-review.googlesource.com/88035 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com> Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>

gopherbot added this to the Unreleased milestone Jan 17, 2018

gopherbot closed this as completed in golang/crypto@9334d73 Feb 8, 2018

golang locked and limited conversation to collaborators Feb 8, 2019

gopherbot added the FrozenDueToAge label Feb 8, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/crypto/ssh: Client Auth: handle partial success correctly when processing userAuthFailure responses #23461

x/crypto/ssh: Client Auth: handle partial success correctly when processing userAuthFailure responses #23461

samiponkanen commented Jan 17, 2018

gopherbot commented Jan 17, 2018

x/crypto/ssh: Client Auth: handle partial success correctly when processing userAuthFailure responses #23461

x/crypto/ssh: Client Auth: handle partial success correctly when processing userAuthFailure responses #23461

Comments

samiponkanen commented Jan 17, 2018

What version of Go are you using (go version)?

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

What did you expect to see?

What did you see instead?

gopherbot commented Jan 17, 2018

What version of Go are you using (`go version`)?

What operating system and processor architecture are you using (`go env`)?