| author | samiponkanen <sami.ponkanen@gmail.com> | 2024-10-16 01:53:41 +0000 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2024-10-16 07:16:19 +0000 |
| commit | 7cfb9161e8d828fd6d9f34560e78460435b63503 (patch) | |
| tree | f867480ffcf998cb2e661c2c1a6c20609ebb7b5b /ssh/client_auth.go | |
| parent | b61b08db44b86a0fb8510036a4655fc4a3d37cd3 (diff) | |
| download | go-x-crypto-7cfb9161e8d828fd6d9f34560e78460435b63503.tar.xz | |
ssh: return unexpected msg error when server fails keyboard-interactive auth early

Seems the OpenSSH server running on Windows fails keyboard-interactive
auth this way without sending any prompt to client. In such case the
golang ssh client should not retry keyboard-interactive auth when the
auth method is wrapped in a RetryableAuthMethod(). Rather the auth
method should be immediately marked as tried&failed and the client auth
process should move on to next available and acceptable auth method.

Fixes golang/go#67855
Change-Id: I6c64ae58ff8325774e37af716601b112f8833d8f
GitHub-Last-Rev: 7fafc4d1c81284b31000d7d6ccadd934dda26d24
GitHub-Pull-Request: golang/crypto#297
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/590956
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
Diffstat (limited to 'ssh/client_auth.go')
| -rw-r--r-- | ssh/client_auth.go | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ssh/client_auth.go b/ssh/client_auth.go index b939610..b86dde1 100644 --- a/ssh/client_auth.go +++ b/ssh/client_auth.go @@ -555,6 +555,7 @@ func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packe } gotMsgExtInfo := false + gotUserAuthInfoRequest := false for { packet, err := c.readPacket() if err != nil { @@ -585,6 +586,9 @@ func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packe if msg.PartialSuccess { return authPartialSuccess, msg.Methods, nil } + if !gotUserAuthInfoRequest { + return authFailure, msg.Methods, unexpectedMessageError(msgUserAuthInfoRequest, packet[0]) + } return authFailure, msg.Methods, nil case msgUserAuthSuccess: return authSuccess, nil, nil @@ -596,6 +600,7 @@ func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packe if err := Unmarshal(packet, &msg); err != nil { return authFailure, nil, err } + gotUserAuthInfoRequest = true // Manually unpack the prompt/echo pairs. rest := msg.Prompts |
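Review bot: the new `if !gotUserAuthInfoRequest` branch in the second hunk (the failure path just after the `msg.PartialSuccess` check) has no comment explaining why it returns an error while the line right below it still returns `authFailure, msg.Methods, nil`. Read on their own, the two returns look inconsistent, and the reason (keeping an auth method wrapped in RetryableAuthMethod() from being retried when the server never prompts) lives only in the commit message. A short comment above the branch stating that would help. Related point: `unexpectedMessageError(msgUserAuthInfoRequest, packet[0])` reports the failure as an unexpected message, but RFC 4256 allows a server to answer the initial keyboard-interactive request with a failure directly, so anyone who sees this error surfaced may read it as a protocol violation by the server. Consider a dedicated error, or say in the comment that the error is used here as a "do not retry" signal. Placing the check after the `msg.PartialSuccess` return is right, since partial success is then unaffected. In the third hunk the flag is set only after `Unmarshal` succeeds, which is also fine because the error path returns immediately.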
