From d6f0a8c073c28df7d0a9b3c8f4206a8f72b341e4 Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Wed, 23 Mar 2022 14:41:31 -0700 Subject: ssh: add ServerConfig.NoClientAuthCallback It was possible to accept auth type "none" before, but not dynamically at runtime as a function of the ConnMetadata like the other auth types' callback hooks. Fixes golang/go#51994 Change-Id: I83ea80901d4977d8f78523e3d1e16e0a7df5b172 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/395314 Reviewed-by: Roland Shoemaker Run-TryBot: Brad Fitzpatrick TryBot-Result: Gopher Robot Reviewed-by: Julie Qiu --- ssh/server.go | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'ssh/server.go') diff --git a/ssh/server.go b/ssh/server.go index 70045bd..2260b20 100644 --- a/ssh/server.go +++ b/ssh/server.go @@ -68,8 +68,16 @@ type ServerConfig struct { // NoClientAuth is true if clients are allowed to connect without // authenticating. + // To determine NoClientAuth at runtime, set NoClientAuth to true + // and the optional NoClientAuthCallback to a non-nil value. NoClientAuth bool + // NoClientAuthCallback, if non-nil, is called when a user + // attempts to authenticate with auth method "none". + // NoClientAuth must also be set to true for this be used, or + // this func is unused. + NoClientAuthCallback func(ConnMetadata) (*Permissions, error) + // MaxAuthTries specifies the maximum number of authentication attempts // permitted per connection. If set to a negative number, the number of // attempts are unlimited. If set to zero, the number of attempts are limited @@ -455,7 +463,11 @@ userAuthLoop: switch userAuthReq.Method { case "none": if config.NoClientAuth { - authErr = nil + if config.NoClientAuthCallback != nil { + perms, authErr = config.NoClientAuthCallback(s) + } else { + authErr = nil + } } // allow initial attempt of 'none' without penalty -- cgit v1.3