fixed #972 - ssh: only offer available auth methods after a rejected …
…public key offer
Eugeny committed Jul 25, 2024
1 parent 630d8e8 commit daacd55
Showing 2 changed files with 16 additions and 14 deletions.
11 changes: 2 additions & 9 deletions warpgate-protocol-ssh/src/server/russh_handler.rs
@@ -29,7 +29,7 @@ pub enum ServerHandlerEvent {
PtyRequest(ServerChannelId, PtyRequest, oneshot::Sender<()>),
ShellRequest(ServerChannelId, oneshot::Sender<bool>),
AuthPublicKey(Secret<String>, PublicKey, oneshot::Sender<Auth>),
AuthPublicKeyOffer(Secret<String>, PublicKey, oneshot::Sender<bool>),
AuthPublicKeyOffer(Secret<String>, PublicKey, oneshot::Sender<Auth>),
AuthPassword(Secret<String>, Secret<String>, oneshot::Sender<Auth>),
AuthKeyboardInteractive(
Secret<String>,
@@ -192,14 +192,7 @@ impl russh::server::Handler for ServerHandler {
tx,
))?;

let result = rx.await.unwrap_or(false);
Ok(if result {
Auth::Accept
} else {
Auth::Reject {
proceed_with_methods: None,
}
})
Ok(rx.await.unwrap_or(Auth::Reject { proceed_with_methods: None }))
}

async fn auth_publickey(
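Review bot: The fallback in `Ok(rx.await.unwrap_or(Auth::Reject { proceed_with_methods: None }))` treats a dropped sender exactly like a policy rejection and leaves no trace of which one happened. Rejecting is the right fail-closed default, but a short comment such as `// Fail closed: if the session side dropped the sender, reject the offer.` would record that this is deliberate. The enclosing handler method starts outside the hunk, so whether a log line already precedes this point cannot be seen from here.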
19 changes: 14 additions & 5 deletions warpgate-protocol-ssh/src/server/session.rs
@@ -1196,7 +1196,7 @@ impl ServerSession {
&mut self,
ssh_username: Secret<String>,
key: PublicKey,
) -> bool {
) -> russh::server::Auth {
let keys = self._get_public_keys_from_of(key);
let selector: AuthSelector = ssh_username.expose_secret().into();

@@ -1211,10 +1211,19 @@ impl ServerSession {
)
.await
{
return true;
return russh::server::Auth::Accept;
}
}
false

let selector: AuthSelector = ssh_username.expose_secret().into();
match self.try_auth(&selector, None).await {
Ok(AuthResult::Need(kinds)) => russh::server::Auth::Reject {
proceed_with_methods: Some(self.get_remaining_auth_methods(kinds)),
},
_ => russh::server::Auth::Reject {
proceed_with_methods: None,
},
}
}

async fn _auth_publickey(
@@ -1281,8 +1290,8 @@ impl ServerSession {
Ok(AuthResult::Rejected) => russh::server::Auth::Reject {
proceed_with_methods: None,
},
Ok(AuthResult::Need(_)) => russh::server::Auth::Reject {
proceed_with_methods: None,
Ok(AuthResult::Need(kinds)) => russh::server::Auth::Reject {
proceed_with_methods: Some(self.get_remaining_auth_methods(kinds)),
},
Err(error) => {
error!(?error, "Failed to verify credentials");
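Review bot: The `_ =>` arm added after `self.try_auth(&selector, None)` in the second hunk folds `Err(..)` and every other `Ok(..)` result into a silent reject, while the `Err(error)` arm in the last hunk logs via `error!(?error, "Failed to verify credentials")`. Keeping the fail-closed result but adding `Err(error) => { error!(?error, "Failed to verify credentials"); russh::server::Auth::Reject { proceed_with_methods: None } }` would leave a trace when the check itself fails. Since `proceed_with_methods` now depends on the policy for `ssh_username` before any credential is proven, it is worth confirming that `try_auth` reports the same `Need(..)` set for unknown users, otherwise the reply tells valid usernames from invalid ones. The second `let selector` repeats the binding from the first hunk and looks redundant if the loop, which lies partly outside the hunks, only borrows it. The function's signature starts above the first hunk.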
