[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] server: fix pubkey reply for key probes


Hi,

Attached is a patch which fixes a response bug in the handler for the
'ssh_auth_pubkey_callback', for the case of public key probes.

 With this change I am able to process an initial public key probe and
then subsequent key signature validation using the server callbacks
together with 'ssh_event_dopoll'.


-Jon
From 12f2d3b9fe28a6307d60e6bf33ff0bd9358ea286 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Sat, 2 Nov 2013 01:34:46 -0700
Subject: [PATCH] server: fix pubkey reply for key probes

Per RFC 4252, it is required to send back only one of either
SSH_MSG_USERAUTH_PK_OK or SSH_MSG_USERAUTH_FAILURE for public
key probes.

Update the handling of 'auth_pubkey_function' to send back PK_OK
instead of SSH_MSG_USERAUTH_SUCCESS for the case that the state
of the message at hand is SSH_PUBLICKEY_STATE_NONE.

With this change, it is now possible to process an initial key probe
and then subsequent signature validation using the server callbacks.
---
 src/messages.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/messages.c b/src/messages.c
index 73f3997..c8e0e09 100644
--- a/src/messages.c
+++ b/src/messages.c
@@ -120,10 +120,18 @@ static int ssh_execute_server_request(ssh_session session, ssh_message msg)
                        msg->auth_request.username, msg->auth_request.pubkey,
                        msg->auth_request.signature_state,
                        session->server_callbacks->userdata);
-               if (rc == SSH_AUTH_SUCCESS || rc == SSH_AUTH_PARTIAL){
+               if (msg->auth_request.signature_state != SSH_PUBLICKEY_STATE_NONE) {
+                 if (rc == SSH_AUTH_SUCCESS || rc == SSH_AUTH_PARTIAL) {
                    ssh_message_auth_reply_success(msg, rc == SSH_AUTH_PARTIAL);
+                 } else {
+                   ssh_message_reply_default(msg);
+                 }
                } else {
+                 if (rc == SSH_AUTH_SUCCESS) {
+                   ssh_message_auth_reply_pk_ok_simple(msg);
+                 } else {
                    ssh_message_reply_default(msg);
+                 }
                }
 
                return SSH_OK;
-- 
1.8.4.21.g992c386


Follow-Ups:
Re: [PATCH] server: fix pubkey reply for key probesAndreas Schneider <asn@xxxxxxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org