
Re: server-side public key authentication


On Monday 20 January 2014 09:05:30 Mike Jones wrote:
> On 1/19/2014 1:00 PM, Andreas Schneider wrote:
> > On Saturday 18 January 2014 08:55:28 Mike Jones wrote:
> >> I have managed to get an SSH server working within my application thanks
> >> to this library (version 0.6.0) and the excellent example programs.
> >> It uses public key authentication but I have one unanswered mystery
> >> regarding the public key signature_state.
> >> 
> >> The ssh_auth_pubkey_callback() is called with a signature_state of NONE.
> >> If I return SSH_AUTH_SUCCESS, then the client accepts this and never
> >> prompts for the private key passphrase.
> >> If I return SSH_AUTH_DENIED, then the client stops, of course.
> >> By process of elimination, I tried returning SSH_AUTH_PARTIAL.
> >> Then the client prompts for the passphrase and I get a second callback
> >> with a signature_state of VALID.
> >> 
> >> So this works with only a cosmetic annoyance on the client side stating
> >> "Authenticated with partial success." right before the passphrase prompt.
> >> 
> >> But as I understand the documentation, SSH_AUTH_PARTIAL should mean that
> >> additional methods of authentication are required (e.g. password,
> >> GSSAPI, etc).
> >> I only want the one method and would like it to return SUCCESS only with
> >> a VALID signature_state.
> >> Should there be another return value for ssh_auth_pubkey_callback() that
> >> means "IGNORE"?
> >> Or is there some other mechanism I am missing that would cause the
> >> client side to ask for the passphrase?
> >> 
> >> Thanks for any help and thank you for the awesome library!
> > 
> > Hi,
> > 
> > the client normally sends an unsigned pubkey to test if it is the valid
> > one. If it is then, you set the signature state to NONE and return AUTH
> > SUCCESS. Then the client sends it signed, you verify it and set the
> > state to VALID and return success.
> > 
> > See also http://tools.ietf.org/html/rfc4252#section-7
> > 
> > 	-- andreas
> 
> Well, I was working on two different systems and one of them was working
> correctly per your description but they both had the same application code.
> A little trial-and-error revealed that I had a mess of different
> versions of libssh on the one system.
> That's where I had started just prior to the final release of 0.6.0 and
> forgot to clean up first!
> So the library I was running against was either 0.5.5 or 0.6.0rc2.
> No matter, once I correctly installed 0.6.0 it behaves as expected now.
> 
> Thanks for helping a libssh newbie. :)

You're welcome :)

-- 
Andreas Schneider                   GPG-ID: CC014E3D
www.cryptomilk.org                asn@xxxxxxxxxxxxxx
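The two-stage decision Andreas describes (unsigned probe with state NONE, then the signed request with state VALID), written out as an added C example; this is not code from libssh or from either poster. The AUTH_* and SIG_* values, the authorized-key table and the fingerprint strings are assumptions constructed for the example; a real server would take them from libssh's SSH_AUTH_* / SSH_PUBLICKEY_STATE_* definitions and compare keys with the library's own key functions.

```c
#include <string.h>
#include <stdio.h>

/* Assumed to mirror libssh's SSH_AUTH_* results and SSH_PUBLICKEY_STATE_*
 * signature states; check libssh/libssh.h for the version you build against. */
enum { AUTH_SUCCESS = 0, AUTH_DENIED = 1, AUTH_PARTIAL = 2 };
enum { SIG_ERROR = -2, SIG_WRONG = -1, SIG_NONE = 0, SIG_VALID = 1 };

/* Constructed authorized-key table: user -> key fingerprint. */
struct authorized_key { const char *user; const char *fingerprint; };
static const struct authorized_key AUTHORIZED[] = {
    { "mike", "SHA256:constructed-fingerprint-for-mike" },
};

struct session_state { int authenticated; };

static int key_is_authorized(const char *user, const char *fingerprint) {
    size_t i;
    for (i = 0; i < sizeof AUTHORIZED / sizeof AUTHORIZED[0]; i++)
        if (strcmp(AUTHORIZED[i].user, user) == 0 &&
            strcmp(AUTHORIZED[i].fingerprint, fingerprint) == 0)
            return 1;
    return 0;
}

/* What a server's pubkey callback should answer for one request.
 * AUTH_PARTIAL is never returned: it means "more methods needed" (the
 * behaviour the thread saw was a version mix-up, not the intended API). */
int decide_pubkey_auth(struct session_state *s, const char *user,
                       const char *fingerprint, int signature_state) {
    /* Both stages require the key to be acceptable for this user. */
    if (!key_is_authorized(user, fingerprint))
        return AUTH_DENIED;
    switch (signature_state) {
    case SIG_NONE:
        /* Unsigned probe (RFC 4252 section 7): SUCCESS only tells the client
         * "this key is acceptable, now sign"; the session is NOT authenticated. */
        return AUTH_SUCCESS;
    case SIG_VALID:
        /* The library verified the signature against the presented key. */
        if (s) s->authenticated = 1;
        return AUTH_SUCCESS;
    default:
        /* SIG_WRONG, SIG_ERROR or anything unexpected: reject. */
        return AUTH_DENIED;
    }
}
```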

