fixed #972 - ssh: only offer available auth methods after a rejected public key offer

This commit is contained in:
Eugene 2024-07-25 12:11:25 +02:00
parent 630d8e8e3d
commit daacd55d25
No known key found for this signature in database
GPG key ID: 5896FCBBDD1CF4F4
2 changed files with 16 additions and 14 deletions


@ -29,7 +29,7 @@ pub enum ServerHandlerEvent {
PtyRequest(ServerChannelId, PtyRequest, oneshot::Sender<()>),
ShellRequest(ServerChannelId, oneshot::Sender<bool>),
AuthPublicKey(Secret<String>, PublicKey, oneshot::Sender<Auth>),
AuthPublicKeyOffer(Secret<String>, PublicKey, oneshot::Sender<bool>),
AuthPublicKeyOffer(Secret<String>, PublicKey, oneshot::Sender<Auth>),
AuthPassword(Secret<String>, Secret<String>, oneshot::Sender<Auth>),
AuthKeyboardInteractive(
Secret<String>,
@ -192,14 +192,7 @@ impl russh::server::Handler for ServerHandler {
tx,
))?;
let result = rx.await.unwrap_or(false);
Ok(if result {
Auth::Accept
} else {
Auth::Reject {
proceed_with_methods: None,
}
})
Ok(rx.await.unwrap_or(Auth::Reject { proceed_with_methods: None }))
}
async fn auth_publickey(
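Review bot: The `unwrap_or` in `Ok(rx.await.unwrap_or(Auth::Reject { proceed_with_methods: None }))` folds a dropped responder (the session side never answered) into the same value as a deliberate reject with no continuation methods, so the two cases are indistinguishable when debugging a stuck or crashed session task. Failing closed is the right default here, but the intent should be stated on the line: `// Responder dropped without answering: fail closed, offer no continuation methods.`. If a logging macro is already in scope in this file (none is visible in this hunk), an `unwrap_or_else` that logs before returning the reject would make the dropped-sender case observable without changing the outcome. The enclosing handler method starts above the hunk.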


@ -1196,7 +1196,7 @@ impl ServerSession {
&mut self,
ssh_username: Secret<String>,
key: PublicKey,
) -> bool {
) -> russh::server::Auth {
let keys = self._get_public_keys_from_of(key);
let selector: AuthSelector = ssh_username.expose_secret().into();
@ -1211,10 +1211,19 @@ impl ServerSession {
)
.await
{
return true;
return russh::server::Auth::Accept;
}
}
false
let selector: AuthSelector = ssh_username.expose_secret().into();
match self.try_auth(&selector, None).await {
Ok(AuthResult::Need(kinds)) => russh::server::Auth::Reject {
proceed_with_methods: Some(self.get_remaining_auth_methods(kinds)),
},
_ => russh::server::Auth::Reject {
proceed_with_methods: None,
},
}
}
async fn _auth_publickey(
@ -1281,8 +1290,8 @@ impl ServerSession {
Ok(AuthResult::Rejected) => russh::server::Auth::Reject {
proceed_with_methods: None,
},
Ok(AuthResult::Need(_)) => russh::server::Auth::Reject {
proceed_with_methods: None,
Ok(AuthResult::Need(kinds)) => russh::server::Auth::Reject {
proceed_with_methods: Some(self.get_remaining_auth_methods(kinds)),
},
Err(error) => {
error!(?error, "Failed to verify credentials");
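Review bot: The catch-all `_ =>` arm in the new `match self.try_auth(&selector, None).await` block swallows `Err(error)` without a trace, whereas the parallel arm in `_auth_publickey` further down logs it with `error!(?error, "Failed to verify credentials");`, so a backend failure during an unsigned key probe is indistinguishable from a policy reject. Add an explicit `Err` arm that logs the same way ahead of the catch-all, as below. Two smaller points: `selector` is rebound by `let selector: AuthSelector = ssh_username.expose_secret().into();` although an identical binding already exists at the top of the method (unless the first one is moved in the elided lines, the second `let` is redundant), and because the continuation list now comes from per-user policy, the reply to a key probe varies by username — if an unknown user lands in the `_` arm with `proceed_with_methods: None` while a known user receives a method list, that difference is a user-existence signal worth confirming (inferred; `try_auth`'s behaviour for unknown users is not visible here). The enclosing method starts above the hunk.
```rust
match self.try_auth(&selector, None).await {
    // … unchanged: Ok(AuthResult::Need(kinds)) arm …
    Err(error) => {
        error!(?error, "Failed to verify credentials");
        russh::server::Auth::Reject {
            proceed_with_methods: None,
        }
    }
    // … unchanged: catch-all reject arm …
}
```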