Fix SSH state machine for ssh-agent authentication #2248

Closed
wants to merge 1 commit into
base: master
from

grembo commented Jan 18, 2018

In case an identity didn't match[0], the state machine would fail in
state SSH_AUTH_AGENT instead of progressing to the next identity in
ssh-agent. As a result, ssh-agent authentication only worked if the
identity required happened to be the first added to ssh-agent.

This was introduced as part of commit c4eb10e,
which stated that the "else" statement was required to prevent getting stuck
in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
interface I couldn't see how this could happen or reproduce it and
I also couldn't find a more detailed description of the problem which
would explain a test case to reproduce the problem this was supposed to fix.

[0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED

Michael Gmelin
Fix SSH state machine for ssh-agent authentication

grembo commented Jan 18, 2018

How to reproduce:

  1. ssh-add -D # clear ssh-agent
  2. ssh-add ~/.ssh/wrongkey
  3. ssh-add ~/.ssh/rightkey
  4. curl sftp://myserver.example.com/file
  5. Perceive authentication fail
  6. ssh-add -D # clear ssh-agent
  7. ssh-add ~/.ssh/rightkey
  8. ssh-add ~/.ssh/wrongkey
  9. curl sftp://myserver.example.com/file
  10. Perceive authentication succeed

After applying the patch, 5. succeeds as expected.
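
A small model of the behaviour discussed in this pull request, added here as an illustration; it is not curl's code or the patch itself. `stub_userauth`, `agent_auth`, `run_case` and the key names are hypothetical stand-ins; only `LIBSSH2_ERROR_AUTHENTICATION_FAILED` and its value come from libssh2.

```c
#include <stdio.h>
#include <string.h>

/* Value as defined in libssh2.h. */
#define LIBSSH2_ERROR_AUTHENTICATION_FAILED (-18)

/* Constructed stand-in for ssh-agent: keys in the order they were added. */
struct agent { const char **keys; int count; const char *accepted; };

/* Hypothetical stub for libssh2_agent_userauth(): 0 on success. */
static int stub_userauth(const struct agent *a, int i)
{
  return strcmp(a->keys[i], a->accepted) == 0 ?
    0 : LIBSSH2_ERROR_AUTHENTICATION_FAILED;
}

/* Walk the identities. Returns the index that authenticated, or -1.
   fail_on_mismatch = 1: a mismatch ends agent authentication (reported bug).
   fail_on_mismatch = 0: a mismatch moves on to the next identity. */
int agent_auth(const struct agent *a, int fail_on_mismatch)
{
  int i;
  for(i = 0; i < a->count; i++) {
    int rc = stub_userauth(a, i);
    if(rc == 0)
      return i;
    if(rc == LIBSSH2_ERROR_AUTHENTICATION_FAILED && !fail_on_mismatch)
      continue;  /* try the next identity held by the agent */
    return -1;   /* leave the agent state with a failure */
  }
  return -1;     /* every identity was offered and rejected */
}

/* Constructed key orders matching the two halves of the reproduction. */
static const char *wrong_first[] = { "wrongkey", "rightkey" };
static const char *right_first[] = { "rightkey", "wrongkey" };

int run_case(const char **keys, int fail_on_mismatch)
{
  struct agent a = { keys, 2, "rightkey" };
  return agent_auth(&a, fail_on_mismatch);
}

int main(void)
{
  printf("wrong key first, fail on mismatch: %d\n", run_case(wrong_first, 1));
  printf("wrong key first, try next:         %d\n", run_case(wrong_first, 0));
  return 0;
}
```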

bagder approved these changes Jan 18, 2018

@bagder bagder added the SCP/SFTP label Jan 18, 2018

@bagder bagder closed this in ddafd45 Jan 18, 2018

bagder commented Jan 18, 2018

Thanks!

@lock lock bot locked as resolved and limited conversation to collaborators May 5, 2018