Fix SSH state machine for ssh-agent authentication #2248

Closed

grembo commented Jan 18, 2018

In case an identity didn't match[0], the state machine would fail in
state SSH_AUTH_AGENT instead of progressing to the next identity in
ssh-agent. As a result, ssh-agent authentication only worked if the
identity required happened to be the first added to ssh-agent.

This was introduced as part of commit c4eb10e,
which stated that the "else" statement was required to prevent getting stuck
in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
interface I couldn't see how this could happen or reproduce it and
I also couldn't find a more detailed description of the problem which
would explain a test case to reproduce the problem this was supposed to fix.

[0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED

Michael Gmelin
Fix SSH state machine for ssh-agent authentication

grembo commented Jan 18, 2018

How to reproduce:

  1. ssh-add -D # clear ssh-agent
  2. ssh-add ~/.ssh/wrongkey
  3. ssh-add ~/.ssh/rightkey
  4. curl sftp://myserver.example.com/file
  5. Perceive authentication fail
  6. ssh-add -D # clear ssh-agent
  7. ssh-add ~/.ssh/rightkey
  8. ssh-add ~/.ssh/wrongkey
  9. curl sftp://myserver.example.com/file
  10. Perceive authentication succeed

After applying the patch, 5. succeeds as expected.
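
A simplified model of the behaviour described in this pull request, added here as an illustration; it is not curl's code and not part of the original thread. `try_identity` stands in for `libssh2_agent_userauth`, and the state names other than SSH_AUTH_AGENT, the return codes and the key names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not curl's source. ST_AGENT stands for the report's
 * SSH_AUTH_AGENT state; the other state names and codes are made up. */
enum state { ST_AGENT, ST_AUTH_DONE, ST_AGENT_EXHAUSTED, ST_FAILED };
enum { RC_OK = 0, RC_AUTH_FAILED = -1 };

struct agent { const char **ids; int count; };

/* Stand-in for libssh2_agent_userauth(): the server accepts one key. */
static int try_identity(const char *offered, const char *accepted)
{
    return strcmp(offered, accepted) == 0 ? RC_OK : RC_AUTH_FAILED;
}

/* fail_on_mismatch=1: a rejected identity is a hard failure (reported bug).
 * fail_on_mismatch=0: a rejected identity advances to the next one (fix).
 * Each pass either leaves ST_AGENT or advances i, so the loop is bounded
 * by the number of identities the agent holds. */
enum state run_agent_auth(const struct agent *a, const char *accepted,
                          int fail_on_mismatch, int *attempts)
{
    enum state st = ST_AGENT;
    int i = 0, rc;
    *attempts = 0;
    while (st == ST_AGENT) {
        if (i >= a->count) { st = ST_AGENT_EXHAUSTED; break; }
        rc = try_identity(a->ids[i], accepted);
        (*attempts)++;
        if (rc == RC_OK)
            st = ST_AUTH_DONE;
        else if (fail_on_mismatch || rc != RC_AUTH_FAILED)
            st = ST_FAILED;
        else
            i++;                      /* stay in ST_AGENT, next identity */
    }
    return st;
}

int main(void)
{
    const char *wrong_first[] = { "wrongkey", "rightkey" }; /* constructed */
    struct agent a = { wrong_first, 2 };
    int n;
    printf("before: state=%d\n", run_agent_auth(&a, "rightkey", 1, &n));
    printf("after:  state=%d\n", run_agent_auth(&a, "rightkey", 0, &n));
    return 0;
}
```
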

bagder approved these changes Jan 18, 2018

bagder added the SCP/SFTP label Jan 18, 2018

bagder closed this in ddafd45 Jan 18, 2018

bagder commented Jan 18, 2018

Thanks!

AndiDog referenced this pull request in hashicorp/vagrant Apr 13, 2018

Closed

Update embedded curl binary to latest version #9688

lock bot locked as resolved and limited conversation to collaborators May 5, 2018