
fix(ssh): try none-auth before password/key to avoid leaking defaults #1582

Merged: chaliy merged 1 commit into main from claude/fix-1574-ssh-auth-order on May 7, 2026


Conversation

@chaliy chaliy (Contributor) commented May 7, 2026

Closes #1574.

Summary

RusshHandler::connect previously attempted public-key auth when a key was present and password auth when target.password was present, only falling back to authenticate_none when neither credential existed.

Because cmd.rs supplies SshConfig::default_password to user-selected SSH/SCP/SFTP targets, a malicious allowlisted server could harvest the configured default password even when it would have accepted none-auth.

Fix

  • Attempt authenticate_none first; return immediately on success so credentials are never offered.
  • Only fall back to publickey or password if the server rejects none.
  • Add regression test test_auth_order_none_first that asserts the call order in connect() (a runtime test would require a real SSH server).

Test plan

  • cargo test -p bashkit --features ssh --lib builtins::ssh::russh_handler (11/11 passing)
  • cargo fmt --all -- --check
  • cargo clippy -p bashkit --features ssh --all-targets -- -D warnings

Generated by Claude Code

Previously, RusshHandler::connect attempted public-key auth when a key
was present and password auth when target.password was present, only
falling back to authenticate_none when neither credential existed.

Because cmd.rs supplies SshConfig::default_password to user-selected
SSH/SCP/SFTP targets, a malicious allowlisted server could harvest the
configured default password even when it would have accepted none-auth.

Attempt authenticate_none first; only fall back to publickey or
password if the server rejects none. Add a regression test that
asserts the call order in the connect() body.

Closes #1574
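The ordering this PR describes (none-auth first, return on success, fall back to key and then password only after the server rejects none) and the call-order regression test it mentions can be modelled without a real SSH server. The block below is an added example, not bashkit's RusshHandler or russh's API: the `AuthClient` trait, the `SshTarget` struct and the `RecordingServer` mock are assumptions made for the illustration. The mock records what a server learns from the client, which is the point of the fix: with the corrected order a server that accepts none-auth never sees the configured default password.

```rust
// Added example, not bashkit's or russh's code. It models the authentication
// order the PR describes: try none-auth first and return on success, so the
// configured default password is never offered to a server that would have
// accepted none. `AuthClient`, `SshTarget` and `RecordingServer` are
// assumptions made for this illustration, not RusshHandler's real types.
use std::cell::RefCell;

#[derive(Debug, Clone, PartialEq)]
pub enum AuthMethod {
    None,
    PublicKey,
    Password,
}

/// Assumed abstraction over the three russh-style authentication calls.
pub trait AuthClient {
    fn authenticate_none(&self, user: &str) -> bool;
    fn authenticate_publickey(&self, user: &str, key: &str) -> bool;
    fn authenticate_password(&self, user: &str, password: &str) -> bool;
}

/// Assumed target shape: `password` is the slot cmd.rs would fill with
/// SshConfig::default_password in the scenario from the PR.
pub struct SshTarget {
    pub user: String,
    pub key: Option<String>,
    pub password: Option<String>,
}

/// Fixed order: none first (return immediately on success), then key, then password.
pub fn connect(client: &impl AuthClient, target: &SshTarget) -> Result<AuthMethod, String> {
    if client.authenticate_none(&target.user) {
        return Ok(AuthMethod::None);
    }
    if let Some(key) = &target.key {
        if client.authenticate_publickey(&target.user, key) {
            return Ok(AuthMethod::PublicKey);
        }
    }
    if let Some(pw) = &target.password {
        if client.authenticate_password(&target.user, pw) {
            return Ok(AuthMethod::Password);
        }
    }
    Err("server rejected every offered authentication method".to_string())
}

/// Recording stand-in for the server: logs the order of auth attempts and
/// every password it was shown, which is exactly what a hostile server learns.
pub struct RecordingServer {
    accept_none: bool,
    accept_password: bool,
    pub calls: RefCell<Vec<AuthMethod>>,
    pub passwords_seen: RefCell<Vec<String>>,
}

impl RecordingServer {
    pub fn new(accept_none: bool, accept_password: bool) -> Self {
        RecordingServer {
            accept_none,
            accept_password,
            calls: RefCell::new(Vec::new()),
            passwords_seen: RefCell::new(Vec::new()),
        }
    }
}

impl AuthClient for RecordingServer {
    fn authenticate_none(&self, _user: &str) -> bool {
        self.calls.borrow_mut().push(AuthMethod::None);
        self.accept_none
    }
    fn authenticate_publickey(&self, _user: &str, _key: &str) -> bool {
        self.calls.borrow_mut().push(AuthMethod::PublicKey);
        false // the mock never accepts keys, so the fallback chain is exercised
    }
    fn authenticate_password(&self, _user: &str, password: &str) -> bool {
        self.calls.borrow_mut().push(AuthMethod::Password);
        self.passwords_seen.borrow_mut().push(password.to_string());
        self.accept_password
    }
}

fn main() {
    // Constructed scenario: the server accepts none-auth and the target carries a default password.
    let server = RecordingServer::new(true, true);
    let target = SshTarget {
        user: "deploy".to_string(),
        key: None,
        password: Some("default-password-placeholder".to_string()),
    };
    let result = connect(&server, &target);
    println!("result: {:?}", result);
    println!("attempts: {:?}", server.calls.borrow());
    println!("passwords the server saw: {:?}", server.passwords_seen.borrow());
}
```

The recorded `calls` vector is what a call-order regression test asserts on: for a server that accepts none it must contain only `AuthMethod::None` and `passwords_seen` must stay empty; for a server that rejects none the order must be none, publickey, password. Reversing the first two branches in `connect` (the pre-fix behaviour) makes the first of those assertions fail.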
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status                    | Name    | Latest Commit | Preview URL                               | Updated (UTC)
✅ Deployment successful! | bashkit | 664ce88       | Commit Preview URL / Branch Preview URL   | May 07 2026, 03:59 AM

@chaliy chaliy merged commit a1b0737 into main May 7, 2026
34 checks passed
@chaliy chaliy deleted the claude/fix-1574-ssh-auth-order branch May 7, 2026 06:50

Development

Successfully merging this pull request may close these issues: DeepSec: default SSH password is offered before none-auth (#1574)