
Re: server-side public key authentication


On Saturday 18 January 2014 08:55:28 Mike Jones wrote:
> I have managed to get an SSH server working within my application thanks
> to this library (version 0.6.0) and the excellent example programs.
> It uses public key authentication but I have one unanswered mystery
> regarding the public key signature_state.
> 
> The ssh_auth_pubkey_callback() is called with a signature_state of NONE.
> If I return SSH_AUTH_SUCCESS, then the client accepts this and never
> prompts for the private key passphrase.
> If I return SSH_AUTH_DENIED, then the client stops, of course.
> By process of elimination, I tried returning SSH_AUTH_PARTIAL.
> Then the client prompts for the passphrase and I get a second callback
> with a signature_state of VALID.
> 
> So this works with only a cosmetic annoyance on the client side stating
> "Authenticated with partial success." right before the passphrase prompt.
> 
> But as I understand the documentation, SSH_AUTH_PARTIAL should mean that
> additional methods of authentication are required (e.g. password,
> GSSAPI, etc).
> I only want the one method and would like it to return SUCCESS only with
> a VALID signature_state.
> Should there be another return value for ssh_auth_pubkey_callback() that
> means "IGNORE"?
> Or is there some other mechanism I am missing that would cause the
> client side to ask for the passphrase?
> 
> Thanks for any help and thank you for the awesome library!

Hi,

The client normally sends an unsigned pubkey to test if it is the valid one.
If it is, then you set the signature state to NONE and return AUTH SUCCESS.
Then the client sends it signed, you verify it and set the state to VALID and
return success.

See also http://tools.ietf.org/html/rfc4252#section-7


	-- andreas
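
The two-step exchange described in the reply above, as an added example that is not part of the original message or of libssh itself. The enums are local stand-ins named after libssh's constants so the block compiles without the library; `struct auth_ctx`, `key_is_authorized()` and the string-typed key are hypothetical simplifications.

```c
#include <string.h>

/* Local stand-ins so this compiles without libssh; the names mirror
 * libssh's SSH_AUTH_* and SSH_PUBLICKEY_STATE_* constants. */
enum { SSH_AUTH_SUCCESS = 0, SSH_AUTH_DENIED = 1 };
enum { SSH_PUBLICKEY_STATE_ERROR = -1, SSH_PUBLICKEY_STATE_NONE = 0,
       SSH_PUBLICKEY_STATE_VALID = 1, SSH_PUBLICKEY_STATE_WRONG = 2 };

/* Hypothetical per-connection state handed to the callback as userdata. */
struct auth_ctx {
    const char *allowed_user;
    const char *allowed_key;  /* constructed placeholder for the authorized key */
    int authenticated;        /* set only after a verified signature */
};

/* Hypothetical lookup; a real server would compare key objects instead. */
static int key_is_authorized(const struct auth_ctx *ctx,
                             const char *user, const char *key)
{
    return strcmp(user, ctx->allowed_user) == 0 &&
           strcmp(key, ctx->allowed_key) == 0;
}

/* Shaped like the pubkey auth callback, with the key reduced to a string. */
int auth_pubkey_cb(const char *user, const char *pubkey,
                   char signature_state, void *userdata)
{
    struct auth_ctx *ctx = userdata;

    /* Check the key on every call: a client may skip the unsigned
     * query and send a signed request straight away. */
    if (!key_is_authorized(ctx, user, pubkey))
        return SSH_AUTH_DENIED;

    switch (signature_state) {
    case SSH_PUBLICKEY_STATE_NONE:
        /* Unsigned query (RFC 4252 section 7): the key is acceptable,
         * but possession of the private key is not proven yet. */
        return SSH_AUTH_SUCCESS;
    case SSH_PUBLICKEY_STATE_VALID:
        /* Signature verified: only now is the user authenticated. */
        ctx->authenticated = 1;
        return SSH_AUTH_SUCCESS;
    default:
        /* WRONG or ERROR: never treat as authenticated. */
        return SSH_AUTH_DENIED;
    }
}
```

The application should gate channel and shell requests on `authenticated`, not on the callback having returned success once.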


