
Re: server-side public key authentication


On 1/19/2014 1:00 PM, Andreas Schneider wrote:
> On Saturday 18 January 2014 08:55:28 Mike Jones wrote:
>> I have managed to get an SSH server working within my application thanks
>> to this library (version 0.6.0) and the excellent example programs.
>> It uses public key authentication but I have one unanswered mystery
>> regarding the public key signature_state.
>>
>> The ssh_auth_pubkey_callback() is called with a signature_state of NONE.
>> If I return SSH_AUTH_SUCCESS, then the client accepts this and never
>> prompts for the private key passphrase.
>> If I return SSH_AUTH_DENIED, then the client stops, of course.
>> By process of elimination, I tried returning SSH_AUTH_PARTIAL.
>> Then the client prompts for the passphrase and I get a second callback
>> with a signature_state of VALID.
>>
>> So this works with only a cosmetic annoyance on the client side stating
>> "Authenticated with partial success." right before the passphrase prompt.
>>
>> But as I understand the documentation, SSH_AUTH_PARTIAL should mean that
>> additional methods of authentication are required (e.g. password,
>> GSSAPI, etc).
>> I only want the one method and would like it to return SUCCESS only with
>> a VALID signature_state.
>> Should there be another return value for ssh_auth_pubkey_callback() that
>> means "IGNORE"?
>> Or is there some other mechanism I am missing that would cause the
>> client side to ask for the passphrase?
>>
>> Thanks for any help and thank you for the awesome library!
> Hi,
>
> the client normally sends an unsigned pubkey to test if it is the valid one.
> If it is then, you set the signature state to NONE and return AUTH SUCCESS.
> Then the client sends it signed, you verify it and set the state to VALID and
> return success.
>
> See also http://tools.ietf.org/html/rfc4252#section-7
>
>
> 	-- andreas
>
>
>
Well, I was working on two different systems and one of them was working
correctly per your description but they both had the same application code.
A little trial-and-error revealed that I had a mess of different
versions of libssh on the one system.
That's where I had started just prior to the final release of 0.6.0 and
forgot to clean up first!
So the library I was running against was either 0.5.5 or 0.6.0rc2.
No matter, once I correctly installed 0.6.0 it behaves as expected now.

Thanks for helping a libssh newbie. :)

- Mike
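The two-step flow Andreas describes (unsigned probe with signature_state NONE, then the signed attempt with VALID), as an added example that is not part of the original thread or of libssh: a stand-alone C model of the server callback's decision logic. The enum names mirror libssh's (their values are assumed here so the file compiles without libssh), and key_is_authorized() with its fingerprint table is a constructed stand-in for the lookup real code would do with an ssh_key and ssh_key_cmp().

```c
/* Added example (not libssh's own code). Real code includes
 * <libssh/callbacks.h> and drops these local mirrors of its constants. */
#include <stdbool.h>
#include <string.h>

enum { SSH_AUTH_SUCCESS = 0, SSH_AUTH_DENIED = 1, SSH_AUTH_PARTIAL = 2 }; /* values assumed */
enum { SSH_PUBLICKEY_STATE_ERROR = -1, SSH_PUBLICKEY_STATE_NONE = 0,
       SSH_PUBLICKEY_STATE_VALID = 1, SSH_PUBLICKEY_STATE_WRONG = 2 };      /* values assumed */

/* Constructed stand-in for an authorized_keys lookup: one allowed key per user. */
struct allowed { const char *user; const char *key_fp; };
static const struct allowed ALLOWED[] = {
    { "mike", "SHA256:constructed-fingerprint-1" },
};

static bool key_is_authorized(const char *user, const char *key_fp) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(ALLOWED[i].user, user) == 0 && strcmp(ALLOWED[i].key_fp, key_fp) == 0)
            return true;
    return false;
}

/* Shape of ssh_auth_pubkey_callback: libssh calls it once for the unsigned probe
 * and once more for the signed attempt. Only the second call authenticates. */
int auth_pubkey_cb(const char *user, const char *key_fp, int signature_state,
                   bool *session_authenticated) {
    if (!key_is_authorized(user, key_fp))
        return SSH_AUTH_DENIED;   /* unknown key: deny both the probe and the signed attempt */

    switch (signature_state) {
    case SSH_PUBLICKEY_STATE_NONE:
        /* Unsigned probe (RFC 4252 section 7): SUCCESS only tells the client this key
         * would be acceptable; the library answers with USERAUTH_PK_OK and the session
         * stays unauthenticated. Returning PARTIAL here is the mistake from the thread. */
        return SSH_AUTH_SUCCESS;
    case SSH_PUBLICKEY_STATE_VALID:
        /* libssh has verified the signature over the session id: grant access now. */
        *session_authenticated = true;
        return SSH_AUTH_SUCCESS;
    default:
        /* WRONG or ERROR: the signature did not check out, never authenticate. */
        return SSH_AUTH_DENIED;
    }
}
```

The session_authenticated flag stands in for whatever the server uses to track that a login completed; in the NONE branch it must stay false.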

