Re: server-side public key authentication
- Subject: Re: server-side public key authentication
- From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Tue, 21 Jan 2014 09:11:57 +0100
- To: libssh@xxxxxxxxxx
On Monday 20 January 2014 09:05:30 Mike Jones wrote:
> On 1/19/2014 1:00 PM, Andreas Schneider wrote:
> > On Saturday 18 January 2014 08:55:28 Mike Jones wrote:
> >> I have managed to get an SSH server working within my application thanks
> >> to this library (version 0.6.0) and the excellent example programs.
> >> It uses public key authentication but I have one unanswered mystery
> >> regarding the public key signature_state.
> >>
> >> The ssh_auth_pubkey_callback() is called with a signature_state of NONE.
> >> If I return SSH_AUTH_SUCCESS, then the client accepts this and never
> >> prompts for the private key passphrase.
> >> If I return SSH_AUTH_DENIED, then the client stops, of course.
> >> By process of elimination, I tried returning SSH_AUTH_PARTIAL.
> >> Then the client prompts for the passphrase and I get a second callback
> >> with a signature_state of VALID.
> >>
> >> So this works with only a cosmetic annoyance on the client side stating
> >> "Authenticated with partial success." right before the passphrase prompt.
> >>
> >> But as I understand the documentation, SSH_AUTH_PARTIAL should mean that
> >> additional methods of authentication are required (e.g. password,
> >> GSSAPI, etc).
> >> I only want the one method and would like it to return SUCCESS only with
> >> a VALID signature_state.
> >> Should there be another return value for ssh_auth_pubkey_callback() that
> >> means "IGNORE"?
> >> Or is there some other mechanism I am missing that would cause the
> >> client side to ask for the passphrase?
> >>
> >> Thanks for any help and thank you for the awesome library!
> >
> > Hi,
> >
> > the client normally sends an unsigned pubkey to test if it is the valid
> > one. If it is, then you set the signature state to NONE and return AUTH
> > SUCCESS. Then the client sends it signed, you verify it and set the
> > state to VALID and return success.
> >
> > See also http://tools.ietf.org/html/rfc4252#section-7
> >
> > -- andreas
>
> Well, I was working on two different systems and one of them was working
> correctly per your description but they both had the same application code.
> A little trial-and-error revealed that I had a mess of different
> versions of libssh on the one system.
> That's where I had started just prior to the final release of 0.6.0 and
> forgot to clean up first!
> So the library I was running against was either 0.5.5 or 0.6.0rc2.
> No matter, once I correctly installed 0.6.0 it behaves as expected now.
>
> Thanks for helping a libssh newbie. :)

You're welcome :)

-- 
Andreas Schneider
GPG-ID: CC014E3D
www.cryptomilk.org
asn@xxxxxxxxxxxxxx
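The two-phase pubkey flow described in the quoted reply (unsigned probe with state NONE, then the signed attempt with state VALID), written out as an added example that is not part of the thread or of libssh itself. The enum values mirror libssh's names but are defined locally so the file builds without libssh headers, handle_pubkey() is a hypothetical callback body, and the fingerprints in the table are constructed placeholders.

```c
#include <string.h>

/* Local mirrors of libssh's ssh_publickey_state_e and auth result codes
 * (assumption: defined here only so this compiles stand-alone; a real server
 * would #include <libssh/server.h> and register the callback through
 * struct ssh_server_callbacks_struct instead). */
enum { SSH_PUBLICKEY_STATE_ERROR = -1, SSH_PUBLICKEY_STATE_NONE = 0,
       SSH_PUBLICKEY_STATE_VALID = 1,  SSH_PUBLICKEY_STATE_WRONG = 2 };
enum { SSH_AUTH_SUCCESS = 0, SSH_AUTH_DENIED = 1, SSH_AUTH_PARTIAL = 2 };

/* Constructed authorized-key table: user -> key fingerprint (placeholders). */
struct authorized { const char *user; const char *fingerprint; };
static const struct authorized AUTHORIZED[] = {
    { "mike",  "SHA256:EXAMPLE-FP-AAAA" },
    { "admin", "SHA256:EXAMPLE-FP-BBBB" },
};

static int key_is_authorized(const char *user, const char *fingerprint)
{
    size_t i;
    for (i = 0; i < sizeof AUTHORIZED / sizeof AUTHORIZED[0]; i++)
        if (strcmp(AUTHORIZED[i].user, user) == 0 &&
            strcmp(AUTHORIZED[i].fingerprint, fingerprint) == 0)
            return 1;
    return 0;
}

/* What the pubkey callback should return for each signature_state.
 * Only the VALID phase grants access: SUCCESS on the NONE probe merely tells
 * the client "this key is acceptable, now sign", which is why the server
 * keeps its own *authenticated flag instead of trusting the return code. */
int handle_pubkey(const char *user, const char *fingerprint,
                  char signature_state, int *authenticated)
{
    *authenticated = 0;
    if (!key_is_authorized(user, fingerprint))
        return SSH_AUTH_DENIED;      /* unknown key: deny in either phase */
    switch (signature_state) {
    case SSH_PUBLICKEY_STATE_NONE:
        return SSH_AUTH_SUCCESS;     /* probe accepted; client must now sign */
    case SSH_PUBLICKEY_STATE_VALID:
        *authenticated = 1;          /* libssh verified the signature */
        return SSH_AUTH_SUCCESS;
    default:                         /* WRONG or ERROR: signature did not verify */
        return SSH_AUTH_DENIED;
    }
}
```

Returning SSH_AUTH_PARTIAL on the NONE probe, as the original poster tried, only works by accident: it tells the client another method is still required rather than that the key is acceptable.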