added Handler::auth_publickey_offered

Eugeny · Sep 27, 2023 · df34137 · df34137
1 parent fe3717f
commit df34137
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 4 deletions.
diff --git a/russh/src/server/encrypted.rs b/russh/src/server/encrypted.rs
@@ -407,7 +407,7 @@ impl Encrypted {
                     } else if auth_user.is_empty() {
                         auth_user.clear();
                         auth_user.push_str(user);
-                        let (h, auth) = handler.auth_publickey(user, &pubkey).await?;
+                        let (h, auth) = handler.auth_publickey_offered(user, &pubkey).await?;
                         handler = h;
                         auth == Auth::Accept
                     } else {
@@ -425,8 +425,23 @@ impl Encrypted {
                             pubkey.verify_client_auth(&buf, sig)
                         }) {
                             debug!("signature verified");
-                            server_auth_request_success(&mut self.write);
-                            self.state = EncryptedState::InitCompression;
+                            let (h, auth) = handler.auth_publickey(user, &pubkey).await?;
+                            handler = h;
+
+                            if auth == Auth::Accept {
+                                server_auth_request_success(&mut self.write);
+                                self.state = EncryptedState::InitCompression;
+                            } else {
+                                if let Auth::Reject {
+                                    proceed_with_methods: Some(proceed_with_methods),
+                                } = auth
+                                {
+                                    auth_request.methods = proceed_with_methods;
+                                }
+                                auth_request.partial_success = false;
+                                auth_user.clear();
+                                reject_auth_request(until, &mut self.write, auth_request).await;
+                            }
                         } else {
                             debug!("signature wrong");
                             reject_auth_request(until, &mut self.write, auth_request).await;
@@ -438,7 +453,7 @@ impl Encrypted {
                 } else {
                     auth_user.clear();
                     auth_user.push_str(user);
-                    let (h, auth) = handler.auth_publickey(user, &pubkey).await?;
+                    let (h, auth) = handler.auth_publickey_offered(user, &pubkey).await?;
                     handler = h;
                     match auth {
                         Auth::Accept => {

diff --git a/russh/src/server/mod.rs b/russh/src/server/mod.rs
@@ -285,6 +285,24 @@ pub trait Handler: Sized {
     /// `config.auth_rejection_time`, except if this method takes more
     /// time than that.
     #[allow(unused_variables)]
+    async fn auth_publickey_offered(
+        self,
+        user: &str,
+        public_key: &key::PublicKey,
+    ) -> Result<(Self, Auth), Self::Error> {
+        Ok((
+            self,
+            Auth::Accept,
+        ))
+    }
+
+    /// Check authentication using the "publickey" method. This method
+    /// is called after the signature has been verified and key
+    /// ownership has been confirmed.
+    /// Russh guarantees that rejection happens in constant time
+    /// `config.auth_rejection_time`, except if this method takes more
+    /// time than that.
+    #[allow(unused_variables)]
     async fn auth_publickey(
         self,
         user: &str,