-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: x/crypto/ssh: dynamic auth method selection in ServerConfig #64974
Comments
As background for @rolandshoemaker @FiloSottile et al, this is one of the patches we're carrying in our x/crypto/ssh fork and we're trying to unfork. We're flexible on the API naming/docs/promises but we'd need something dynamic here. |
cc @drakkan @golang/security |
@drakkan thanks for the CL link! The other half, which is a little unconventional, is to return a custom auth method name (one that doesn't map to existing callbacks) as a hint to the client. Ideally, I'd like the latter. It handles the "please authenticate using this URL in your browser" flow in our setup. |
It would be helpful if you could share your thoughts on linked CL, does it simplify or complicate your application code compared to the
This weekend I'll take a more in-depth look at this proposal. It seems very useful!
At first glance I also prefer a separate proposal for sending dynamic banner messages to clients from authentication callbacks. |
Left some comments on the CL, but yes: |
Change https://go.dev/cl/516355 mentions this issue: |
Correct, I'll close this proposal in favor of the other two. |
Add support for sending back partial success to the client while handling authentication in the server. This is implemented by a special error that can be returned by any of the authentication methods, which contains the authentication methods to offer next. This patch is based on CL 399075 with some minor changes and the addition of test cases. Fixes golang/go#17889 Fixes golang/go#61447 Fixes golang/go#64974 Change-Id: I05c8f913bb407d22c2e41c4cbe965e36ab4739b0
Add support for sending back partial success to the client while handling authentication in the server. This is implemented by a special error that can be returned by any of the authentication methods, which contains the authentication methods to offer next. This patch is based on CL 399075 with some minor changes and the addition of test cases. Fixes golang/go#17889 Fixes golang/go#61447 Fixes golang/go#64974 Change-Id: I05c8f913bb407d22c2e41c4cbe965e36ab4739b0
Add support for sending back partial success to the client while handling authentication in the server. This is implemented by a special error that can be returned by any of the authentication methods, which contains the authentication methods to offer next. This patch is based on CL 399075 with some minor changes and the addition of test cases. Fixes golang/go#17889 Fixes golang/go#61447 Fixes golang/go#64974 Co-authored-by: Peter Verraedt <[email protected]> Change-Id: I05c8f913bb407d22c2e41c4cbe965e36ab4739b0 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/516355 Reviewed-by: Andrew Lytvynov <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]>
Proposal Details
Today, when an auth method fails, server returns a
SSH_MSG_USERAUTH_FAILURE
with a set of possible methods that the client can attempt next. This set of methods is based on what auth callbacks are set in theServerConfig
.The proposal is to add a new callback that allows for customizing this set of auth methods per connection, based on previous errors:
An example use case: using
NoClientAuthCallback
to learn some information about the client and then selectively enable a subset of auth methods that could succeed for them.Another use case: when using an out-of-band authentication mechanism (such as an authenticated tunnel that carries the SSH connection),
NextAuthMethodCallback
can return a custom auth method name to the client, as an indication of where authentication failed.cc @bradfitz @maisem
The text was updated successfully, but these errors were encountered: