Should partial success reset ->enabled

Keno Fischer keno at juliacomputing.com
Wed Aug 10 03:04:11 AEST 2016


Hi folks,

I've been playing with SSH and was a little surprised by the OpenSSH client's
handling of partial success. In particular, I tried writing a server that does
the following:

- If none of the public keys offered by the client succeed, fall back to
  keyboard-interactive.
- During that session, we figure out if the user should have access to the
  machine and, if so, authorize their key for future accesses.

Now, I was expecting that returning a partial success message from the second
step would have the client retry publickey authentication (and since the server
authorized the user's key, that should now succeed). However, this doesn't
happen, since the client has disabled all further publickey authentication.

I was able to fix this with the following patch to input_userauth_failure:

    if (partial != 0) {
        logit("Authenticated with partial success.");
        /* reset state */
        pubkey_cleanup(authctxt);
        pubkey_prepare(authctxt);
+     authmethod_lookup("publickey")->enabled = &options.pubkey_authentication;
    }
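Review bot: the added line dereferences the result of authmethod_lookup("publickey") without checking it for NULL; "publickey" is a fixed entry in the client's method table today, so this works, but a `if (method != NULL)` guard (or a fatal() on the lookup failing) would make the intent explicit and survive a renamed table entry. The line also needs a short comment saying why `enabled` is being pointed back at `options.pubkey_authentication` (the method had cleared it once the offered identities ran out), since a reader of this block sees only pubkey_cleanup/pubkey_prepare above it and nothing that explains why the pointer needs restoring. Finally, the `+` line is indented with five spaces where the surrounding lines use the block's own indentation; match the existing style so the diff applies cleanly.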

Is there a reason that something equivalent isn't there already, or is
that simply an oversight?

Thanks,
Keno
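The behaviour described in this message can be reproduced with a small model of the client's method-selection loop. The following is an added example, not code from the original post and not OpenSSH source: the names Authmethod, enabled, authmethod_lookup, userauth and input_userauth_failure mirror the structure of sshconnect2.c, but their bodies are a simplified stand-in, and the server policy (keyboard-interactive always succeeds with partial success and authorizes the client's key, publickey only succeeds after that) is constructed for the demonstration. The reset_enabled flag applies the one-line fix proposed above.

```c
/*
 * Model of the OpenSSH client's userauth loop around a partial-success reply.
 * Added example (not OpenSSH code): names follow sshconnect2.c, bodies are a
 * stand-in; the server policy below is constructed for the demonstration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NUM_IDENTITIES 2          /* identities the client offers per round */

typedef struct Authctxt Authctxt;

typedef struct {
    const char *name;
    int (*userauth)(Authctxt *);  /* 1: request sent, 0: nothing left to send */
    int *enabled;                 /* NULL: method disabled for the session */
} Authmethod;

enum { REQ_NONE, REQ_PUBKEY, REQ_KBDINT };

struct Authctxt {
    int keys_left;        /* client: identities not yet offered this round */
    int key_authorized;   /* server (constructed): key authorized in kbd-int */
    int last_request;     /* REQ_* sent in the current round */
    const char *authlist; /* methods the server still accepts */
    int success;
    int rounds;           /* requests sent so far */
};

static int options_pubkey = 1;    /* stand-in for options.pubkey_authentication */
static int options_kbdint = 1;

static int userauth_pubkey(Authctxt *a)
{
    if (a->keys_left == 0)
        return 0;                 /* no identities left: caller disables us */
    a->keys_left--;
    a->last_request = REQ_PUBKEY;
    return 1;
}

static int userauth_kbdint(Authctxt *a)
{
    a->last_request = REQ_KBDINT;
    return 1;
}

static Authmethod methods[] = {
    { "publickey",            userauth_pubkey, &options_pubkey },
    { "keyboard-interactive", userauth_kbdint, &options_kbdint },
    { NULL, NULL, NULL }
};

static Authmethod *authmethod_lookup(const char *name)
{
    for (Authmethod *m = methods; m->name != NULL; m++)
        if (strcmp(m->name, name) == 0)
            return m;
    return NULL;
}

/* first enabled method that the server's authlist still allows */
static Authmethod *authmethod_get(const char *authlist)
{
    for (Authmethod *m = methods; m->name != NULL; m++)
        if (m->enabled != NULL && *m->enabled && strstr(authlist, m->name))
            return m;
    return NULL;
}

/* mirrors userauth(): a method that sends nothing is disabled for good */
static int userauth(Authctxt *a)
{
    for (;;) {
        Authmethod *m = authmethod_get(a->authlist);
        if (m == NULL)
            return 0;             /* "Permission denied (authlist)." */
        if (m->userauth(a) != 0) {
            a->rounds++;
            return 1;
        }
        m->enabled = NULL;        /* this is what sticks across partial success */
    }
}

/* mirrors input_userauth_failure(); reset_enabled applies the proposed fix */
static void input_userauth_failure(Authctxt *a, int partial, int reset_enabled)
{
    if (partial != 0) {
        a->keys_left = NUM_IDENTITIES;   /* pubkey_cleanup() + pubkey_prepare() */
        if (reset_enabled) {
            Authmethod *m = authmethod_lookup("publickey");
            if (m != NULL)
                m->enabled = &options_pubkey;
        }
    }
}

/* Constructed server: kbd-int -> partial success that authorizes the key and
 * leaves only publickey; publickey -> success only once the key is authorized. */
static void server_reply(Authctxt *a, int *partial)
{
    *partial = 0;
    if (a->last_request == REQ_KBDINT) {
        a->key_authorized = 1;
        a->authlist = "publickey";
        *partial = 1;
    } else if (a->last_request == REQ_PUBKEY && a->key_authorized) {
        a->success = 1;
    }
}

/* Runs one session. Returns 1 if authentication completed, 0 if the client
 * ran out of usable methods; *rounds receives the number of requests sent. */
int simulate(int reset_enabled, int *rounds)
{
    Authctxt a = {0};
    a.keys_left = NUM_IDENTITIES;
    a.authlist = "publickey,keyboard-interactive";
    methods[0].enabled = &options_pubkey;    /* fresh per-session state */
    methods[1].enabled = &options_kbdint;
    for (int i = 0; i < 10; i++) {
        int partial;
        if (!userauth(&a))
            break;
        server_reply(&a, &partial);
        if (a.success)
            break;
        input_userauth_failure(&a, partial, reset_enabled);
    }
    if (rounds != NULL)
        *rounds = a.rounds;
    return a.success;
}

int main(void)
{
    int n;
    printf("without reset: authenticated=%d after %d requests\n",
           simulate(0, &n), n);
    printf("with reset:    authenticated=%d after %d requests\n",
           simulate(1, &n), n);
    return 0;
}
```

Without the reset the session sends two publickey requests, one keyboard-interactive request, and then finds no enabled method left in the server's reduced authlist; with the reset the same session sends a fourth request, the now-authorized key, and succeeds.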

