Should partial success reset ->enabled

Keno Fischer keno at
Fri Aug 19 04:10:07 AEST 2016

Any thoughts on this? I don't mind this problem too much, since the
workaround is quite
simple (just ask the user to reconnect), but hey, I'm a perfectionist ;).

On Tue, Aug 9, 2016 at 1:04 PM, Keno Fischer <keno at> wrote:
> Hi folks,
> I've been playing with SSH and was a little surprised by the OpenSSH's
> client handling of partial
> success. In particular, I tried writing a server that does the following:
> - If none of the public keys offered by the client succeed, fall back
> to keyboard-interactive
> - During that session, we figure out if the user should have access to
> the machine and if
>   so, authorize their key for future accesses.
> Now, I was expecting that returning a partial success message from the
> second step would
> have the client retry publickey authentication (and since the server
> authorized the user's key
> that should now succeed). However, this doesn't happen, since the
> client has disabled all
> further publickey authentication.
> I was able to fix this with the following patch to input_userauth_failure:
>     if (partial != 0) {
>         logit("Authenticated with partial success.");
>         /* reset state */
>         pubkey_cleanup(authctxt);
>         pubkey_prepare(authctxt);
> +     authmethod_lookup("publickey")->enabled = &options.pubkey_authentication;
>     }
> Is there a reason that something equivalent isn't there already, or is
> that simply an oversight?
> Thanks,
> Keno

More information about the openssh-unix-dev mailing list