server: fix pubkey reply for key probes
Per RFC 4252, it is required to send back only one of either SSH_MSG_USERAUTH_PK_OK or SSH_MSG_USERAUTH_FAILURE for public key probes. Update the handling of 'auth_pubkey_function' to send back PK_OK instead of SSH_MSG_USERAUTH_SUCCESS for the case that the state of the message at hand is SSH_PUBLICKEY_STATE_NONE. With this change, it is now possible to process an initial key probe and then subsequent signature validation using the server callbacks. Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
родитель
ce1d73e0f0
Коммит
d4f5a0e6ab
@ -120,11 +120,19 @@ static int ssh_execute_server_request(ssh_session session, ssh_message msg)
|
||||
msg->auth_request.username, msg->auth_request.pubkey,
|
||||
msg->auth_request.signature_state,
|
||||
session->server_callbacks->userdata);
|
||||
if (msg->auth_request.signature_state != SSH_PUBLICKEY_STATE_NONE) {
|
||||
if (rc == SSH_AUTH_SUCCESS || rc == SSH_AUTH_PARTIAL) {
|
||||
ssh_message_auth_reply_success(msg, rc == SSH_AUTH_PARTIAL);
|
||||
} else {
|
||||
ssh_message_reply_default(msg);
|
||||
}
|
||||
} else {
|
||||
if (rc == SSH_AUTH_SUCCESS) {
|
||||
ssh_message_auth_reply_pk_ok_simple(msg);
|
||||
} else {
|
||||
ssh_message_reply_default(msg);
|
||||
}
|
||||
}
|
||||
|
||||
return SSH_OK;
|
||||
} else if (msg->auth_request.method == SSH_AUTH_METHOD_NONE &&
|
||||
|
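Review bot: The outer test `signature_state != SSH_PUBLICKEY_STATE_NONE` routes every non-probe state to the branch that can call `ssh_message_auth_reply_success`, so a failed signature check is rejected only if the callback inspects the state it is handed. Whether a message in SSH_PUBLICKEY_STATE_WRONG or SSH_PUBLICKEY_STATE_ERROR can reach this point is not visible in the hunk, but matching the two accepted combinations explicitly and failing everything else keeps the reply fail-closed either way. The probe branch also deserves a short comment saying that SSH_AUTH_SUCCESS there means only "this key is acceptable", so a callback must not mark the session authenticated until it sees SSH_PUBLICKEY_STATE_VALID. ssh_execute_server_request begins before this hunk and continues after it.

```c
/* … unchanged: auth_pubkey_function call and its arguments … */
if (msg->auth_request.signature_state == SSH_PUBLICKEY_STATE_VALID &&
    (rc == SSH_AUTH_SUCCESS || rc == SSH_AUTH_PARTIAL)) {
    /* Signature verified and accepted by the callback. */
    ssh_message_auth_reply_success(msg, rc == SSH_AUTH_PARTIAL);
} else if (msg->auth_request.signature_state == SSH_PUBLICKEY_STATE_NONE &&
           rc == SSH_AUTH_SUCCESS) {
    /* Key probe: the key is acceptable, nothing is authenticated yet. */
    ssh_message_auth_reply_pk_ok_simple(msg);
} else {
    /* Any other state or callback result is answered with a failure. */
    ssh_message_reply_default(msg);
}
/* … unchanged: return SSH_OK and the following else-if … */
```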