From f4307eb8e154bcd5717a9c46a5dffba2898c14ff Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Mon, 18 Jul 2011 18:10:46 +0000 Subject: [PATCH] Merge r9226 and r9232 (userauth messaging cleanup, fixing spurious "Access denied" from failed GSSAPI). [originally from svn r9233] [r9226 == 0b79fe0bcbfd4113e8ed413fe0c8e0bbd34ea5b2] [r9232 == 363f57396f89c69f50412b7b3a3bdce37454a1d3] --- ssh.c | 64 +++++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 22 deletions(-) diff --git a/ssh.c b/ssh.c index 017b48bf..fcb8dd96 100644 --- a/ssh.c +++ b/ssh.c @@ -7312,7 +7312,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, AUTH_TYPE_PUBLICKEY_OFFER_LOUD, AUTH_TYPE_PUBLICKEY_OFFER_QUIET, AUTH_TYPE_PASSWORD, - AUTH_TYPE_GSSAPI, + AUTH_TYPE_GSSAPI, /* always QUIET */ AUTH_TYPE_KEYBOARD_INTERACTIVE, AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET } type; @@ -7675,19 +7675,20 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, /* * We have received an unequivocal Access * Denied. This can translate to a variety of - * messages: - * - * - if we'd just tried "none" authentication, - * it's not worth printing anything at all - * - * - if we'd just tried a public key _offer_, - * the message should be "Server refused our - * key" (or no message at all if the key - * came from Pageant) - * - * - if we'd just tried anything else, the - * message really should be "Access denied". - * + * messages, or no message at all. + * + * For forms of authentication which are attempted + * implicitly, by which I mean without printing + * anything in the window indicating that we're + * trying them, we should never print 'Access + * denied'. + * + * If we do print a message saying that we're + * attempting some kind of authentication, it's OK + * to print a followup message saying it failed - + * but the message may sometimes be more specific + * than simply 'Access denied'. + * * Additionally, if we'd just tried password * authentication, we should break out of this * whole loop so as to go back to the username @@ -7700,14 +7701,31 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) { if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD) c_write_str(ssh, "Server refused our key\r\n"); - logevent("Server refused public key"); + logevent("Server refused our key"); + } else if (s->type == AUTH_TYPE_PUBLICKEY) { + /* This _shouldn't_ happen except by a + * protocol bug causing client and server to + * disagree on what is a correct signature. */ + c_write_str(ssh, "Server refused public-key signature" + " despite accepting key!\r\n"); + logevent("Server refused public-key signature" + " despite accepting key!"); } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) { - /* server declined keyboard-interactive; ignore */ - } else { + /* quiet, so no c_write */ + logevent("Server refused keyboard-interactive authentication"); + } else if (s->type==AUTH_TYPE_GSSAPI) { + /* always quiet, so no c_write */ + /* also, the code down in the GSSAPI block has + * already logged this in the Event Log */ + } else if (s->type == AUTH_TYPE_KEYBOARD_INTERACTIVE) { + logevent("Keyboard-interactive authentication failed"); + c_write_str(ssh, "Access denied\r\n"); + } else { + assert(s->type == AUTH_TYPE_PASSWORD); + logevent("Password authentication failed"); c_write_str(ssh, "Access denied\r\n"); - logevent("Access denied"); - if (s->type == AUTH_TYPE_PASSWORD && - ssh->cfg.change_username) { + + if (ssh->cfg.change_username) { /* XXX perhaps we should allow * keyboard-interactive to do this too? */ s->we_are_in = FALSE; @@ -8056,6 +8074,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, sfree(sigdata); ssh2_pkt_send(ssh, s->pktout); + logevent("Sent public key signature"); s->type = AUTH_TYPE_PUBLICKEY; key->alg->freekey(key->data); } @@ -8107,6 +8126,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, ssh2_pkt_addstring(s->pktout, s->username); ssh2_pkt_addstring(s->pktout, "ssh-connection"); ssh2_pkt_addstring(s->pktout, "gssapi-with-mic"); + logevent("Attempting GSSAPI authentication"); /* add mechanism info */ s->gsslib->indicate_mech(s->gsslib, &s->gss_buf); @@ -8270,6 +8290,8 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, ssh2_pkt_addstring(s->pktout, ""); /* lang */ ssh2_pkt_addstring(s->pktout, ""); /* submethods */ ssh2_pkt_send(ssh, s->pktout); + + logevent("Attempting keyboard-interactive authentication"); crWaitUntilV(pktin); if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) { @@ -8278,8 +8300,6 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, * user without actually issuing any prompts). * Give up on it entirely. */ s->gotit = TRUE; - if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) - logevent("Keyboard-interactive authentication refused"); s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET; s->kbd_inter_refused = TRUE; /* don't try it again */ continue; -- 2.45.2