libnetconf2

Interactive auth custom implementation

Open Demiu opened this issue 2 years ago • 3 comments

The callback given to nc_server_ssh_set_interactive_auth_clb takes a ssh_message, so the prompt for interactive auth can be sent with ssh_message_auth_interactive_request.

However, there is no way to actually either send the messages and get the reply (ssh_message_get) or to read the reply (ssh_userauth_kbdint_getnanswers). Returning control to libnetconf will receive the reply, but there is no way to signal "this is neither a success nor a failure", so either the auth attempts counter will go up, or the session will be preemptively accepted.

The internal implementation of pam interactive auth (specifically the pam conversation callback - nc_pam_conv_clb) "cheats" by:

  • reading the ssh_session from the nc_session, which is not possible for 3rd party: libssh_session = clb_data->session->ti.libssh.session;
  • then sending the data and receiving the response by itself: reply = ssh_message_get(libssh_session); ssh_userauth_kbdint_getnanswers(libssh_session);

Right now, I don't think it is possible to actually implement interactive auth via the provided callback functionality.

Demiu, Aug 18 '23 11:08
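The dead end described in the post above, as an added model that is not part of the original issue and is not libnetconf2 or libssh code: every name (`kbdint_clb`, `server_step`, `run_exchange`, the `AUTH_*` values) and the secret are hypothetical. It shows what a server loop does with a prompt-only round when the callback interface has two outcomes, and what changes with a third "continue" outcome.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of a server auth loop; not libnetconf2 or libssh code. */
enum auth_result { AUTH_FAIL, AUTH_OK, AUTH_CONTINUE };
struct auth_state {
    int attempts;      /* failed-attempt counter kept by the server */
    int authenticated; /* set once the session is accepted */
    int prompted;      /* callback has already sent its prompt */
};

/* Callback: round 1 only sends the prompt, round 2 checks the answer. */
static enum auth_result kbdint_clb(struct auth_state *st, const char *ans)
{
    if (!st->prompted) {
        st->prompted = 1;
        return AUTH_CONTINUE; /* nothing to judge yet */
    }
    /* "constructed-secret" is a constructed sample value */
    return (ans && !strcmp(ans, "constructed-secret")) ? AUTH_OK : AUTH_FAIL;
}

/* Server step. prompt_as is how the interface reports a prompt-only round:
 * AUTH_OK or AUTH_FAIL for a two-outcome interface, AUTH_CONTINUE for three. */
static void server_step(struct auth_state *st, const char *ans, enum auth_result prompt_as)
{
    enum auth_result r = kbdint_clb(st, ans);
    if (r == AUTH_CONTINUE)
        r = prompt_as;
    if (r == AUTH_OK)
        st->authenticated = 1;
    else if (r == AUTH_FAIL)
        st->attempts++;
}

/* One full exchange: prompt round, then answer round if still unauthenticated. */
static struct auth_state run_exchange(const char *ans, enum auth_result prompt_as)
{
    struct auth_state st = {0, 0, 0};
    server_step(&st, NULL, prompt_as);
    if (!st.authenticated)
        server_step(&st, ans, prompt_as);
    return st;
}

int main(void)
{
    printf("accepted on prompt round: %d\n", run_exchange("wrong", AUTH_OK).authenticated);
    return 0;
}
```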

It seems you are right, the callbacks were all implemented with the same parameters. However, it will not be changed now because it would be an NBC change requiring a new SO version of the library, sorry. And since we are already working on a new version, we will include this change there.

michalvasko, Aug 18 '23 12:08

That's understandable, but couldn't just a new function be introduced and the current nc_server_ssh_set_interactive_auth_clb be marked deprecated?

Demiu, Aug 22 '23 08:08

Okay, I suppose. Please test whether the patch I prepared works as expected and you can authenticate clients, thanks.

michalvasko, Aug 22 '23 09:08