pro.webssh.net icon indicating copy to clipboard operation
pro.webssh.net copied to clipboard
verified publisher icon isontheline

Prompt for password if password not stored, even when key is also used

Open trajanmcgill opened this issue 9 months ago • 4 comments

Bug description

I notice the latest iOS release has this text:

A critical connection issue has been resolved in this release.

Previously on 29.0 release, users were unable to connect if their password was not stored within WebSSH and connection was using password instead of private key.

I believe some variant of this issue may remain. If the server is set to require both key and password, WebSSH is only successfully be able to log in if the password is stored within WebSSH. (Only tested this on the iOS version.)

Steps to reproduce

  1. Set server's sshd config to AuthenticationMethods publickey,password
  2. Store both a working private key and password in WebSSH.
  3. Attempt to connect to server. Result = success.
  4. Remove the password from WebSSH.
  5. Attempt to connect to server. Expected: User is prompted for password. Actual: "Connection Failed" with Connection_Established_But_Can_Not_Open_Session.

trajanmcgill avatar Mar 22 '25 04:03 trajanmcgill

Thank you for your feedback! 🙏 Arnaud (@isontheline) will respond within a few hours. In the meantime, please feel free to add any additional information that may help us resolve or improve WebSSH.

github-actions[bot] avatar Mar 22 '25 04:03 github-actions[bot]

Hey @trajanmcgill 👋

This is the behavior since years : WebSSH only use pkey+password authentication method if all three fields are stored : user+pkey+password

Just because I don't know if user has set or not this behavior on the server.

WebSSH needs an improvement about this auth method

isontheline avatar Mar 22 '25 11:03 isontheline

Thanks for the response! Doesn't the server prompt for a password in this case? Standard SSH, from the command line, also doesn't know what the server-side requirements are until after connecting, and then upon finding out the server requires a password, asks the user for one. And (if I read the latest release notes correctly) I believe WebSSH already handles this case where there is no key involved, where the server requires a password but not a key, and the user has not stored a password in WebSSH. The user is then prompted to enter a password, right? That seems very similar to this case, just without the key involved. Is it possible that we could see this enhancement made to WebSSH? I know password+key is not the most common authentication setup, but there are certain scenarios where this is useful.

trajanmcgill avatar Mar 22 '25 14:03 trajanmcgill

You’re right for the OpenSSH client implementation but for WebSSH my own implementation doesn’t iterate over multiple remaining auth methods 😟

A lot of code rewriting is needed, right now I prefer to state that WebSSH doesn’t support this behavior if credentials are not stored.

Hope I can work on it asap

isontheline avatar Mar 22 '25 15:03 isontheline