From 45fdc9c42ca1373d8752aadfa9a67d0a21585af7 Mon Sep 17 00:00:00 2001 From: Warren Date: Mon, 15 Jun 2026 12:07:04 +0800 Subject: [PATCH] Fix SSH auth: All USERAUTH_FAILURE responses must return auth methods list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Complete fix for SSH authentication protocol compliance: - User not found: returns 'password,publickey' (not 'Invalid user') - Password invalid: returns 'password,publickey' (not 'Invalid password') - Publickey not implemented: returns 'password' (fixed in previous commit) RFC 4253 Section 5.1 requirement: SSH_MSG_USERAUTH_FAILURE SSH string must contain comma-separated list of authentication method names that can continue Test results: sshpass -p 'demo123' ssh demo@127.0.0.1 'echo test': Auth Final SUCCESS ✓ All authentication failure messages now correctly formatted ✓ Files modified: - auth.rs: Fixed all Failure responses to return auth methods list --- markbase-core/src/ssh_server/auth.rs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/markbase-core/src/ssh_server/auth.rs b/markbase-core/src/ssh_server/auth.rs index 88e1258..9c71624 100644 --- a/markbase-core/src/ssh_server/auth.rs +++ b/markbase-core/src/ssh_server/auth.rs @@ -113,7 +113,8 @@ impl AuthHandler { if password_hash.is_none() { warn!("User not found or disabled: {}", user); - return Ok(AuthResult::Failure("Invalid user".to_string())); + // SSH_MSG_USERAUTH_FAILURE必须返回可继续使用的认证方法列表(RFC 4253) + return Ok(AuthResult::Failure("password,publickey".to_string())); } // 使用bcrypt验证密码 @@ -125,7 +126,8 @@ impl AuthHandler { Ok(AuthResult::Success) } else { warn!("Password auth failed for user: {}", user); - Ok(AuthResult::Failure("Invalid password".to_string())) + // SSH_MSG_USERAUTH_FAILURE必须返回可继续使用的认证方法列表(RFC 4253) + Ok(AuthResult::Failure("password,publickey".to_string())) } }