admin/markbase
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix SSH auth: All USERAUTH_FAILURE responses must return auth methods list
Some checks failed
Test / test (push) Has been cancelled
Details
Test / build (push) Has been cancelled
Details

Browse Source 
Complete fix for SSH authentication protocol compliance:
- User not found: returns 'password,publickey' (not 'Invalid user')
- Password invalid: returns 'password,publickey' (not 'Invalid password')
- Publickey not implemented: returns 'password' (fixed in previous commit)

RFC 4253 Section 5.1 requirement:
SSH_MSG_USERAUTH_FAILURE SSH string must contain comma-separated
list of authentication method names that can continue

Test results:
sshpass -p 'demo123' ssh demo@127.0.0.1 'echo test': Auth Final SUCCESS ✓
All authentication failure messages now correctly formatted ✓

Files modified:
- auth.rs: Fixed all Failure responses to return auth methods list
This commit is contained in:
Warren
2026-06-15 12:07:04 +08:00
parent 92669ca0e2
commit 45fdc9c42c
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
markbase-core/src/ssh_server/auth.rs
View File

@@ -113,7 +113,8 @@ impl AuthHandler {
if password_hash.is_none() { if password_hash.is_none() {
warn!("User not found or disabled: {}", user); warn!("User not found or disabled: {}", user);
return Ok(AuthResult::Failure("Invalid user".to_string())); // SSH_MSG_USERAUTH_FAILURE必须返回可继续使用的认证方法列表RFC 4253
return Ok(AuthResult::Failure("password,publickey".to_string()));
} }
// 使用bcrypt验证密码 // 使用bcrypt验证密码
@@ -125,7 +126,8 @@ impl AuthHandler {
Ok(AuthResult::Success) Ok(AuthResult::Success)
} else { } else {
warn!("Password auth failed for user: {}", user); warn!("Password auth failed for user: {}", user);
Ok(AuthResult::Failure("Invalid password".to_string())) // SSH_MSG_USERAUTH_FAILURE必须返回可继续使用的认证方法列表RFC 4253
Ok(AuthResult::Failure("password,publickey".to_string()))
} }
} }