alexcrichton/ssh2-rs

Dual Authentication Not Supported - AuthenticationMethods publickey,password

Open

#346 aberto em 29 de jan. de 2025

Ver no GitHub
 (0 comments) (0 reactions) (0 assignees)Rust (157 forks)github user discovery
enhancementhelp wanted

Métricas do repositório

Stars
 (558 stars)
Métricas de merge de PR
 (Mesclagem média 2d 22h) (2 fundiu PRs em 30d)

Description

The ssh2 crate currently does not support SSH authentication when the server enforces both public key and password authentication in the same session using:

AuthenticationMethods publickey,password

This configuration requires the client to first authenticate with a public key and then provide a password before authentication is considered successful. However, ssh2-rs only supports using one method at a time and does not allow chaining authentication methods in a single session.

Steps to Reproduce:

  1. Configure the SSH server (/etc/ssh/sshd_config) with:
PasswordAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods publickey,password

Restart the SSH service:

sudo systemctl restart ssh
  1. Attempt to authenticate using ssh2-rs with both a key and a password:
let tcp = TcpStream::connect("your.server.com:22")?;
let mut sess = Session::new().unwrap();
sess.set_tcp_stream(tcp);
sess.handshake()?;

// Public key authentication
sess.userauth_pubkey_file("your-user", None, Path::new("/path/to/private_key"), None)?; // fails here

// Password authentication
sess.userauth_password("your-user", "your-password")?;

assert!(sess.authenticated());
  1. The code fails with the error:
{ code: Session(-19), msg: "Invalid signature for supplied public key, or bad username/public key combination" }
  1. Running SSH manually on the same machine works fine:
ssh -i /path/to/private_key user@example.com

Expected Behavior:

The ssh2 crate should allow chaining authentication methods in the same session when the server enforces publickey,password.

Actual Behavior:

  • The first authentication method succeeds (userauth_pubkey_file()), but userauth_password() fails.
  • If userauth_password() is called first, userauth_pubkey_file() is never executed.
  • The crate does not provide a way to handle publickey,password authentication.

Environment:

  • ssh2 crate version: 0.10
  • Rust version: rustc 1.82.0
  • OS: Ubuntu 24.04 LTS
  • SSH Server: OpenSSH_8.9p1

Additional Context:

  • The issue is not related to key format (PEM is used and works with manual SSH).
  • The issue only occurs when publickey,password is enforced by the SSH server.

Guia do colaborador