From d4f5a0e6ab09ce96792a9ba89c44a94387e883b4 Mon Sep 17 00:00:00 2001 From: Jon Simons Date: Sat, 2 Nov 2013 01:34:46 -0700 Subject: server: fix pubkey reply for key probes Per RFC 4252, it is required to send back only one of either SSH_MSG_USERAUTH_PK_OK or SSH_MSG_USERAUTH_FAILURE for public key probes. Update the handling of 'auth_pubkey_function' to send back PK_OK instead of SSH_MSG_USERAUTH_SUCCESS for the case that the state of the message at hand is SSH_PUBLICKEY_STATE_NONE. With this change, it is now possible to process an initial key probe and then subsequent signature validation using the server callbacks. Reviewed-by: Andreas Schneider --- src/messages.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/messages.c b/src/messages.c index 73f39974..c8e0e094 100644 --- a/src/messages.c +++ b/src/messages.c @@ -120,10 +120,18 @@ static int ssh_execute_server_request(ssh_session session, ssh_message msg) msg->auth_request.username, msg->auth_request.pubkey, msg->auth_request.signature_state, session->server_callbacks->userdata); - if (rc == SSH_AUTH_SUCCESS || rc == SSH_AUTH_PARTIAL){ + if (msg->auth_request.signature_state != SSH_PUBLICKEY_STATE_NONE) { + if (rc == SSH_AUTH_SUCCESS || rc == SSH_AUTH_PARTIAL) { ssh_message_auth_reply_success(msg, rc == SSH_AUTH_PARTIAL); + } else { + ssh_message_reply_default(msg); + } } else { + if (rc == SSH_AUTH_SUCCESS) { + ssh_message_auth_reply_pk_ok_simple(msg); + } else { ssh_message_reply_default(msg); + } } return SSH_OK; -- cgit v1.2.3