Any thoughts on this? I don't mind this problem too much, since the workaround is quite
simple (just ask the user to reconnect), but hey, I'm a perfectionist ;).
On Tue, Aug 9, 2016 at 1:04 PM, Keno Fischer <keno at juliacomputing.com> wrote:
> Hi folks,
>
> I've been playing with SSH and was a little surprised by OpenSSH's
> client handling of partial success. In particular, I tried writing a
> server that does the following:
>
> - If none of the public keys offered by the client succeed, fall back
> to keyboard-interactive
> - During that session, we figure out if the user should have access to
> the machine and if
> so, authorize their key for future accesses.
>
> Now, I was expecting that returning a partial success message from the
> second step would
> have the client retry publickey authentication (and since the server
> authorized the user's key
> that should now succeed). However, this doesn't happen, since the
> client has disabled all
> further publickey authentication.
>
> I was able to fix this with the following patch to input_userauth_failure:
>
> if (partial != 0) {
> logit("Authenticated with partial success.");
> /* reset state */
> pubkey_cleanup(authctxt);
> pubkey_prepare(authctxt);
> + authmethod_lookup("publickey")->enabled =
&options.pubkey_authentication;
> }
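Review bot: the added line dereferences the return value of authmethod_lookup("publickey") without a NULL check; if the lookup can fail, re-enabling the method this way crashes the client instead of falling through. Suggest guarding it, e.g. `if ((method = authmethod_lookup("publickey")) != NULL) method->enabled = &options.pubkey_authentication;`. It would also help to extend the "reset state" comment to say that the client disabled publickey once every offered key was rejected, and that this line re-enables it because a partial success means the server may now accept a key it refused earlier; without that, a reader of the final code will not know why the enabled pointer is being restored here.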
>
> Is there a reason that something equivalent isn't there already, or is
> that simply an oversight?
>
> Thanks,
> Keno
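To make the behaviour described in the thread concrete, here is a small Python model of the client's method-selection loop. It is an added example, not OpenSSH code: `ToyServer`, `AuthReply` and `authenticate` are constructed names, the server policy is the one Keno describes (keyboard-interactive authorizes the offered key and answers with partial success), and the `reenable_pubkey_on_partial` flag stands in for the effect of the patch on the method table's `enabled` pointer.

```python
from dataclasses import dataclass, field


@dataclass
class AuthReply:
    """Models USERAUTH_SUCCESS / USERAUTH_FAILURE (RFC 4252): a failure carries
    the list of methods that can continue and the partial-success flag."""
    success: bool
    partial: bool = False
    can_continue: tuple = ()


@dataclass
class ToyServer:
    """Constructed server policy from the mail: publickey succeeds only for an
    already-authorized key; keyboard-interactive authorizes the client's key
    and replies with partial success, naming publickey as the way to finish."""
    authorized_keys: set = field(default_factory=set)

    def userauth(self, method: str, key: str) -> AuthReply:
        if method == "publickey":
            if key in self.authorized_keys:
                return AuthReply(success=True)
            return AuthReply(success=False,
                             can_continue=("publickey", "keyboard-interactive"))
        if method == "keyboard-interactive":
            # The interactive check passed (assumed), so the key is now trusted.
            self.authorized_keys.add(key)
            return AuthReply(success=False, partial=True, can_continue=("publickey",))
        return AuthReply(success=False,
                         can_continue=("publickey", "keyboard-interactive"))


def authenticate(server: ToyServer, key: str,
                 reenable_pubkey_on_partial: bool, max_rounds: int = 8):
    """Client loop. Returns (authenticated, trace of attempts).

    `enabled` stands in for the Authmethod table's per-method enabled flags;
    `can_continue` is the server's most recent 'methods that can continue'.
    """
    order = ["publickey", "keyboard-interactive"]   # client preference order
    enabled = {"publickey": True, "keyboard-interactive": True}
    can_continue = tuple(order)
    trace = []
    for _ in range(max_rounds):
        choice = next((m for m in order if enabled[m] and m in can_continue), None)
        if choice is None:
            trace.append("no method left")          # "Permission denied"
            return False, trace
        reply = server.userauth(choice, key)
        if reply.success:
            trace.append(f"{choice}:ok")
            return True, trace
        trace.append(f"{choice}:{'partial' if reply.partial else 'fail'}")
        can_continue = reply.can_continue
        if choice == "publickey":
            # Every offered key was rejected: the client disables the method.
            enabled["publickey"] = False
        if reply.partial and reenable_pubkey_on_partial:
            # The patch's effect: reset pubkey state and re-enable the method
            # so the keys are offered again after a partial success.
            enabled["publickey"] = True
    trace.append("gave up")                         # bounded, so a server that
    return False, trace                             # loops on partial cannot spin us


if __name__ == "__main__":
    for patched in (False, True):
        ok, trace = authenticate(ToyServer(), "client-key", patched)
        print("patched" if patched else "stock", ok, trace)
```

With the stock behaviour the trace ends in "no method left" right after the partial success, which is the failure mode in the mail; with the re-enable step the client offers its key again and succeeds. The `max_rounds` bound is there because re-enabling publickey on every partial success would otherwise let a server that keeps answering "partial" drive the client round the loop indefinitely.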