Fix partial success not passing when using agent authentication #1215
Conversation
|
I think for behavior like this, you're better off using custom authentication handling since "partial success" could mean different things to different servers. |
|
Partial success is defined pretty clearly in RFC4252, and I believe this is how most clients handle it. Implementing a custom authHandler also won't help, because it's directly calling the tryNextAgentKey function |
|
@mscdex I'm trying to replicate the same behavior as openssh client in my vscode extension and I'm already using a custom auth handler |
| const key = curAuth.agentCtx.currentKey(); | ||
| proto.authPK(curAuth.username, key, (buf, cb) => { | ||
| curAuth.agentCtx.sign(key, buf, {}, (err, signed) => { | ||
| if (err) { | ||
| err.level = 'agent'; | ||
| this.emit('error', err); | ||
| } else { | ||
| return cb(signed); | ||
| } | ||
|
|
||
| return tryNextAgentKey(); | ||
| }); | ||
| }); |
There was a problem hiding this comment.
@lucasvbeek is this actually needed? I'm cherry picking this PR and noticed that with this USERAUTH_FAILURE gets called again, just checking for partialSuccess seems enough and I can connect successfully.
if (!partialSuccess) {
debug && debug(`Client: Agent key #${pos + 1} failed`);
return tryNextAgentKey();
}
There was a problem hiding this comment.
Looks like it should be fine with just the check, I copied the full block from USERAUTH_PK_OK to make sure I didn't miss anything. Thanks for checking
Currently the partialSuccess variable is ignored when using agent authentication, and the client skips to the next agent key. This causes connections to fail when using an agent key + a second authentication method (like 2FA using keyboard-interactive).
With this PR, the client skips to the next authentication method instead of the next agent key when receiving a partial success.