Fix davidrg#71 - keyboard interactive authentication doesn't work

Now it does!
jmalak · Sep 11, 2022 · 6c23753 · 6c23753
1 parent d53628c
commit 6c23753
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 34 deletions.
diff --git a/doc/ssh-readme.md b/doc/ssh-readme.md
@@ -25,14 +25,11 @@ automatically by C-Kermit.
   set term type linux
   set term remote utf8
   ```
-  For convenience, you can create a file called `k95custom.ini` in the same
-  directory as k95g.exe and place these commands there so that they're run
-  automatically every time you start C-Kermit.
+  For convenience, you can just uncomment these lines in the default
+  `k95custom.ini` file included in the CKW distribution so that they're run 
+  every time you start C-Kermit.
 * If you find your session disconnecting when left idle, try enabling the
   heartbeat feature with the `set ssh heartbeat-interval` command.
-* The keyboard interactive authentication method doesn't seem to work so it's 
-  disabled by default for now. See the *Supported Authentication Methods*
-  section for more details.
 * Connecting through proxy servers is not currently supported
 
 ## Differences From Kermit 95
@@ -127,14 +124,11 @@ SET SSH
 
 ## Supported Authentication Methods
 
-At this time password and public key authentication are implemented and work.
+At this time password, public key and keyboard interactive authentication are 
+implemented and work.
 
-Keyboard interactive authentication is also implemented but didn't work when
-tested against OpenSSH 8.4p1 Debian-5deb11u1. If you want to try it out anyway,
-you can enable *only* keyboard interactive authentication by entering
-`set ssh v2 auth keyb` at the kermit prompt before starting your session.
-
-If you want to enable keyboard interactive authentication alongside password
-and public key, enter `set ssh v2 auth keyb pass pub` instead.
+There is not yet support for using ssh agents or GSSAPI (Kerberos)
+authentication but as both of these are supported by the ssh backend use by
+C-Kermit support for these may appear in a future release.
 
 [^1]: https://libssh.org
diff --git a/kermit/k95/ckoshs.c b/kermit/k95/ckoshs.c
@@ -151,14 +151,7 @@ ssh_parameters_t* ssh_parameters_new(
     params->allow_pubkey_auth = TRUE;
     params->allow_kbdint_auth = TRUE;
     params->allow_gssapi_auth = TRUE;
-
-    /* TODO: Keyboard interactive authentication doesn't seem to be working at
-     *       the moment. Testing against OpenSSH 8.4p1 Debian-5deb11u1, after
-     *       answering all prompts ssh_userauth_kbdint still gives SSH_AUTH_INFO
-     *       indicating more answers are required - even though there are no
-     *       more prompts to answer.
-     **/
-    params->allow_kbdint_auth = FALSE;
+    params->allow_kbdint_auth = TRUE;
 
 
     /* If the user has supplied a list of authentication types then only those
@@ -791,6 +784,20 @@ static int kbd_interactive_authenticate(ssh_client_state_t * state, BOOL *cancel
         if (nprompts == 0) {
             debug(F100, "sshsubsys - No more prompts! Unable to continue "
                         "interrogating user.", "nprompts", nprompts);
+
+            /* Some SSH servers send an empty query at the end of the exchange
+             * for some reason. Check if the server is really sure there are
+             * more prompts... */
+
+            rc = ssh_userauth_kbdint(
+                    state->session, NULL, NULL);
+            if (rc == SSH_AUTH_INFO)
+                debug(F101, "sshsubsys - ssh_userauth_kbdint still insists "
+                            "there are more prompts than it originally "
+                            "reported. Giving up.", "", rc);
+            else debug(F101, "sshsubsys - ssh_userauth_kbdint has decided "
+                             "actually there are no more prompts. We're done. ",
+                             "", rc);
             break;
         }
 

diff --git a/kermit/k95/ckossh.c b/kermit/k95/ckossh.c
@@ -196,15 +196,8 @@ char *cksshv = "SSH support, 10.0.0,  28 July 2022";
  *            a VT220. Htop doesn't quite resume properly either - doesn't redraw
  *            the entire screen like it should which is probably the same issue
  *            just exposed differently.
- *  - TODO: Fix keyboard interactive authentication
- *          - Answering correctly results in the loop going around again with
- *            SSH_AUTH_INFO but no prompts. Returning at that point falls
- *            through to password auth and, if thats unsuccessful, disconnect.
- *            So for now keyboard interactive is disabled.
  *  - TODO: Other Settings
  *  - TODO: How do we know /command: has finished? EOF?
- *  - TODO: fix UI prompt look&feel (weird inset buttons)
- *  - TODO: Kermit subsystem (/subsystem:kermit) doesn't work
  *  - TODO: X11 Forwarding
  *  - TODO: Other forwarding
  *  - TODO: Build libssh with GSSAPI, pthreads and kerberos

diff --git a/kermit/k95/ckuus2.c b/kermit/k95/ckuus2.c
@@ -919,13 +919,12 @@ static char *hmxyssh[] = {
 "    \\v(appdata)ssh/known_hosts",
 " ",
 #endif
-"SET SSH V2 AUTHENTICATION { EXTERNAL-KEYX, GSSAPI, HOSTBASED, ",
-"    KEYBOARD-INTERACTIVE, PASSWORD, PUBKEY, SRP-GEX-SHA1 } [ ... ]",
-"  Specifies an ordered list of SSH version 2 authentication methods to",
+"SET SSH V2 AUTHENTICATION { GSSAPI,  KEYBOARD-INTERACTIVE, PASSWORD, ",
+"    PUBKEY } [ ... ]",
+"  Specifies an unordered list of SSH version 2 authentication methods to",
 "  be used when connecting to the remote host.  The default list is:",
 " ",
-"    external-keyx gssapi hostbased publickey srp-gex-sha1 publickey",
-"    keyboard-interactive password none",
+"    publickey keyboard-interactive password none",
 " ",
 "SET SSH V2 AUTO-REKEY { ON, OFF }",
 "  Specifies whether Kermit automatically issues rekeying requests",