From 6c237531faf395ac9acab2cb82765eacb45784f5 Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Sun, 11 Sep 2022 20:30:45 +1200 Subject: [PATCH] Fix #71 - keyboard interactive authentication doesn't work Now it does! --- doc/ssh-readme.md | 22 ++++++++-------------- kermit/k95/ckoshs.c | 23 +++++++++++++++-------- kermit/k95/ckossh.c | 7 ------- kermit/k95/ckuus2.c | 9 ++++----- 4 files changed, 27 insertions(+), 34 deletions(-) diff --git a/doc/ssh-readme.md b/doc/ssh-readme.md index 2acd1de4..bb7bf45c 100644 --- a/doc/ssh-readme.md +++ b/doc/ssh-readme.md @@ -25,14 +25,11 @@ automatically by C-Kermit. set term type linux set term remote utf8 ``` - For convenience, you can create a file called `k95custom.ini` in the same - directory as k95g.exe and place these commands there so that they're run - automatically every time you start C-Kermit. + For convenience, you can just uncomment these lines in the default + `k95custom.ini` file included in the CKW distribution so that they're run + every time you start C-Kermit. * If you find your session disconnecting when left idle, try enabling the heartbeat feature with the `set ssh heartbeat-interval` command. -* The keyboard interactive authentication method doesn't seem to work so it's - disabled by default for now. See the *Supported Authentication Methods* - section for more details. * Connecting through proxy servers is not currently supported ## Differences From Kermit 95 @@ -127,14 +124,11 @@ SET SSH ## Supported Authentication Methods -At this time password and public key authentication are implemented and work. +At this time password, public key and keyboard interactive authentication are +implemented and work. -Keyboard interactive authentication is also implemented but didn't work when -tested against OpenSSH 8.4p1 Debian-5deb11u1. If you want to try it out anyway, -you can enable *only* keyboard interactive authentication by entering -`set ssh v2 auth keyb` at the kermit prompt before starting your session. - -If you want to enable keyboard interactive authentication alongside password -and public key, enter `set ssh v2 auth keyb pass pub` instead. +There is not yet support for using ssh agents or GSSAPI (Kerberos) +authentication but as both of these are supported by the ssh backend use by +C-Kermit support for these may appear in a future release. [^1]: https://libssh.org \ No newline at end of file diff --git a/kermit/k95/ckoshs.c b/kermit/k95/ckoshs.c index 1f6501d4..97ec0135 100644 --- a/kermit/k95/ckoshs.c +++ b/kermit/k95/ckoshs.c @@ -151,14 +151,7 @@ ssh_parameters_t* ssh_parameters_new( params->allow_pubkey_auth = TRUE; params->allow_kbdint_auth = TRUE; params->allow_gssapi_auth = TRUE; - - /* TODO: Keyboard interactive authentication doesn't seem to be working at - * the moment. Testing against OpenSSH 8.4p1 Debian-5deb11u1, after - * answering all prompts ssh_userauth_kbdint still gives SSH_AUTH_INFO - * indicating more answers are required - even though there are no - * more prompts to answer. - **/ - params->allow_kbdint_auth = FALSE; + params->allow_kbdint_auth = TRUE; /* If the user has supplied a list of authentication types then only those @@ -791,6 +784,20 @@ static int kbd_interactive_authenticate(ssh_client_state_t * state, BOOL *cancel if (nprompts == 0) { debug(F100, "sshsubsys - No more prompts! Unable to continue " "interrogating user.", "nprompts", nprompts); + + /* Some SSH servers send an empty query at the end of the exchange + * for some reason. Check if the server is really sure there are + * more prompts... */ + + rc = ssh_userauth_kbdint( + state->session, NULL, NULL); + if (rc == SSH_AUTH_INFO) + debug(F101, "sshsubsys - ssh_userauth_kbdint still insists " + "there are more prompts than it originally " + "reported. Giving up.", "", rc); + else debug(F101, "sshsubsys - ssh_userauth_kbdint has decided " + "actually there are no more prompts. We're done. ", + "", rc); break; } diff --git a/kermit/k95/ckossh.c b/kermit/k95/ckossh.c index 8dc23c81..84e48ed7 100644 --- a/kermit/k95/ckossh.c +++ b/kermit/k95/ckossh.c @@ -196,15 +196,8 @@ char *cksshv = "SSH support, 10.0.0, 28 July 2022"; * a VT220. Htop doesn't quite resume properly either - doesn't redraw * the entire screen like it should which is probably the same issue * just exposed differently. - * - TODO: Fix keyboard interactive authentication - * - Answering correctly results in the loop going around again with - * SSH_AUTH_INFO but no prompts. Returning at that point falls - * through to password auth and, if thats unsuccessful, disconnect. - * So for now keyboard interactive is disabled. * - TODO: Other Settings * - TODO: How do we know /command: has finished? EOF? - * - TODO: fix UI prompt look&feel (weird inset buttons) - * - TODO: Kermit subsystem (/subsystem:kermit) doesn't work * - TODO: X11 Forwarding * - TODO: Other forwarding * - TODO: Build libssh with GSSAPI, pthreads and kerberos diff --git a/kermit/k95/ckuus2.c b/kermit/k95/ckuus2.c index 3f087eb8..0abdb227 100644 --- a/kermit/k95/ckuus2.c +++ b/kermit/k95/ckuus2.c @@ -919,13 +919,12 @@ static char *hmxyssh[] = { " \\v(appdata)ssh/known_hosts", " ", #endif -"SET SSH V2 AUTHENTICATION { EXTERNAL-KEYX, GSSAPI, HOSTBASED, ", -" KEYBOARD-INTERACTIVE, PASSWORD, PUBKEY, SRP-GEX-SHA1 } [ ... ]", -" Specifies an ordered list of SSH version 2 authentication methods to", +"SET SSH V2 AUTHENTICATION { GSSAPI, KEYBOARD-INTERACTIVE, PASSWORD, ", +" PUBKEY } [ ... ]", +" Specifies an unordered list of SSH version 2 authentication methods to", " be used when connecting to the remote host. The default list is:", " ", -" external-keyx gssapi hostbased publickey srp-gex-sha1 publickey", -" keyboard-interactive password none", +" publickey keyboard-interactive password none", " ", "SET SSH V2 AUTO-REKEY { ON, OFF }", " Specifies whether Kermit automatically issues rekeying requests",