Limit offered authentication methods

Do not offer non-enabled authentication methods to the client. This avoids unnecessary password prompts when password auth is disabled. Fixes: ContainerSSH/ContainerSSH#579
ContainerSSH · May 5, 2024 · 3858d33 · 3858d33
1 parent 1159c53
commit 3858d33
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 5 deletions.
diff --git a/internal/authintegration/handler.go b/internal/authintegration/handler.go
@@ -89,6 +89,16 @@ func (h *handler) OnNetworkConnection(meta metadata.ConnectionMetadata) (
 		authorizationProvider:            h.authorizationProvider,
 	}
 
+	if h.passwordAuthenticator != nil {
+		meta.AuthenticationMethods[metadata.AuthMethodPassword] = true
+	}
+	if h.publicKeyAuthenticator != nil {
+		meta.AuthenticationMethods[metadata.AuthMethodPubKey] = true
+	}
+	if h.keyboardInteractiveAuthenticator != nil {
+		meta.AuthenticationMethods[metadata.AuthMethodKeyboardInteractive] = true
+	}
+
 	if h.authorizationProvider != nil {
 		// We inject the authz handler before the normal authentication handler in the chain as we need the authenticated metadata the handler returns.
 		// Authentications request will first hit the authz handler which will pass it through to the authHandler, once it returns we can perform authorization.

diff --git a/internal/sshserver/serverImpl.go b/internal/sshserver/serverImpl.go
@@ -435,6 +435,11 @@ func (s *serverImpl) createKeyboardInteractiveCallback(
 	handlerNetworkConnection *networkConnectionWrapper,
 	logger log.Logger,
 ) func(conn ssh.ConnMetadata, challenge ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {
+	ok, val := connectionMetadata.AuthenticationMethods[metadata.AuthMethodKeyboardInteractive]
+	if !ok || !val {
+		return nil
+	}
+
 	keyboardInteractiveHandler := s.createKeyboardInteractiveHandler(
 		connectionMetadata,
 		handlerNetworkConnection,
@@ -474,6 +479,11 @@ func (s *serverImpl) createPubKeyCallback(
 	handlerNetworkConnection *networkConnectionWrapper,
 	logger log.Logger,
 ) func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+	ok, val := meta.AuthenticationMethods[metadata.AuthMethodPubKey]
+	if !ok || !val {
+		return nil
+	}
+
 	pubKeyHandler := s.createPubKeyAuthenticator(meta, handlerNetworkConnection, logger)
 	pubkeyCallback := func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 		permissions, authenticatedMetadata, err := pubKeyHandler(conn, key)
@@ -506,6 +516,11 @@ func (s *serverImpl) createPasswordCallback(
 	handlerNetworkConnection *networkConnectionWrapper,
 	logger log.Logger,
 ) func(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {
+	ok, val := meta.AuthenticationMethods[metadata.AuthMethodPassword]
+	if !ok || !val {
+		return nil
+	}
+
 	passwordHandler := s.createPasswordAuthenticator(meta, handlerNetworkConnection, logger)
 	passwordCallback := func(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {
 		permissions, authenticatedMetadata, err := passwordHandler(conn, password)
@@ -540,11 +555,12 @@ func (s *serverImpl) handleConnection(conn net.Conn) {
 		WithLabel("remoteAddr", addr.IP.String()).
 		WithLabel("connectionId", connectionID)
 	connectionMeta := metadata.ConnectionMetadata{
-		RemoteAddress: metadata.RemoteAddress(*addr),
-		ConnectionID:  connectionID,
-		Metadata:      map[string]metadata.Value{},
-		Environment:   map[string]metadata.Value{},
-		Files:         map[string]metadata.BinaryValue{},
+		RemoteAddress:         metadata.RemoteAddress(*addr),
+		ConnectionID:          connectionID,
+		AuthenticationMethods: map[metadata.AuthMethod]bool{},
+		Metadata:              map[string]metadata.Value{},
+		Environment:           map[string]metadata.Value{},
+		Files:                 map[string]metadata.BinaryValue{},
 	}
 
 	handlerNetworkConnection, connectionMeta, err := s.handler.OnNetworkConnection(connectionMeta)

diff --git a/metadata/connection.go b/metadata/connection.go
@@ -79,6 +79,14 @@ func (r *RemoteAddress) UnmarshalText(input []byte) error {
 	return nil
 }
 
+type AuthMethod string
+
+const (
+	AuthMethodPassword AuthMethod = "password"
+	AuthMethodPubKey AuthMethod = "publickey"
+	AuthMethodKeyboardInteractive AuthMethod = "keyboard-interactive"
+)
+
 // ConnectionMetadata holds a metadata structure passed around with a metadata. Its main purpose is to allow an
 // authentication or authorization module to configure data exposed to the configuration server or the backend.
 //
@@ -96,6 +104,10 @@ type ConnectionMetadata struct {
 	// in: body
 	ConnectionID string `json:"connectionId"`
 
+	// AuthenticationMethods are the authentication methods that can be
+	// used to authenticate this connection
+	AuthenticationMethods map[AuthMethod]bool `json:"-"`
+
 	// Metadata is a set of key-value pairs that carry additional information from the authentication and configuration
 	// system to the backends. Backends can expose this information as container labels, environment variables, or
 	// other places.