I have to modify `x/crypto/ssh` to implement the PartialSuccess support.

https://gist.github.com/thinxer/637acd43480174fede118704f27530a6

The above gist comes with two implementations. One is to add a callback, 
another is to add a PartialSuccess error flag. The former gives more control 
to the user.

These are not perfect though. Personally I'd like to abstract the 
authentication callbacks into an interface (ServerAuthenticator), and make 
the ServerConfig make a ServerAuthenticator for each SSH connection. This 
way it would be easier to implement stateful authentication processes.

On Tuesday, November 8, 2016 at 11:12:59 PM UTC+8, Jianfei Wang wrote:
>
> I'm using the `x/crypto/ssh` package to implement a custom SSH server. 
>
> I need to do 2 factor authentication: publickey and keyboard-interactive. 
> However, it seems that I cannot make `ssh.ServerConfig` require both 
> callbacks. The SSH handshake completes when any of the callback passes.
>
> What I want is the following authentication process: first ask for a valid 
> public key, then ask for an OTP token. It seems impossible to do so with 
> x/crypto/ssh.
>
> Here's what a properly configured OpenSSH server would do:
>
> ```
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /Users/thinxer/.ssh/id_rsa
> debug1: Server accepts key: pkalg ssh-rsa blen 279
> Authenticated with partial success.
> debug1: Authentications that can continue: keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> Verification code:
> ```
>
> What I came up with is the following snippet:
>
> ```
> pubkeyAccepted := false
> config := &ssh.ServerConfig{
>     PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
>         // check the key; on success set pubkeyAccepted = true, but return an
>         // error always so the handshake does not complete on the key alone
>         return nil, errors.New("keyboard-interactive required")
>     },
>     KeyboardInteractiveCallback: func(conn ssh.ConnMetadata, client ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {
>         if !pubkeyAccepted {
>             return nil, errors.New("public key required first")
>         }
>         // proceed with keyboard challenge
>         ...
>     },
> }
> ```
>
> It works somehow. However, the client won't get an "Authenticated with 
> partial success." message with the above method.
>
> Is there any better way to implement this?
>
> Thanks!
>
>
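One way to realise the per-connection ServerAuthenticator idea from the reply above, written here as an added example rather than code from the thread or from `x/crypto/ssh`: it models the RFC 4252 userauth verdicts (success, or a failure that lists the methods that can continue together with the partial-success flag) for the publickey-then-keyboard-interactive flow described in the question. The type names ServerAuthenticator, ServerConfig, AuthResult and twoFactorAuth, the user "alice", the fingerprint and the code "123456" are all assumed or constructed for the demo; the wire protocol itself is left out.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RFC 4252 method names. A USERAUTH_FAILURE message carries the name-list of
// methods that can continue and a "partial success" boolean; this models that.
const (
	MethodPublicKey           = "publickey"
	MethodKeyboardInteractive = "keyboard-interactive"
)

// AuthResult is the server's verdict on one authentication request.
type AuthResult struct {
	Success        bool
	PartialSuccess bool     // method accepted, but more methods are still required
	CanContinue    []string // the "Authentications that can continue" name-list
}

// ServerAuthenticator (assumed name) is created once per SSH connection, so
// per-connection state such as "public key already verified" lives here.
type ServerAuthenticator interface {
	Methods() []string
	PublicKey(user, fingerprint string) (AuthResult, error)
	KeyboardInteractive(user, answer string) (AuthResult, error)
}

// ServerConfig (assumed shape) hands out a fresh authenticator per connection.
type ServerConfig struct {
	NewAuthenticator func() ServerAuthenticator
}

// twoFactorAuth requires a known public key first and a one-time code second.
type twoFactorAuth struct {
	keys     map[string]string           // user -> accepted key fingerprint
	checkOTP func(user, code string) bool // second-factor verifier
	keyUser  string                      // user whose key passed on this connection
}

func (a *twoFactorAuth) Methods() []string {
	if a.keyUser == "" {
		return []string{MethodPublicKey}
	}
	return []string{MethodKeyboardInteractive}
}

// fail reports a plain failure together with what may still continue.
func (a *twoFactorAuth) fail(reason string) (AuthResult, error) {
	return AuthResult{CanContinue: a.Methods()}, errors.New(reason)
}

func (a *twoFactorAuth) PublicKey(user, fingerprint string) (AuthResult, error) {
	if a.keyUser != "" {
		return a.fail("publickey already completed on this connection")
	}
	if want, ok := a.keys[user]; !ok || want != fingerprint {
		return a.fail("unknown public key")
	}
	a.keyUser = user
	// First factor accepted: partial success, and only the second factor may continue.
	return AuthResult{PartialSuccess: true, CanContinue: a.Methods()}, nil
}

func (a *twoFactorAuth) KeyboardInteractive(user, answer string) (AuthResult, error) {
	// The second factor is bound to the first factor on this same connection and user.
	if a.keyUser == "" || a.keyUser != user {
		return a.fail("publickey required first")
	}
	if !a.checkOTP(user, answer) {
		return a.fail("invalid verification code")
	}
	return AuthResult{Success: true}, nil
}

// newDemoConfig wires one constructed user, fingerprint and code for the demo.
func newDemoConfig() *ServerConfig {
	return &ServerConfig{NewAuthenticator: func() ServerAuthenticator {
		return &twoFactorAuth{
			keys:     map[string]string{"alice": "SHA256:constructed-fingerprint"},
			checkOTP: func(user, code string) bool { return user == "alice" && code == "123456" },
		}
	}}
}

// describe renders a verdict in the style of the OpenSSH client debug output.
func describe(r AuthResult) string {
	if r.Success {
		return "Authenticated."
	}
	s := "Authentications that can continue: " + strings.Join(r.CanContinue, ",")
	if r.PartialSuccess {
		return "Authenticated with partial success. " + s
	}
	return s
}

func main() {
	auth := newDemoConfig().NewAuthenticator()
	r, _ := auth.PublicKey("alice", "SHA256:constructed-fingerprint")
	fmt.Println(describe(r)) // partial success, keyboard-interactive can continue
	r, _ = auth.KeyboardInteractive("alice", "123456")
	fmt.Println(describe(r)) // Authenticated.
}
```

Because every connection gets its own twoFactorAuth, the "public key already verified" state cannot leak between connections the way a single shared `pubkeyAccepted` variable in the quoted workaround can, and the second factor is additionally bound to the user whose key was accepted. The checks a practitioner would want are that the first factor alone yields a partial success, that keyboard-interactive is refused both before publickey and on a fresh connection, and that a wrong code leaves the connection unauthenticated.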
