Request #61760 ssh2_auth_password to support keyboard_interactive auth
Submitted: 2012-04-18 06:27 UTC
Modified: 2012-06-16 22:10 UTC
From: a dot guptagoa at gmail dot com
Assigned: langemeijer
Status: Closed
Package: ssh2 (PECL)
PHP Version: 5.3.10
OS: Unix
Private report: No
CVE-ID: None
 [2012-04-18 06:27 UTC] a dot guptagoa at gmail dot com
Description:
------------
keyboard_interactive auth not supported. The below patch will fix the issues on 
FreeBSD as well (Bug #54916).

/* Uses the function libssh2_userauth_list to fetch auth modes and if keyboard_interactive is found uses libssh2_userauth_keyboard_interactive method to fill in the response text. Changed function PHP_FUNCTION(ssh2_auth_password).*/

char *password_key = "gbVer4TG";
char *userauthlist;

static void kbd_callback(const char *name, int name_len,
        const char *instruction, int instruction_len,
        int num_prompts,
        const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,
        LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses,
        void **abstract) {

    responses[0].text = password_key;
    responses[0].length = strlen(password_key);

}

PHP_FUNCTION(ssh2_auth_password) {
    LIBSSH2_SESSION *session;
    zval *zsession;
    char *username, *password;
    int username_len, password_len;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rss", &zsession, &username, &username_len, &password, &password_len) == FAILURE) {
        RETURN_FALSE;
    }

    ZEND_FETCH_RESOURCE(session, LIBSSH2_SESSION*, &zsession, -1, PHP_SSH2_SESSION_RES_NAME, le_ssh2_session);
    userauthlist = libssh2_userauth_list(session, username, username_len);
    /* TODO: Support password change callback */
    password_key = password;
    if (strstr(userauthlist, "keyboard-interactive") != NULL) {


        if (libssh2_userauth_keyboard_interactive(session, username, &kbd_callback) == 0) {
            RETURN_TRUE;
        } else {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Authentication failed for %s using password", username);
            RETURN_FALSE;
        }
    } else {
        if (libssh2_userauth_password_ex(session, username, username_len, password_key, strlen(password_key), NULL)) {


            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Authentication failed for %s using password", username);
            RETURN_FALSE;

        }
    }

    RETURN_TRUE;
}


/* After applying this patch all the SSH auth modes are now supported by the library*/

Test Script remains the same as below.

Test script:
---------------
<?php
/* The SSH server must have keyboard_interactive login only.
To check the existing auth types we can use ssh2_auth_none, which returns an array of auth types. Without the patch, ssh2_auth_password will return failure. */
function connect() 
{

        $host = "192.168.169.100"; // to be replaced with test IP
        $port = "22";
        $username = "username";
        $password = "password";
        // Plain function, not a method: keep the session in a local variable instead of $this
        $connection = @ssh2_connect($host, $port);
        if ($connection or die("Undefined Host $host")) {
           if (!@ssh2_auth_password($connection, $username, $password)) 
           {
             // Print the auth methods the server advertises for this user
             $auth_methods = ssh2_auth_none($connection, $username);
             print_r($auth_methods);
             echo "Auth Failed";
             return 0;
           }  
           else
           {
             echo "Auth Success";
             return 1;
           }  
        } else {
            echo "Could not connect to $host on port $port.";
            return 0;
        }
}



Expected result:
----------------
Auth Success

Actual result:
--------------
Auth failed

Patches

keyboard_interactive_method (last revision 2012-06-14 15:38 UTC by langemeijer@php.net)

History

 [2012-05-18 06:32 UTC] crater600 at gmail dot com
Hi, thanks for the above fix, I was waiting for years....
The above fix works fine with..

$stream = ssh2_exec($this->connection, trim($command), FALSE);

but my problem is when I use..
 
$sftp = ssh2_sftp($this->connection);

it's not able to connect.
Please do help...
 [2012-06-14 15:38 UTC] langemeijer@php.net
The following patch has been added/updated:

Patch Name: keyboard_interactive_method
Revision:   1339688308
URL:        https://bugs.php.net/patch-display.php?bug=61760&patch=keyboard_interactive_method&revision=1339688308
 [2012-06-14 15:40 UTC] langemeijer@php.net
I created a proper patch file from the ssh2.c file uploaded by a dot guptagoa at 
gmail dot com.

I'm not sure what to do with this patch. Will come back on this later.
 [2012-06-14 19:57 UTC] langemeijer@php.net
I'm still not sure what to do. Here are my thoughts so far.

This patch implements password authentication over keyboard-interactive, which is 
not the intention of the keyboard-interactive authentication system.

The emphasis with keyboard-interactive is on interactive. OpenSSH calls it 
Challenge-Response authentication which is a far better name for it. Its purpose 
is to present the client with an 'instruction' on which the user forms a 
'response'. You can imagine this could be implemented by using a TAN list and a 
keyboard, but also with a smartcard device.

For keyboard-interactive authentication to be fully implemented, we would need to 
implement a callback function. Your patch does not implement that. Your statement 
"After applying this patch all the SSH auth modes are now supported by the 
library" is therefore not entirely true.

We need a ssh2_auth_keyboard_interactive() function to be implemented.

Still, I can see that trying keyboard-interactive to send the password in the 
ssh2_auth_password() function could still be useful. From the bug reports it seems 
that FreeBSD's OpenSSH is configured to allow for such a setup, and denies normal 
password authentication.

I'm not sure if I want it to be default behaviour of the ssh2_auth_password() 
function though. At least there should be a parameter to switch it off.

Please feel free to share your thoughts on this.
 [2012-06-15 01:45 UTC] a dot guptagoa at gmail dot com
Hi,

The following call to the LIBSSH2 API:-
libssh2_userauth_keyboard_interactive(session, username, &kbd_callback)

and kbd_callback
static void kbd_callback(const char *name, int name_len,
        const char *instruction, int instruction_len,
        int num_prompts,
        const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,
        LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses,
        void **abstract)

will take care of the Keyboard authentication. The purpose of the patch was to authenticate such connections without the user being bothered to know what mode the SSH2 server supports.

The patch checks whether keyboard_authentication is available in the negotiation list and utilizes the LIBSSH2 APIs.

Regards
 [2012-06-16 22:06 UTC] langemeijer@php.net
Automatic comment from SVN on behalf of langemeijer
Revision: http://svn.php.net/viewvc/?view=revision&revision=326198
Log: Added keyboard-interactive to ssh2_auth_password() - closes bug #61760 and bug #54916
 [2012-06-16 22:10 UTC] langemeijer@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: langemeijer
 [2012-06-16 22:10 UTC] langemeijer@php.net
There were a number of things wrong with the patch you supplied.
- Normal password authentication was not tried if keyboard-interactive was 
available but failed.
- It caused segfault because of a missing strdup()

See the svn commit for my take on it.
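
The two defects listed in the comment above, as an added example in self-contained C; it is not the submitted patch and not the svn commit. It goes slightly beyond the thread by also making the method-list lookup NULL-safe and exact-match. Assumptions: struct kbdint_response is a stand-in mirroring the two fields of libssh2's LIBSSH2_USERAUTH_KBDINT_RESPONSE, and auth_fn, has_auth_method, fill_responses, auth_with_fallback and the stubs are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in with the same two fields as libssh2's
 * LIBSSH2_USERAUTH_KBDINT_RESPONSE, so this builds without libssh2. */
struct kbdint_response { char *text; unsigned int length; };
typedef int (*auth_fn)(void *ctx);  /* hypothetical: 0 = success, as in libssh2 */

/* Exact-token match in the comma-separated method list. A NULL list
 * (lookup failed) matches nothing instead of being passed to strstr(). */
int has_auth_method(const char *list, const char *method) {
    size_t mlen = strlen(method);
    while (list && *list) {
        size_t n = strcspn(list, ",");
        if (n == mlen && memcmp(list, method, n) == 0)
            return 1;
        list += n;
        if (*list == ',')
            list++;
    }
    return 0;
}

/* Answer every prompt with its own heap copy of the password (what strdup()
 * does); the library frees each responses[i].text after sending it.
 * Returns 0, or -1 if an allocation fails (earlier copies stay in place). */
int fill_responses(const char *password, int num_prompts,
                   struct kbdint_response *responses) {
    size_t len = strlen(password);
    for (int i = 0; i < num_prompts; i++) {
        char *copy = malloc(len + 1);
        if (copy == NULL)
            return -1;
        memcpy(copy, password, len + 1);
        responses[i].text = copy;
        responses[i].length = (unsigned int)len;
    }
    return 0;
}

/* Try keyboard-interactive only when advertised; fall back to plain
 * password authentication if it is absent or fails. */
int auth_with_fallback(const char *methods, auth_fn kbdint, auth_fn pw, void *ctx) {
    if (has_auth_method(methods, "keyboard-interactive") && kbdint(ctx) == 0)
        return 0;
    return pw(ctx);
}

/* Constructed stubs for exercising the fallback path; ctx counts calls. */
int stub_fail(void *ctx) { ++*(int *)ctx; return -1; }
int stub_ok(void *ctx)   { ++*(int *)ctx; return 0; }
```
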
 
Last updated: Mon Sep 16 03:01:28 2024 UTC