Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Single authentication attempt and time out. #623

Closed
wants to merge 1 commit into from
Closed

Single authentication attempt and time out. #623

wants to merge 1 commit into from

Conversation

dbeliakov-r7
Copy link

When authenticating with a script which uses the same password every time, the consecutive attempts with the incorrect password give the same result.
This change adds a preference for a single authentication attempt. When enabled, authentication ends after the first failure and doesn't ask to retry.

Additionally, when time out is set in the session, authentication shouldn't take longer than this time out.

@norrisjeremy
Copy link
Contributor

I don't fully grasp what this change is attempting to fix: can you provide a more concrete example of what the issue is and how this solves it?

norrisjeremy
norrisjeremy suggested changes Aug 16, 2024
View reviewed changes
src/main/java/com/jcraft/jsch/UserAuthKeyboardInteractive.java Outdated
@@ -193,4 +204,9 @@ public boolean start(Session session) throws Exception {
}
// return false;
}

private boolean isMaxFailuresReached(int initial, int current) {
return Boolean.parseBoolean(JSch.getConfig("user_auth_keyboard_interactive_single_attempt"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to use session.getConfig(), not JSch.getConfig() so that it can be set on a per Session basis.

I believe you also need to add the config item to Session.applyConfig() via a Session.checkConfig() call.
See

jsch/src/main/java/com/jcraft/jsch/Session.java

Line 3207 in d064f44

checkConfig(config, "use_sftp_write_flush_workaround");
.

src/main/java/com/jcraft/jsch/UserAuthPassword.java Outdated

// Do not ask re-entering password after the first failure. Useful when authenticating
// with a script that uses the same password every time.
if (Boolean.parseBoolean(JSch.getConfig("user_auth_single_attempt"))) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to use session.getConfig(), not JSch.getConfig() so that it can be set on a per Session basis.

I believe you also need to add the config item to Session.applyConfig() via a Session.checkConfig() call.
See

jsch/src/main/java/com/jcraft/jsch/Session.java

Line 3207 in d064f44

checkConfig(config, "use_sftp_write_flush_workaround");
.

@dbeliakov-r7
Copy link
Author

Thanks for the quick reply and review 👍
So, the intent is to reduce time spent on auth by removing unnecessary steps. With the time out, I set time out to the session, but the auth could spend more time in that loop that time-out allows.

Regarding the single attempt, the example is when I use a script and it has an incorrect password I want to fail fast and don't retry because for the next attempt the script will pass the same password and the result will be same, just more time spent.

Actually, now it seems that the config option is redundant and the same could be achieved by

if (session.auth_failures >= session.max_auth_tries) {
          return false;
}

as it is done in UserAuthPassword, just need to add that to keyboard interactive and then use max_auth_retries to limit retries.

@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Aug 19, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@norrisjeremy norrisjeremy norrisjeremy requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dbeliakov-r7 @norrisjeremy