
I am trying to connect an Objective-Git/libgit2 app over SSH to a remote running mscdex's Node ssh2 server, using key pairs.

The libgit2 app can connect to sshd on the server and implement push. It is implementing libgit2's git_cred_ssh_key_new and then git_remote_connect.

However, when the app attempts to connect to the ssh2 server, the server accepts the ssh-userauth service, but at the ssh-connection service the method type is 'none', rather than 'publickey'.

Alternatively, when I connect to the ssh2 server using git (rather than the app via libgit2), the ssh2 server accepts the ssh-connection service and implements method type 'publickey'.

So, I'm not sure where the problem lies: in the libgit2 implementation of the 'publickey' method type, or the ssh2 server falling through to method type 'none'.

Any pointers or help are greatly appreciated. Thanks.

ssh2 server (example server):

var fs = require('fs');
var crypto = require('crypto');
var buffersEqual = require('buffer-equal-constant-time');
var ssh2 = require('ssh2');
var utils = ssh2.utils;

// Public key of the user allowed to authenticate, parsed as in the ssh2 (0.x)
// example server this is based on; the path is a placeholder.
var pubKey = utils.genPublicKey(utils.parseKey(fs.readFileSync('/path/to/user.pub')));

new ssh2.Server({
  hostKeys: [fs.readFileSync('/Users/almccann/Sites/thenewpop/ssh2server/host_rsa')],
  debug: function (cfg) {
    console.log('debug', cfg);
  }
}, function(client) {
  console.log('Client connected!');
  client.on('authentication', function(ctx) {
    // The libgit2 client's first request arrives here with
    // ctx.method === 'none', no ctx.key
    if (ctx.method === 'publickey'
         && ctx.key.algo === pubKey.fulltype
         && buffersEqual(ctx.key.data, pubKey.public)) {
      if (ctx.signature) {
        // Second publickey round: verify the client's signature over the blob
        var verifier = crypto.createVerify(ctx.sigAlgo);
        verifier.update(ctx.blob);
        if (verifier.verify(pubKey.publicOrig, ctx.signature))
          ctx.accept();
        else
          ctx.reject();
      } else {
        // First publickey round: the client only asks whether this key is acceptable
        ctx.accept();
      }
    } else
      ctx.reject();
  }).on('ready', function() {
    console.log('Client authenticated!');
  }).on('end', function() {
    console.log('Client disconnected');
  });
})
.listen(22, '127.0.0.1', function() {
  console.log('Listening on port ' + this.address().port);
});
  • You should probably show relevant code to help others understand what you're talking about. Commented Apr 27, 2016 at 21:28
  • @mscdex see code samples, although this seems to be an issue at the framework / library level. Commented Apr 27, 2016 at 22:33

1 Answer

The none authentication method is basically what it sounds like: it's just an authentication method that allows clients access to the server without providing any kind of credentials or other information. That is why there is no ctx.key in that case.

Most servers will relay valid authentication methods back to the client when rejecting an authentication method, but this is not required (although some clients specifically rely on this, which is actually a bad thing). Assuming the ssh client is expecting this list, you can do something like this to signal you only accept publickey authentication:

// pubKey, buffersEqual and crypto as declared in the server above
client.on('authentication', function(ctx) {
  if (ctx.method === 'publickey'
      && ctx.key.algo === pubKey.fulltype
      && buffersEqual(ctx.key.data, pubKey.public)) {
    if (ctx.signature) {
      var verifier = crypto.createVerify(ctx.sigAlgo);
      verifier.update(ctx.blob);
      if (verifier.verify(pubKey.publicOrig, ctx.signature))
        ctx.accept();
      else
        ctx.reject();
    } else {
      ctx.accept();
    }
  } else
    // the argument is the list of methods the client may still try
    ctx.reject(['publickey']); // <==============
});

2 Comments

Okay, great, thank you @mscdex. That's interesting that you pass a list of accepted methods to reject. At the method none state, is the client effectively polling the server to see what methods it is accepting? Assuming the server handled the case none, it would then move to the highest priority type, which may be publickey?
Yes, when most clients request none they are doing so for two reasons: to be automatically authenticated with the least amount of effort (unlikely to happen for security reasons) and to find out what "actual" methods the server is allowing clients to proceed with. There is no defined/standardized order for the methods, but I would guess most clients that do use those method lists returned by the server typically start from left to right.
