in src/common-ssh/ssh.c [286:416]
static int guac_common_ssh_authenticate(guac_common_ssh_session* common_session) {
guac_client* client = common_session->client;
guac_common_ssh_user* user = common_session->user;
LIBSSH2_SESSION* session = common_session->session;
/* Get user credentials */
guac_common_ssh_key* key = user->private_key;
char* public_key = user->public_key;
/* Validate username provided */
if (user->username == NULL) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"SSH authentication requires a username.");
return 1;
}
/* Get list of supported authentication methods */
size_t username_len = strlen(user->username);
char* user_authlist = libssh2_userauth_list(session, user->username,
username_len);
/* If auth list is NULL, then authentication has succeeded with NONE */
if (user_authlist == NULL) {
guac_client_log(client, GUAC_LOG_DEBUG,
"SSH NONE authentication succeeded.");
return 0;
}
guac_client_log(client, GUAC_LOG_DEBUG,
"Supported authentication methods: %s", user_authlist);
/* Authenticate with private key, if provided */
if (key != NULL) {
/* Check if public key auth is supported on the server */
if (strstr(user_authlist, "publickey") == NULL) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"Public key authentication is not supported by "
"the SSH server");
return 1;
}
int public_key_length = public_key == NULL ? 0 : strlen(public_key);
/* Attempt public key auth */
if (libssh2_userauth_publickey_frommemory(session, user->username,
username_len, public_key, public_key_length, key->private_key,
key->private_key_length, key->passphrase)) {
/* Abort on failure */
char* error_message;
libssh2_session_last_error(session, &error_message, NULL, 0);
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"Public key authentication failed: %s", error_message);
return 1;
}
/* Private key authentication succeeded */
return 0;
}
/* Attempt authentication with username + password. */
if (user->password == NULL && common_session->credential_handler)
user->password = common_session->credential_handler(client, "Password: ");
/* Authenticate with password, if provided */
if (user->password != NULL) {
/* Check if password auth is supported on the server */
if (strstr(user_authlist, "password") != NULL) {
/* Attempt password authentication */
if (libssh2_userauth_password(session, user->username, user->password)) {
/* Abort on failure */
char* error_message;
libssh2_session_last_error(session, &error_message, NULL, 0);
guac_client_abort(client,
GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"Password authentication failed: %s", error_message);
return 1;
}
/* Password authentication succeeded */
return 0;
}
/* Check if keyboard-interactive auth is supported on the server */
if (strstr(user_authlist, "keyboard-interactive") != NULL) {
/* Attempt keyboard-interactive auth using provided password */
if (libssh2_userauth_keyboard_interactive(session, user->username,
&guac_common_ssh_kbd_callback)) {
/* Abort on failure */
char* error_message;
libssh2_session_last_error(session, &error_message, NULL, 0);
guac_client_abort(client,
GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"Keyboard-interactive authentication failed: %s",
error_message);
return 1;
}
/* Keyboard-interactive authentication succeeded */
return 0;
}
/* No known authentication types available */
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"Password and keyboard-interactive authentication are not "
"supported by the SSH server");
return 1;
}
/* No credentials provided */
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"SSH authentication requires either a private key or a password.");
return 1;
}