Bug#1477: x2goclient doesn't prompt for password after authentication failure if server is using google-authenticator
Package: x2goclient Version: 4.1.2.2
I have installed Google Authenticator on my x2go server, and use keyboard-interactive for ssh passwords. If I mistype my password in x2goclient, it won't offer me another password prompt, but repeatedly asks for the Verification code until sshd on the server gets bored and closes the connection.
Expected behaviour: if the login is not successful, prompt for both password and verification code again.
x2goserver: Scientific Linux 7.7 - 3.10.0-1062.12.1.el7.x86_64 x2goclient: Fedora 32 - 5.6.14-300.fc32.x86_64
Cheers Toby
Hi
I've now got some debug output (from an ubuntu VM, --debug doesn't work for me on fedora). With the correct password and validation code:
x2go-DEBUG-../src/sshmasterconnection.cpp:1207> Challenge authentication requested. x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Verification code: | x2go-DEBUG-../src/sshmasterconnection.cpp:1109> Checking against known prompt #0: "Verification code:" x2go-DEBUG-../src/sshmasterconnection.cpp:1129> Verification code request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 0 x2go-DEBUG-../src/sshmasterconnection.cpp:1171> Challenge authentication OK. x2go-DEBUG-../src/sshmasterconnection.cpp:687> User authentication OK. x2go-DEBUG-../src/sshmasterconnection.cpp:1708> LOGIN CHECK:"LOGIN OK\r\n" x2go-DEBUG-../src/sshmasterconnection.cpp:1711> don't have interaction x2go-DEBUG-../src/sshmasterconnection.cpp:1744> LOOP FINISHED x2go-DEBUG-../src/sshmasterconnection.cpp:1748> No interaction needed, continue session x2go-DEBUG-../src/sshmasterconnection.cpp:702> Login Check - OK x2go-DEBUG-../src/onmainwindow.cpp:2947> SSH connection established.
But with an incorrect password, I only get repeated Verification code prompts:
x2go-DEBUG-../src/sshmasterconnection.cpp:1207> Challenge authentication requested. x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Verification code: | x2go-DEBUG-../src/sshmasterconnection.cpp:1109> Checking against known prompt #0: "Verification code:" x2go-DEBUG-../src/sshmasterconnection.cpp:1129> Verification code request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Verification code: | x2go-DEBUG-../src/sshmasterconnection.cpp:1109> Checking against known prompt #0: "Verification code:" x2go-DEBUG-../src/sshmasterconnection.cpp:1129> Verification code request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Verification code: | x2go-DEBUG-../src/sshmasterconnection.cpp:1109> Checking against known prompt #0: "Verification code:" x2go-DEBUG-../src/sshmasterconnection.cpp:1129> Verification code request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request
In fact further testing shows the same behaviour if you get either your password or verification code wrong first time - a "Verification code" loop that you can't get out of even if the password was correct and the first verification code wasn't.
On Thu, Jun 11, 2020 at 11:32 AM Toby <anothercoffee@googlemail.com> wrote:
Hi
I've now got some debug output (from an ubuntu VM, --debug doesn't work for me on fedora). With the correct password and validation code:
x2go-DEBUG-../src/sshmasterconnection.cpp:1207> Challenge authentication requested. x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Verification code: | x2go-DEBUG-../src/sshmasterconnection.cpp:1109> Checking against known prompt #0: "Verification code:" x2go-DEBUG-../src/sshmasterconnection.cpp:1129> Verification code request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 0 x2go-DEBUG-../src/sshmasterconnection.cpp:1171> Challenge authentication OK. x2go-DEBUG-../src/sshmasterconnection.cpp:687> User authentication OK. x2go-DEBUG-../src/sshmasterconnection.cpp:1708> LOGIN CHECK:"LOGIN OK\r\n" x2go-DEBUG-../src/sshmasterconnection.cpp:1711> don't have interaction x2go-DEBUG-../src/sshmasterconnection.cpp:1744> LOOP FINISHED x2go-DEBUG-../src/sshmasterconnection.cpp:1748> No interaction needed, continue session x2go-DEBUG-../src/sshmasterconnection.cpp:702> Login Check - OK x2go-DEBUG-../src/onmainwindow.cpp:2947> SSH connection established.
But with an incorrect password, I only get repeated Verification code prompts:
x2go-DEBUG-../src/sshmasterconnection.cpp:1207> Challenge authentication requested. x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Verification code: | x2go-DEBUG-../src/sshmasterconnection.cpp:1109> Checking against known prompt #0: "Verification code:" x2go-DEBUG-../src/sshmasterconnection.cpp:1129> Verification code request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Verification code: | x2go-DEBUG-../src/sshmasterconnection.cpp:1109> Checking against known prompt #0: "Verification code:" x2go-DEBUG-../src/sshmasterconnection.cpp:1129> Verification code request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Verification code: | x2go-DEBUG-../src/sshmasterconnection.cpp:1109> Checking against known prompt #0: "Verification code:" x2go-DEBUG-../src/sshmasterconnection.cpp:1129> Verification code request x2go-DEBUG-../src/sshmasterconnection.cpp:1085> Have prompts: 1 x2go-DEBUG-../src/sshmasterconnection.cpp:1089> Prompt[0]: |Password: | x2go-DEBUG-../src/sshmasterconnection.cpp:1093> Password request
I appreciate the whole ssh connection process is hairy as ****, and thinking I've got a proper fix after a couple of hours poking about looking at a single use case is naive, but the removal of one line gets the behaviour I expect: if either the password or verification code are incorrect, restart the authentication process diff --git a/src/sshmasterconnection.cpp b/src/sshmasterconnection.cpp index 667e0ef..34045de 100644 --- a/src/sshmasterconnection.cpp +++ b/src/sshmasterconnection.cpp @@ -1127,7 +1127,7 @@ bool SshMasterConnection::userChallengeAuth() if (has_challenge_auth_code_prompt) { x2goDebug<<"Verification code request"<<endl; - challengeAuthPasswordAccepted=true; + // challengeAuthPasswordAccepted=true; if(challengeAuthVerificationCode == QString::null) { keyPhraseReady=false; This also works in the case of using an ssh proxy server with google-authenticator. Cheers Toby
Can someone please incorporate this fix? Uli ---------- Forwarded message --------- From: Toby <anothercoffee@googlemail.com> Date: Thu, Jun 18, 2020 at 11:52 AM Subject: [X2Go-Dev] Bug#1477: Debug output To: <1477@bugs.x2go.org> I appreciate the whole ssh connection process is hairy as ****, and thinking I've got a proper fix after a couple of hours poking about looking at a single use case is naive, but the removal of one line gets the behaviour I expect: if either the password or verification code are incorrect, restart the authentication process diff --git a/src/sshmasterconnection.cpp b/src/sshmasterconnection.cpp index 667e0ef..34045de 100644 --- a/src/sshmasterconnection.cpp +++ b/src/sshmasterconnection.cpp @@ -1127,7 +1127,7 @@ bool SshMasterConnection::userChallengeAuth() if (has_challenge_auth_code_prompt) { x2goDebug<<"Verification code request"<<endl; - challengeAuthPasswordAccepted=true; + // challengeAuthPasswordAccepted=true; if(challengeAuthVerificationCode == QString::null) { keyPhraseReady=false; This also works in the case of using an ssh proxy server with google-authenticator. Cheers Toby _______________________________________________ x2go-dev mailing list x2go-dev@lists.x2go.org https://lists.x2go.org/listinfo/x2go-dev
Thanks for the patch. I have forwarded this to the x2go-dev list. I hope it will be integrated soon. Uli On Thu, Jun 18, 2020 at 11:52 AM Toby <anothercoffee@googlemail.com> wrote:
I appreciate the whole ssh connection process is hairy as ****, and thinking I've got a proper fix after a couple of hours poking about looking at a single use case is naive, but the removal of one line gets the behaviour I expect: if either the password or verification code are incorrect, restart the authentication process
diff --git a/src/sshmasterconnection.cpp b/src/sshmasterconnection.cpp index 667e0ef..34045de 100644 --- a/src/sshmasterconnection.cpp +++ b/src/sshmasterconnection.cpp @@ -1127,7 +1127,7 @@ bool SshMasterConnection::userChallengeAuth() if (has_challenge_auth_code_prompt) { x2goDebug<<"Verification code request"<<endl;
challengeAuthPasswordAccepted=true;
// challengeAuthPasswordAccepted=true; if(challengeAuthVerificationCode == QString::null) { keyPhraseReady=false;This also works in the case of using an ssh proxy server with google-authenticator.
Cheers Toby
x2go-dev mailing list x2go-dev@lists.x2go.org https://lists.x2go.org/listinfo/x2go-dev
-
Toby -
Ulrich Sibiller