proposal: x/crypto/ssh: expose missing none authmethod

[tg123]

no api to generate none AuthMethod
expose none to public

[ianlancetaylor]

In https://go.dev/cl/528637 the suggested API is

// None return an AuthMethod using "none" authentication defined in RFC 4252 section 5.2.
func None() AuthMethod {

[tg123]

golang/crypto#272

[hanwen]

Can you explain why you want to expose the None authmethod? TestClientAuthNone shows how to use the None auth method; it doesn't need client-side configuration.

[tg123]

@hanwen allow client side to send non-auth on their own like password or key
for example, send non after password. this is useful in special client impl

[drakkan]

@tg123 thanks for this proposal, can you please provide a real use case for this? For example a server that requires sending the none auth method after the password.

The none auth method is generally used initially just to list the authentication methods that can continue and this is what we already do in our client implementation. As you can see here, none auth is implicitly added to the configured authentication methods.

[ShimantaKB-Tunnel]

@tg123 thanks for this proposal, can you please provide a real use case for this? For example a server that requires sending the none auth method after the password.

The none auth method is generally used initially just to list the authentication methods that can continue and this is what we already do in our client implementation. As you can see here, none auth is implicitly added to the configured authentication methods.

If there a way to control the auth to 'not' perform the none auth method, if we already know the list of auth methods the server allows? If the server disallows none auth method, and also doesn't return the auth methods it allows, the auth fails with only the none auth method attempted.

[hanwen]

If there a way to control the auth to 'not' perform the none auth method

what are you trying to do? Why do you need this?

[ShimantaKB-Tunnel]

If there a way to control the auth to 'not' perform the none auth method

what are you trying to do? Why do you need this?

I am using the ssh module to connect and authenticate to an FTP server, using public key authentication method.
The server is disallowing the none auth method, and also doesn't return the auth methods it allows, so the auth fails with only the none auth method attempted.
The ssh.Dial call fails with this error, which shows that the public key auth was not even attempted
ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain

Here's the method in my application which performs the auth :

func (s TestConnectionService) authWithPublicKey(username string, key string, hostname string, hostkey string, port string, request_id string) (*sftp.Client, error) {
	err := s.testDialWithPubKeyAuth(username, key, hostname, hostkey, port, request_id)
	if err != nil {
		return &sftp.Client{}, err
	}

	hostKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(hostkey))
	if err != nil {
		s.zapLogger.Error(dto.LogMessageDTO{
			Request_id: request_id,
			Fun_name:   "authWithPublicKey",
			Class_name: "TestConnectionService",
			Err:        err,
			Message:    "Failed parsing host key",
		})
		return &sftp.Client{}, err
	}

	signer, err := ssh.ParsePrivateKey([]byte(key))
	if err != nil {
		s.zapLogger.Error(dto.LogMessageDTO{
			Request_id: request_id,
			Fun_name:   "authWithPublicKey",
			Class_name: "TestConnectionService",
			Err:        err,
			Message:    "Failed to parse private key",
		})
		return &sftp.Client{}, err
	}

	// Create custom banner callback that ignores the banner
	bannerCallback := func(message string) error {
		return nil
	}

	// Open SFTP connection
	config := &ssh.ClientConfig{
		User: username,
		Auth: []ssh.AuthMethod{
			ssh.PublicKeys(signer),
		},
		HostKeyCallback:   ssh.FixedHostKey(hostKey),
		HostKeyAlgorithms: []string{ssh.KeyAlgoRSA, ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512},
		BannerCallback:    bannerCallback,
	}

	conn, err := ssh.Dial("tcp", hostname+":"+port, config)
	if err != nil {
		s.zapLogger.Error(dto.LogMessageDTO{
			Request_id: request_id,
			Fun_name:   "authWithPublicKey",
			Class_name: "TestConnectionService",
			Err:        err,
			Message:    "Failed to dial",
		})
		return &sftp.Client{}, err
	}

	client, err := sftp.NewClient(conn)
	if err != nil {
		s.zapLogger.Error(dto.LogMessageDTO{
			Request_id: request_id,
			Fun_name:   "authWithPublicKey",
			Class_name: "TestConnectionService",
			Err:        err,
			Message:    "Failed to create SFTP client",
		})
		return &sftp.Client{}, err
	}

	return client, nil
}

Looking at the clientAuthenticate method in ssh.client_auth.go, the other auth methods passed in the config are not tried if there are no methods returned in the initial none auth attempt. Please advise if my understanding is incorrect:

// during the authentication phase the client first attempts the "none" method
	// then any untried methods suggested by the server.
	var tried []string
	var lastMethods []string

	sessionID := c.transport.getSessionID()
	for auth := AuthMethod(new(noneAuth)); auth != nil; {
		ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand, extensions)
		if err != nil {
			// We return the error later if there is no other method left to
			// try.
			ok = authFailure
		}
		if ok == authSuccess {
			// success
			return nil
		} else if ok == authFailure {
			if m := auth.method(); !contains(tried, m) {
				tried = append(tried, m)
			}
		}
		if methods == nil {
			methods = lastMethods
		}
		lastMethods = methods

		auth = nil

	findNext:
		for _, a := range config.Auth {
			candidateMethod := a.method()
			if contains(tried, candidateMethod) {
				continue
			}
			for _, meth := range methods {
				if meth == candidateMethod {
					auth = a
					break findNext
				}
			}
		}

		if auth == nil && err != nil {
			// We have an error and there are no other authentication methods to
			// try, so we return it.
			return err
		}
	}
	return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)