From 34a759c05f8f6fa21226bab4967ea30f391dba1a Mon Sep 17 00:00:00 2001
From: Facundo Almeida <facundoalmeida@gmail.com>
Date: Sun, 18 May 2025 21:08:13 -0300
Subject: [PATCH] Re-query available auth methods if result for pubkey auth was
PARTIAL

Suppose the server uses pubkey authentication followed by a
keyboard-interactive authentication method (such as 2FA with Duo or
Google Authenticator). This is, roughly, what KIO does when trying to
authenticate with the server:

1. It calls `ssh_auth_list` from libssh to get the available
   authentication methods. The return value will indicate that
   `SSH_AUTH_METHOD_PUBLICKEY` is supported, but not
   `SSH_AUTH_METHOD_INTERACTIVE` (because it is not *at this point in the
   authentication process*).

2. Then it attempts to authenticate using a pubkey by calling
   `ssh_userauth_pubkey_auto`. If the pubkey is accepted, the result is
   `SSH_AUTH_PARTIAL` and not `SSH_AUTH_SUCCESS`. At this point,
   `SSH_AUTH_METHOD_INTERACTIVE` *is* supported (and required).

3. Because the set of authentication methods was not queried again, KIO
   still thinks keyboard-interactive authentication is not supported, and
   therefore it does not try this authentication method. As a result, the
   authentication process fails.

This commit fixes this issue by re-querying supported authentication
methods if the result from the pubkey authentication attempt is
`SSH_AUTH_PARTIAL`.
---
sftp/kio_sftp.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sftp/kio_sftp.cpp b/sftp/kio_sftp.cpp
index 57aca1862..b5882989d 100644
--- a/sftp/kio_sftp.cpp
+++ b/sftp/kio_sftp.cpp
@@ -888,6 +888,9 @@ Result SFTPWorker::openConnectionWithoutCloseOnError()
clearPubKeyAuthInfo();
return Result::fail(KIO::ERR_CANNOT_LOGIN, i18n("Authentication failed."));
}
+ if (rc == SSH_AUTH_PARTIAL) {
+ method = ssh_auth_list(mSession);
+ }
if (rc != SSH_AUTH_DENIED || !mPublicKeyAuthInfo || !mPublicKeyAuthInfo->isModified()) {
clearPubKeyAuthInfo();
break;
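Review bot: the new `if (rc == SSH_AUTH_PARTIAL)` block reassigns `method` with no comment, so the reason for the second `ssh_auth_list(mSession)` call lives only in the commit message. A one-line comment above the assignment, saying that the server may advertise further methods such as keyboard-interactive only after the pubkey step is accepted, would keep a later cleanup from dropping it as a redundant query. The refresh is also tied to the pubkey step alone: if any other authentication attempt in `openConnectionWithoutCloseOnError()` can return `SSH_AUTH_PARTIAL`, `method` would be stale there in the same way, so it is worth checking those paths or refreshing the list after any partial result rather than only here.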
--
GitLab