Closed Kurtas closed 2 years ago
I don't understand the problem. Why not just duplicate what PuTTY is doing with regard to authentication method order, since that seems to be working for you?
The problem is that I don't know in advance where I'm connecting to, whether it is PaloAlto or Cisco or any other specific vendor. So I need to have one setting for all connections.
If I set `keyboard-interactive` in `authHandler` for PaloAlto then it breaks the connection to Cisco IOS-XR, HP Comware.
Maybe you can somehow change the default order for `authHandler`, detect that interactivity will be needed, then set `keyboard-interactive` before `password`?
I don't have any idea how PuTTY handles/detects this, but there you have to set a `username`, after that confirm the statement `Do you accept and acknowledge the statement above ? (yes/no) :` and then you have to provide the `password`.
But the `ssh2` library by default does "full authentication", meaning it sends `username` and `password`, but it fails because the statement wasn't confirmed. The statement is received after that, but it is too late.
[2021-10-02T19:14:51.945Z] Inbound: Received USERAUTH_BANNER
[2021-10-02T19:14:51.946Z] Inbound: Received USERAUTH_FAILURE (publickey,password,keyboard-interactive)
[2021-10-02T19:14:51.946Z] Client: none auth failed
[2021-10-02T19:14:51.947Z] Outbound: Sending USERAUTH_REQUEST (password)
[2021-10-02T19:14:51.982Z] Inbound: Received USERAUTH_FAILURE (publickey,password,keyboard-interactive)
### Password authentication before statement confirmation ####
[2021-10-02T19:14:51.983Z] Client: password auth failed
[2021-10-02T19:14:51.983Z] Outbound: Sending USERAUTH_REQUEST (keyboard-interactive)
[2021-10-02T19:14:52.007Z] Inbound: Received USERAUTH_INFO_REQUEST
##### Received keyboardInteractiveCallback ##########
Do you accept and acknowledge the statement above ? (yes/no) :
Seding yes
[2021-10-02T19:14:52.013Z] Outbound: Sending USERAUTH_INFO_RESPONSE
[2021-10-02T19:14:52.025Z] Inbound: Received USERAUTH_INFO_REQUEST
##### Received keyboardInteractiveCallback ##########
Password:
[2021-10-02T19:14:52.025Z] Outbound: Sending USERAUTH_INFO_RESPONSE
[2021-10-02T19:14:52.064Z] Inbound: Received USERAUTH_INFO_REQUEST
[2021-10-02T19:14:52.064Z] Client: Sending automatic USERAUTH_INFO_RESPONSE
[2021-10-02T19:14:52.064Z] Outbound: Sending USERAUTH_INFO_RESPONSE
[2021-10-02T19:14:52.072Z] Inbound: Received USERAUTH_SUCCESS
[2021-10-02T19:14:52.074Z] Outbound: Sending CHANNEL_OPEN (r:0, session)
[2021-10-02T19:14:52.075Z] Socket ended
[2021-10-02T19:14:52.077Z] Socket closed
I hope that it is clear now, but I'm not sure if you can do something with that.
There isn't anything here that can be solved by `ssh2`. I suggest using a function for `authHandler` if you want to handle authentication dynamically. Perhaps you might listen for the `'banner'` event and look for familiar keywords to detect which kind of system you're on if you want to go that route. Otherwise you will just need to get more information in one way or another about the destination server in order to properly authenticate the way it expects.
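One way to write the function-style `authHandler` suggested above, as an added example that is not code from the thread or from the ssh2 project. The `makeAuth` helper, the `ackBanner` pattern and the prompt patterns are assumptions; the handler signature and method objects follow the ssh2 v1 documentation.

```javascript
// Added example (not from the thread): builds a function-style authHandler for ssh2 v1.
// ackBanner and the prompt patterns are assumptions; adjust them to your own devices.
function makeAuth({ username, password, ackBanner = /accept and acknowledge/i }) {
  let banner = '';
  const tried = new Set();

  // Answer keyboard-interactive prompts. Unknown prompts get an empty reply so the
  // password is only sent to a prompt that actually asks for it.
  const answer = (prompts) => prompts.map(({ prompt }) => {
    if (/accept and acknowledge .*\(yes\/no\)/i.test(prompt)) return 'yes';
    if (/^\s*password\s*:/i.test(prompt)) return password;
    return '';
  });

  const methods = {
    password: { type: 'password', username, password },
    'keyboard-interactive': {
      type: 'keyboard-interactive',
      username,
      prompt: (name, instructions, lang, prompts, finish) => finish(answer(prompts)),
    },
  };

  function authHandler(methodsLeft, partialSuccess, callback) {
    // First call: methodsLeft is null. "none" makes the server list what it accepts;
    // in the debug log above the banner arrives before that reply.
    if (methodsLeft === null) { callback({ type: 'none', username }); return; }
    const order = ackBanner.test(banner)
      ? ['keyboard-interactive', 'password']
      : ['password', 'keyboard-interactive'];
    const next = order.find((m) => methodsLeft.includes(m) && !tried.has(m));
    if (next) tried.add(next);
    callback(next ? methods[next] : false); // false: no untried method left, stop
  }

  return { authHandler, onBanner: (message) => { banner += message; } };
}

// Wiring (requires the ssh2 package; host is a placeholder):
//   const auth = makeAuth({ username, password });
//   const conn = new (require('ssh2').Client)();
//   conn.on('banner', auth.onBanner);
//   conn.connect({ host, username, authHandler: auth.authHandler });
```

Use one `makeAuth` instance per connection, since it tracks the banner and the methods already tried.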
Hi @mscdex
We have a multi-vendor environment and we have several PaloAltos there, and those devices have some statement configured that has to be confirmed before authentication; see attached screenshot from PuTTY.
We're not able to log in with only `username`/`password`, even though we're listening to the `keyboard-interactive` event and sending replies to prompts. Here is a debug log:
Then I noticed the new `authHandler` option in version v1; I tried to use it in this way:
Where the `keyboardInteractiveCallback` is the same function that is listening on the `keyboard-interactive` event, and it works. Debug for that:
But if we start to use `authHandler` where we prefer `keyboard-interactive`, then we're facing a problem that we can't log in to some other vendors like Cisco IOS-XR or HP Comware. As you can see from the attached PuTTY screenshot, XR has some banner after `username` and it's stuck in the `keyboard-interactive` callback; in the end it's disconnected on timeout. The `keyboard-interactive` callback never gets any data.
HP Comware doesn't have any banner and it immediately disconnects because of `password auth failed`, but it also never gets any data to the `keyboard-interactive` callback.
I also attached debugs from XR and Comware; both have a log where `authHandler` was enabled and next is without `authHandler`.
HpComwareWithAuthHandlerDisabled.txt IosXrWithAuthHandlerDisabled.txt IosXrWithAuthHandlerEnabled.txt HpComwareWithAuthHandlerEnabled.txt