sftp: Fix authentication failure when pubkey + keyboard-interactive are required

How to reproduce

  1. Set up an SSH server that requires pubkey authentication followed by a keyboard-interactive authentication method (such as 2FA with Duo or Google Authenticator)
  2. Add host to ~/.ssh/config, setting an alias (say host) and indicating the pubkey to be used
  3. Open Dolphin and go to sftp://host

Expected result

Dolphin asks for a 2FA code

Observed result

The "Authentication failed" message appears on the screen

Definition of done

This is, roughly, what KIO does when trying to authenticate with the server:

  1. It calls ssh_auth_list from libssh to get the available authentication methods. The return value will indicate that SSH_AUTH_METHOD_PUBLICKEY is supported, but not SSH_AUTH_METHOD_INTERACTIVE (because it is not at this point in the authentication process).
  2. Then it attempts to authenticate using a pubkey by calling ssh_userauth_pubkey_auto. If the pubkey is accepted, the result is SSH_AUTH_PARTIAL and not SSH_AUTH_SUCCESS. At this point, SSH_AUTH_METHOD_INTERACTIVE is supported (and required).
  3. Because the set of authentication methods was not queried again, KIO still thinks keyboard-interactive authentication is not supported, and therefore it does not try this authentication method. As a result, the authentication process fails.

This change fixes this issue by re-querying the supported authentication methods if the result from the pubkey authentication attempt is SSH_AUTH_PARTIAL. Notice that this implies making an additional network call.

Notes

  1. These changes only fix two-step authentication for this specific setup (i.e. pubkey then keyboard-interactive). I think a more general fix could be made by repeating the same idea for the other methods (i.e. calling ssh_auth_list again if authentication result is SSH_AUTH_PARTIAL), but to keep this in-scope I chose to make this simple change (also this is my first contribution to KDE).
  2. This is possibly a partial fix for this bug. The bug it refers to is more general (it asks to support 2-step authentication in general), although it mentions keyboard-interactive methods specifically. I have not linked this bug directly to this merge request because I'm not sure that it is applicable, but it could be.
  3. I can provide e.g. a Docker Compose file for quickly setting up an SSH server with this configuration if deemed convenient for the verification of these changes.
Edited by Facundo Almeida
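
A stand-alone model of the flow described in the merge request, added here as an example and not code from KIO or libssh. The `mock_*` functions, `struct mock_server`, the `requery` flag and the constant values are hypothetical stand-ins for the libssh calls named above; the mock server requires pubkey followed by keyboard-interactive.

```c
#include <stdio.h>

/* Local stand-ins modelled on the libssh names in the description; the
   values are constructed for this sketch, not taken from libssh headers. */
enum { M_PUBLICKEY = 1, M_INTERACTIVE = 2 };
enum auth_rc { AUTH_SUCCESS, AUTH_DENIED, AUTH_PARTIAL };

/* Mock server state: has the pubkey step completed, and how many times
   the client asked for the method list (each one is a network call). */
struct mock_server { int pubkey_done; int list_calls; };

/* Stand-in for ssh_auth_list: only methods that can continue right now. */
static int mock_auth_list(struct mock_server *s) {
    s->list_calls++;
    return s->pubkey_done ? M_INTERACTIVE : M_PUBLICKEY;
}

/* Stand-in for ssh_userauth_pubkey_auto: key accepted, more is required. */
static enum auth_rc mock_pubkey_auto(struct mock_server *s) {
    s->pubkey_done = 1;
    return AUTH_PARTIAL;
}

/* Stand-in for the keyboard-interactive exchange (2FA code accepted). */
static enum auth_rc mock_kbdint(struct mock_server *s) {
    return s->pubkey_done ? AUTH_SUCCESS : AUTH_DENIED;
}

/* Client flow; requery=0 is the old behaviour, requery=1 the fixed one. */
static enum auth_rc authenticate(struct mock_server *s, int requery) {
    int methods = mock_auth_list(s);
    enum auth_rc rc = AUTH_DENIED;
    if (methods & M_PUBLICKEY) {
        rc = mock_pubkey_auto(s);
        if (rc == AUTH_SUCCESS) return rc;
        if (rc == AUTH_PARTIAL && requery)
            methods = mock_auth_list(s);   /* refresh the stale method set */
    }
    if (methods & M_INTERACTIVE)
        rc = mock_kbdint(s);
    /* A partial result is not a login: only full success counts. */
    return rc == AUTH_SUCCESS ? AUTH_SUCCESS : AUTH_DENIED;
}

int main(void) {
    struct mock_server a = {0, 0}, b = {0, 0};
    printf("stale list: %s\n", authenticate(&a, 0) == AUTH_SUCCESS ? "ok" : "failed");
    printf("re-queried: %s\n", authenticate(&b, 1) == AUTH_SUCCESS ? "ok" : "failed");
    printf("list calls: %d vs %d\n", a.list_calls, b.list_calls);
    return 0;
}
```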
