[Twisted-Python] Sending feedback on SSH authentication failures

Tom van Neerijnen twisted at tomvn.com
Thu Feb 6 17:24:00 MST 2014


SSH (and by association conch) sends feedback to users but unless you ssh
-v you won't see much of it. Sending text feedback without using the
standard auth methods might require you to move your two factor auth into
your protocol but this doesn't feel like a good idea to me. I'm relatively
new to conch and my use case is quite different to yours so if I'm wrong
and there is a way to do this I hope someone else jumps in to correct me.

I did a quick test with
http://twistedmatrix.com/documents/current/api/twisted.conch.checkers.SSHProtocolChecker.html
as my portal's checker and that lets me require both password (something
you know) and key (something you have).
My test doesn't handle "ticking" already used auth methods off the list of
authentications that can continue but I don't think it would be too hard to
get that working.
I see the following in my ssh client connection when connecting to my
server. As I said I don't tick off used methods which is why you see
"Authentications that can continue: password,publickey" instead of just
password.

$ ssh -v -p 5022 user@localhost
OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/tom/.ssh/config
....
debug1: Remote protocol version 2.0, remote software version Twisted
....
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tom/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
Authenticated with partial success.
debug1: Authentications that can continue: password,publickey
....
debug1: Next authentication method: password
user@localhost's password:
debug1: Authentication succeeded (password).
Authenticated to localhost ([127.0.0.1]:5022).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8

Hope that helps.


On Wed, Feb 5, 2014 at 12:03 AM, David Timothy Strauss <
david at davidstrauss.net> wrote:

> Is there a straightforward way to send text feedback to users when
> their authentication fails? At Pantheon, we use a custom
> implementation of IRealm. I'm hoping there's a way to send or return
> the output from there.
>
> We particularly need this because users will have various two-factor
> authentication modes configured, and a simple pass/fail for
> authentication will leave many scratching their heads.
>
> I don't see any examples of such output on the relevant documentation page
> [1].
>
> [1] https://twistedmatrix.com/documents/current/core/howto/cred.html
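
The "ticking off" described in the reply above, as an added example that is not part of the original message and is not conch's own code: a plain-Python model of the SSH_MSG_USERAUTH_FAILURE reply from RFC 4252 (the name-list of methods that can continue plus the partial-success flag), which drops a method from the list once it has passed. MultiFactorState, failure_payload and parse_failure are hypothetical names, and the attempts at the bottom are constructed.

```python
import struct

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52


def failure_payload(can_continue, partial_success):
    """Build SSH_MSG_USERAUTH_FAILURE: byte 51, name-list, boolean."""
    names = ",".join(can_continue).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + struct.pack(">I", len(names)) + names
            + bytes([1 if partial_success else 0]))


def parse_failure(payload):
    """Return (methods that can continue, partial success flag)."""
    if payload[:1] != bytes([SSH_MSG_USERAUTH_FAILURE]):
        raise ValueError("not a USERAUTH_FAILURE payload")
    (length,) = struct.unpack(">I", payload[1:5])
    names = payload[5:5 + length].decode("ascii")
    return (names.split(",") if names else []), payload[5 + length] != 0


class MultiFactorState:
    """Hypothetical per-connection record of which required methods passed."""

    def __init__(self, required=("publickey", "password")):
        self.required = tuple(required)
        self.passed = set()

    def remaining(self):
        return [m for m in self.required if m not in self.passed]

    def attempt(self, method, ok):
        """Record one attempt and return the payload the server would send."""
        progressed = ok and method in self.remaining()
        if progressed:
            self.passed.add(method)
            if not self.remaining():
                return bytes([SSH_MSG_USERAUTH_SUCCESS])
        # A method that already passed is left out of the list.
        return failure_payload(self.remaining(), progressed)


if __name__ == "__main__":
    state = MultiFactorState()
    for method, ok in [("publickey", True), ("password", False), ("password", True)]:
        reply = state.attempt(method, ok)
        print(method, ok, reply if len(reply) == 1 else parse_failure(reply))
```

With this bookkeeping the client would see "Authentications that can continue: password" after the key is accepted, and a repeated publickey attempt no longer counts as progress.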