x/crypto/ssh: MaxAuthTries error log overwrite PasswordCallback error

[Vr00mm]

Hello everyone,

Go version

go version go1.23.0 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/remi/.cache/go-build'
GOENV='/home/remi/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/remi/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/remi/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.0'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/remi/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/home/remi/Projects/ssh-server/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3120568591=/tmp/go-build -gno-record-gcc-switches'

What did you do?

https://go.dev/play/p/m5It0UH5B88 (its crash cause it cant listen on a port but the code "work" as example)

Iam starting a ssh server using the configuration "MaxAuthTries" set to 1 and "PasswordCallback" set to a custom function.

What did you see happen?

If an error happen during the PasswordCallback, on server side, the PasswordCallback error is overwrited by the MaxAuthTries error:
Server Side:

remi@fimafeng:~/Projects/ssh-server2$ go run main.go
2024/09/01 00:19:43 Starting SSH server on :2222
Starting SSH server on :2222
Failed to handshake: ssh: disconnect, reason 2: too many authentication failures

Client side:

remi@fimafeng:~/Projects/ssh-server2$ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 2222 [email protected]
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
[email protected]'s password:
Received disconnect from 127.0.0.1 port 2222:2: too many authentication failures
Disconnected from 127.0.0.1 port 2222

What did you expect to see?

If i comment/remove the MaxAuthTries field from the conf, the error is displayed.
Server side:

remi@fimafeng:~/Projects/ssh-server2$ go run main.go
2024/09/01 00:52:33 Starting SSH server on :2222
Starting SSH server on :2222
Failed to handshake: [ssh: no auth passed yet, authentication request failed: Post "http://localhost:8080/auth": dial tcp 127.0.0.1:8080: connect: connection refused, authentication request failed: Post "http://localhost:8080/auth": dial tcp 127.0.0.1:8080: connect: connection refused]

Client SIde:

remi@fimafeng:~/Projects/ssh-server2$ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 2222 [email protected]
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]: Permission denied (password).

I would like, on server side, when the "MaxAuthTries" and "PasswordCallback" are set to show error from both.
(like for sshd) (here password incorrect and maxauthtries [preauth])
Server SIde:

Sep  1 00:09:56 fimafeng sshd[28465]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=testuser
Sep  1 00:09:59 fimafeng sshd[28465]: Failed password for testuser from 127.0.0.1 port 58792 ssh2
Sep  1 00:10:01 fimafeng sshd[28465]: error: maximum authentication attempts exceeded for testuser from 127.0.0.1 port 58792 ssh2 [preauth]
Sep  1 00:10:01 fimafeng sshd[28465]: Disconnecting authenticating user testuser 127.0.0.1 port 58792: Too many authentication failures [preauth]

Client SIde:

remi@fimafeng:~/Projects/ssh-server2$ ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password [email protected]
[email protected]'s password:
Received disconnect from 127.0.0.1 port 22:2: Too many authentication failures
Disconnected from 127.0.0.1 port 22

Is there a way to show logs for both when "MaxAuthTries" and "PasswordCallback" are set without breaking the design process of handshake ?
Is there a way to show logs in a live mode ? When MaxAuthTries is not set, the log appear on server side only when all attemps are done and not client try per try ?
When "MaxAuthTries" is not set and the error appear, i have an "no auth passed yet", what is this message ? Can i avoid it ?

Thanks for your time reading this issue.
Best Regards!

[gabyhelp]

Related Issues and Documentation

• x/crypto/ssh: client auth loop calls PasswordCallback after receiving disconnect msg from server #66991 (closed)
• x/crypto/ssh: wrapping ssh.KeyboardInteractive() into ssh.RetryableAuthMethod() fails to handle early auth errors with Windows OpenSSH server #67855
• x/crypto/ssh: Client Auth: handle partial success correctly when processing userAuthFailure responses #23461 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

Please don't use screenshots, they're impossible to read.

[Vr00mm]

Hello @seankhliao and thanks for your reply.

I appologize for screenshots, when it asked me what i see, i taken screenshot x)

I replaced screenshots with code block to improve visibility.

[dmitshur]

CC @drakkan.

[drakkan]

@Vr00mm please try this CL.

With the above patch you should get the following error server side:

2024/09/07 17:34:05 Failed to establish SSH connection: [ssh: no auth passed yet, authentication request failed: Post "https://localhost:8080/auth": dial tcp [::1]:8080: connect: connection refused, ssh: disconnect, reason 2: too many authentication failures]

[gopherbot]

Change https://go.dev/cl/566398 mentions this issue: ssh: return ServerAuthError after too many auth failures