author | Hans Nilsson <hans@erlang.org> | 2022-06-02 18:52:13 +0200 |
---|---|---|
committer | Hans Nilsson <hans@erlang.org> | 2022-06-08 08:46:45 +0200 |
commit | 8119b8c021c217b325d841b7ea0d8f156f389ce4 (patch) | |
tree | 1ca5cccfd340442a9fe1e72beae1dcec4f9e010d | |
parent | 937c0c57afeddac4154cf334dfb72269d73f6630 (diff) | |
ssh: Option to skip initial authentication
-rw-r--r-- | lib/ssh/src/ssh_auth.erl | 20 | ||||
-rw-r--r-- | lib/ssh/src/ssh_fsm_userauth_server.erl | 13 | ||||
-rw-r--r-- | lib/ssh/src/ssh_options.erl | 6 |
3 files changed, 30 insertions, 9 deletions
diff --git a/lib/ssh/src/ssh_auth.erl b/lib/ssh/src/ssh_auth.erl index abf9e0d18a..efd1bbbabd 100644 --- a/lib/ssh/src/ssh_auth.erl +++ b/lib/ssh/src/ssh_auth.erl @@ -272,11 +272,21 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User, handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", method = "none"}, _, - #ssh{userauth_supported_methods = Methods} = Ssh) -> - {not_authorized, {User, undefined}, - {#ssh_msg_userauth_failure{authentications = Methods, - partial_success = false}, Ssh} - }; + #ssh{userauth_supported_methods = Methods, + opts = Opts} = Ssh) -> + case ?GET_OPT(no_auth_needed, Opts) of + false -> + %% The normal case + {not_authorized, {User, undefined}, + {#ssh_msg_userauth_failure{authentications = Methods, + partial_success = false}, Ssh} + }; + true -> + %% RFC 4252 5.2 + {authorized, User, + {#ssh_msg_userauth_success{}, Ssh} + } + end; handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", diff --git a/lib/ssh/src/ssh_fsm_userauth_server.erl b/lib/ssh/src/ssh_fsm_userauth_server.erl index 77657b4d82..0d12cb43ec 100644 --- a/lib/ssh/src/ssh_fsm_userauth_server.erl +++ b/lib/ssh/src/ssh_fsm_userauth_server.erl 
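Review bot: In the added `true ->` branch of the `method = "none"` clause, `User` comes straight from the client's request and is returned as `{authorized, User, ...}` without anything having verified it, so with `no_auth_needed` set any peer can claim any user name. The comment `%% RFC 4252 5.2` does not tell a maintainer that; I would expand it to `%% RFC 4252 5.2: "none" succeeds when no authentication is needed. User is client-supplied and unverified here.` Code that later decides anything from the session's user name lies outside this hunk and was not checked, but it should not treat that name as an authenticated identity in this mode. The clause that follows continues outside the hunk.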
@@ -64,10 +64,15 @@ handle_event(internal, case {ServiceName, Ssh0#ssh.service, Method} of {"ssh-connection", "ssh-connection", "none"} -> %% Probably the very first userauth_request but we deny unauthorized login - {not_authorized, _, {Reply,Ssh}} = - ssh_auth:handle_userauth_request(Msg, Ssh0#ssh.session_id, Ssh0), - D = ssh_connection_handler:send_msg(Reply, D0#data{ssh_params = Ssh}), - {keep_state, D}; + %% However, we *may* accept unauthorized login if instructed so + case ssh_auth:handle_userauth_request(Msg, Ssh0#ssh.session_id, Ssh0) of + {not_authorized, _, {Reply,Ssh}} -> + D = ssh_connection_handler:send_msg(Reply, D0#data{ssh_params = Ssh}), + {keep_state, D}; + {authorized, User, {Reply, Ssh1}} -> + D = connected_state(Reply, Ssh1, User, Method, D0), + {next_state, {connected,server}, D, {change_callback_module,ssh_connection_handler}} + end; {"ssh-connection", "ssh-connection", Method} -> %% Userauth request with a method like "password" or so diff --git a/lib/ssh/src/ssh_options.erl b/lib/ssh/src/ssh_options.erl index 2ea1f8c8bb..817bf2e4e2 100644 --- a/lib/ssh/src/ssh_options.erl +++ b/lib/ssh/src/ssh_options.erl @@ -477,6 +477,12 @@ default(server) -> class => user_option }, + no_auth_needed => + #{default => false, + chk => fun(V) -> erlang:is_boolean(V) end, + class => user_option + }, + pk_check_user => #{default => false, chk => fun(V) -> erlang:is_boolean(V) end, |
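Review bot: The comment at the top of the `"none"` branch now contradicts itself: the kept line says unauthorized login is denied, the added line says it may be accepted, and both say "unauthorized" where the code is about unauthenticated clients. One comment would read better, for example `%% Usually the first userauth_request. "none" is refused unless no_auth_needed is set; then the client is admitted unauthenticated.` The added `{authorized, User, {Reply, Ssh1}}` clause hands the client-supplied `User` and the method "none" to `connected_state/5`, which is defined outside this hunk. If that function marks the session as authenticated, it would be worth logging that the session was admitted without credentials so operators can tell such sessions apart.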
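Review bot: `no_auth_needed` is added to `default(server)` as an ordinary `user_option` with no comment, although setting it to `true` makes the daemon answer the "none" method with success, i.e. admit every client without credentials. A comment above the entry would make that visible, e.g. `%% SECURITY: true disables user authentication for the daemon; only for servers protected by other means`. The diffstat lists only the three source files, so the option appears to arrive without a documentation entry, option type entry or test. If those are not in a follow-up commit, tests should cover at least the default `false` rejection and the `true` acceptance path. The `default(server)` map continues outside the hunk.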