Posted to commits@mina.apache.org by lg...@apache.org on 2019/02/13 11:40:33 UTC

[mina-sshd] 01/05: [SSHD-894] Ignore subsequent authentication requests if one was successful - as per RFC4252 section 5.1

This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit e00a5e662275bdf56f07ce0a9adb0f553b0dd3e7
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Tue Feb 12 12:18:47 2019 +0200

    [SSHD-894] Ignore subsequent authentication requests if one was successful - as per RFC4252 section 5.1
---
 .../sshd/server/session/ServerUserAuthService.java   | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
index 1e45bbd..c596cf7 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
@@ -154,6 +154,26 @@ public class ServerUserAuthService extends AbstractCloseable implements Service,
         ServerSession session = getServerSession();
         boolean debugEnabled = log.isDebugEnabled();
         if (cmd == SshConstants.SSH_MSG_USERAUTH_REQUEST) {
+            /*
+             * According to RFC4252 section 5.1:
+             *
+             *
+             *      When SSH_MSG_USERAUTH_SUCCESS has been sent, any
+             *      further authentication requests received after that
+             *      SHOULD be silently ignored.
+             */
+            if (session.isAuthenticated()) {
+                String username = buffer.getString();
+                String service = buffer.getString();
+                String method = buffer.getString();
+
+                if (debugEnabled) {
+                    log.debug("process({}) ignore user={}, service={}, method={} auth. request since session already authenticated",
+                        session, username, service, method);
+                }
+                return;
+            }
+
             if (WelcomeBannerPhase.FIRST_REQUEST.equals(getWelcomePhase())) {
                 sendWelcomeBanner(session);
             }
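Review bot: The new early-return branch under `if (session.isAuthenticated())` reads `username`, `service` and `method` from `buffer` before ignoring the request, so a truncated or otherwise malformed post-success USERAUTH_REQUEST would presumably surface as a decoding exception from `buffer.getString()` instead of being silently ignored as the quoted RFC text asks. Since those three values only feed the debug message, move the three `buffer.getString()` lines inside the `if (debugEnabled)` block ahead of the `log.debug(...)` call so the non-debug path performs no parsing at all. The RFC quote in the comment also has a doubled empty `*` line after "According to RFC4252 section 5.1:" that can be collapsed to one. The enclosing method (apparently `process`, judging by the log prefix) starts before and ends after this hunk.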