Posted to commits@mina.apache.org by lg...@apache.org on 2019/02/13 11:40:33 UTC
[mina-sshd] 01/05: [SSHD-894] Ignore subsequent authentication
requests if one was successful - as per RFC4252 section 5.1
lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
commit e00a5e662275bdf56f07ce0a9adb0f553b0dd3e7
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Tue Feb 12 12:18:47 2019 +0200
[SSHD-894] Ignore subsequent authentication requests if one was successful - as per RFC4252 section 5.1
---
.../sshd/server/session/ServerUserAuthService.java | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
index 1e45bbd..c596cf7 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
@@ -154,6 +154,26 @@ public class ServerUserAuthService extends AbstractCloseable implements Service,
ServerSession session = getServerSession();
boolean debugEnabled = log.isDebugEnabled();
if (cmd == SshConstants.SSH_MSG_USERAUTH_REQUEST) {
+ /*
+ * According to RFC4252 section 5.1:
+ *
+ *
+ * When SSH_MSG_USERAUTH_SUCCESS has been sent, any
+ * further authentication requests received after that
+ * SHOULD be silently ignored.
+ */
+ if (session.isAuthenticated()) {
+ String username = buffer.getString();
+ String service = buffer.getString();
+ String method = buffer.getString();
+
+ if (debugEnabled) {
+ log.debug("process({}) ignore user={}, service={}, method={} auth. request since session already authenticated",
+ session, username, service, method);
+ }
+ return;
+ }
+
if (WelcomeBannerPhase.FIRST_REQUEST.equals(getWelcomePhase())) {
sendWelcomeBanner(session);
}
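Review bot: The three `buffer.getString()` calls at L32–L34 are executed even when debug logging is disabled, so a malformed post-authentication USERAUTH_REQUEST would fail inside the parse instead of being silently dropped as the RFC text quoted in the comment intends, and the parse is wasted work on the common path. Since Java evaluates method arguments left to right, the reads can live entirely inside the debug branch: `if (debugEnabled) { log.debug("process({}) ignore user={}, service={}, method={} auth. request since session already authenticated", session, buffer.getString(), buffer.getString(), buffer.getString()); }`. The logged user/service/method values are client-controlled after authentication; presumably the logging setup already neutralises control characters, but that is worth confirming before shipping them to the log. The comment block at L23–L30 also carries two consecutive empty `*` lines (L25–L26), one of which should go. The enclosing `process` method begins before this hunk.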