ssh/tailssh: accept passwords and public keys

[oxtoacart]

Some clients don't request 'none' authentication. Instead, they immediately supply
a password or public key. This change allows them to do so, but ignores the supplied
credentials and authenticates using Tailscale instead.

Updates #14922

This applies #14967 to main. It's a substantially different change because main no longer uses the forked golang-x-crypto.

[bradfitz]

delete

[bradfitz]

and below

[bradfitz]

can't they call NoClientAuthCallback and then later password or PublicKeyCallback?

[awly]

when any of the callbacks returns a nil error, ssh.Server will stop the auth loop and shouldn't call any other callbacks: https://github.com/golang/crypto/blob/master/ssh/server.go#L798-L800

[awly]

oh, and if they hit the +password hack, we swap the password callback for this one:

tailscale/ssh/tailssh/tailssh.go

Lines 387 to 395 in dd7ce90

	if strings.HasSuffix(cm.User(), forcePasswordSuffix) {
	return nil, &gossh.PartialSuccessError{
	Next: gossh.ServerAuthCallbacks{
	PasswordCallback: func(_ gossh.ConnMetadata, password []byte) (*gossh.Permissions, error) {
	return &gossh.Permissions{}, nil
	},
	},
	}
	}

[oxtoacart]

So, this turned out to be a bit more complicated.

In cases where authentication succeeds, we'll only hit clientAuth() once. However, in cases where authentication fails, the client may try multiple authentication methods, for example none -> publickey -> password. Since we don't actually care about the content of the auth method, if the first method fails to authenticate, all subsequent ones will too.

What I'm doing with the new logic is tracking whether we've already attempted authentication. If so, we immediately return an error. Note that this is deliberately not a banner error, since we don't want to repeatedly signal the same failure to the client.

[oxtoacart]

See here for the controlling loop. By default, the SSH server will try authentication up to 6 times. Each time, it reads an auth request from the client and then tries to do the authentication. If it succeeds, it breaks out of the loop, and we won't get any subsequent authentication attempts.

[oxtoacart]

This behavior seems to be spec compliant. RFC4252 Section 5 says

While there is usually little point for clients to send requests that
the server does not list as acceptable, sending such requests is not
an error, and the server SHOULD simply reject requests that it does
not recognize.

Also

the client MAY at any time continue with a new
SSH_MSG_USERAUTH_REQUEST message, in which case the server MUST
abandon the previous authentication attempt and continue with the new
one.

[oxtoacart]

This tests a client that does both public key and password auth.

[oxtoacart]

Changed in order to see SSH logs during test.

[bradfitz]

log to the testing.T instead then. stderr logs are super spammy and intermingled and hard to read.

[oxtoacart]

Funnily enough, the old test never checked that the password callback was actually used. This now checks for that.

[oxtoacart]

Paramiko version is now pinned.

[awly]

IIUC, if you simply continue here, the loop will enter again and use the same initial auth value of none.
I think you need it to reach the findNext block below to update the auth method.

[oxtoacart]

Yes thanks, I've changed this quite a bit. I'm now initializing auth based on whether SkipNoneAuth is configured.

[awly]

optional: you can make this into atomic.Uint32 to make sure both passwords were attempted

[oxtoacart]

It turns out that the Go SSH client only attempts the first method of each type anyway, so I took this out.

[bradfitz]

But by even having this defined, doesn't that make us advertise it as a valid thing to try next if "none" fails? So then an SSH client can ask for or pop open a password prompt, thinking it might work since we advertised "password" as a next authentication types after the "none" failed?

[oxtoacart]

Yes, having this here means that we respond to the none auth method with both publickey and password as acceptable methods.

[oxtoacart]

In the interest of minimizing changes, I think we should take this out for now to focus just on achieving parity with 1.80, then we can revisit this question later.

[bradfitz]

Ugh. I miss our NextAuthMethodCallback. :(

[bradfitz]

Oh! We can use PartialSuccessError I think!

[oxtoacart]

That seems to have done the trick!

[bradfitz]

... is an empty PartialSuccessError (with no 'Next' authentication methods that may proceed), which results ...

and "SSH server" (since it's in prose)

... "immediately disconnecting the client without sending the 'Partial' bit on the wire"

[bradfitz]

accidental double space

[bradfitz]

kinda weird that this is "errFoo" but below you have methods that are "fooError"

Also weird that you're returning a concrete error type .... this is the classic mistake that's documented at https://go.dev/doc/faq#nil_error but I guess you're always returning a non-nil error at least, so probably okay.

[oxtoacart]

Yeah, I had made a deliberate choice to return the concrete error type to ensure that no one accidentally changes this to return a different error type, because that would break the invariant that this error should result in authentication terminating. But since I added a check in the defer() in clientAuth(), I don't need this anymore.

[oxtoacart]

Done.

[bradfitz]

delete and unindent this?

[bradfitz]

} else if finalErr != nil {

[bradfitz]

when does one use terminalError vs errDenied?

[oxtoacart]

As the doc comment for errDenied states, errDenied is returned by auth callbacks when a connection is denied by the policy. I'll rename terminalError to errUnexpected and document that it's used when encountering unexpected conditions (like being unable to send an auth banner at all).

[oxtoacart]

Comment on errUnexpected updated.

[bradfitz]

you're setting SkipNoneAuth on half the tests, but how do you control whether it starts with a password vs starts with a public key if you're setting both?

[oxtoacart]

I wasn't worrying about the order because when authentication fails, I expect both callbacks to be tried. Being explicitly would be better though.

[oxtoacart]

Done, the tests now have three passes:

• with none auth
• without none auth starting with publickey
• without none auth starting with password

[oxtoacart]

Drive-by: there was no point to returning errDenied here since we don't even have an SSH connection at this point.

[bradfitz]

error variables are named errFoo (or ErrFoo) in Go, and types are named fooError (or FooError)

So this would be errTerminal or errNoMoreAuthTypes if you want to be more explicit.

[bradfitz]

instead of "final", I think we normally use "retErr" (short for returned error). grep shows that retErr is pretty common

[bradfitz]

btw, remove the ancient // +build integrationtest from the top of this file. It's the only such old one in the tree.

[bradfitz]

Go generally uses word "want" instead of "expect" in tests