ssh: add ErrDenied as a way to indicate auth termination

Maisem Ali · iQQBot · commit 14ed1e5cf67d · 2022-08-05T04:06:32.000Z
Signed-off-by: Maisem Ali &lt;maisem@tailscale.com&gt;
diff --git a/ssh/server.go b/ssh/server.go
@@ -76,6 +76,7 @@ type ServerConfig struct {
 	// attempts to authenticate with auth method "none".
 	// NoClientAuth must also be set to true for this be used, or
 	// this func is unused.
+	// If the function returns ErrDenied, the connection is terminated.
 	NoClientAuthCallback func(ConnMetadata) (*Permissions, error)
 
 	// MaxAuthTries specifies the maximum number of authentication attempts
@@ -86,6 +87,7 @@ type ServerConfig struct {
 
 	// PasswordCallback, if non-nil, is called when a user
 	// attempts to authenticate using a password.
+	// If the function returns ErrDenied, the connection is terminated.
 	PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
 
 	// PublicKeyCallback, if non-nil, is called when a client
@@ -96,6 +98,7 @@ type ServerConfig struct {
 	// offered is in fact used to authenticate. To record any data
 	// depending on the public key, store it inside a
 	// Permissions.Extensions entry.
+	// If the function returns ErrDenied, the connection is terminated.
 	PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
 
 	// KeyboardInteractiveCallback, if non-nil, is called when
@@ -105,6 +108,7 @@ type ServerConfig struct {
 	// Challenge rounds. To avoid information leaks, the client
 	// should be presented a challenge even if the user is
 	// unknown.
+	// If the function returns ErrDenied, the connection is terminated.
 	KeyboardInteractiveCallback func(conn ConnMetadata, client KeyboardInteractiveChallenge) (*Permissions, error)
 
 	// AuthLogCallback, if non-nil, is called to log all authentication
@@ -397,12 +401,19 @@ func (l ServerAuthError) Error() string {
 	return "[" + strings.Join(errs, ", ") + "]"
 }
 
-// ErrNoAuth is the error value returned if no
-// authentication method has been passed yet. This happens as a normal
-// part of the authentication loop, since the client first tries
-// 'none' authentication to discover available methods.
-// It is returned in ServerAuthError.Errors from NewServerConn.
-var ErrNoAuth = errors.New("ssh: no auth passed yet")
+var (
+	// ErrDenied can be returned from an authentication callback to inform the
+	// client that access is denied and that no further attempt will be accepted
+	// on the connection.
+	ErrDenied = errors.New("ssh: access denied")
+
+	// ErrNoAuth is the error value returned if no
+	// authentication method has been passed yet. This happens as a normal
+	// part of the authentication loop, since the client first tries
+	// 'none' authentication to discover available methods.
+	// It is returned in ServerAuthError.Errors from NewServerConn.
+	ErrNoAuth = errors.New("ssh: no auth passed yet")
+)
 
 func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
 	sessionID := s.transport.getSessionID()
@@ -651,6 +662,15 @@ userAuthLoop:
 			break userAuthLoop
 		}
 
+		if errors.Is(authErr, ErrDenied) {
+			var failureMsg userAuthFailureMsg
+			if err := s.transport.writePacket(Marshal(failureMsg)); err != nil {
+				return nil, err
+			}
+
+			return nil, nil
+		}
+
 		authFailures++
 		if config.MaxAuthTries > 0 && authFailures >= config.MaxAuthTries {
 			// If we have hit the max attempts, don't bother sending the
