[
https://issues.apache.org/jira/browse/SSHD-762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16125570#comment-16125570
]
Goldstein Lyor commented on SSHD-762:
-------------------------------------
I believe you are not using {{keyboard-interactive}} authentication the way you
should - specifically, at the server
{code:java}
@Override
public boolean authenticate(ServerSession session, String username, List<String> responses) throws Exception {
    // How to verify that the old password is correct, and then prompt to enter new password or to reject login??
    // according to RFC4256 the order of the responses is the same (!) as the order of challenges, so since your
    // code controls both of them, you know which is which...
}
{code}
If you want, you can attach the information at the session level:
{code:java}
@Override
public InteractiveChallenge generateChallenge(ServerSession session, String username, String lang, String subMethods) {
    InteractiveChallenge ic = new InteractiveChallenge();
    ic.setInteractionName("interactionName1");
    ic.setInteractionInstruction("interactionInstruction1");
    ic.setLanguageTag("en-US");
    ic.addPrompt("Old Password: ", false);
    ic.addPrompt("New Password: ", false);
    ic.addPrompt("Re-enter Password", false);
    // Remember the order of the prompts for authenticate()
    session.setAttribute(...MySpecialAttribute..., ...the order of challenges...);
    return ic;
}

@Override
public boolean authenticate(ServerSession session, String username, List<String> responses) throws Exception {
    // How to verify that the old password is correct, and then prompt to enter new password or to reject login??
    ...order of challenges... = session.getAttribute(...MySpecialAttribute...);
    // process responses...
}
{code}
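The positional pairing described in the comment above, as an added example that is not part of the original comment or of MINA SSHD: plain Java that {{authenticate}} could call with the prompt order it saved in {{generateChallenge}}. The names {{Field}}, {{bind}} and {{acceptChange}} are hypothetical, and the sample passwords are constructed; a real server would verify the old password against its credential store instead of a string.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;

public class PromptOrderExample {
    // Hypothetical labels for the three prompts, stored in the order they were sent.
    enum Field { OLD_PASSWORD, NEW_PASSWORD, RETYPED_PASSWORD }

    // Pair each response with its prompt by position (RFC 4256: same order as the prompts).
    // Returns null when the client sent a different number of responses than prompts.
    static Map<Field, String> bind(List<Field> order, List<String> responses) {
        if (responses == null || responses.size() != order.size()) {
            return null;
        }
        Map<Field, String> byField = new EnumMap<>(Field.class);
        for (int i = 0; i < order.size(); i++) {
            byField.put(order.get(i), responses.get(i));
        }
        return byField;
    }

    // Compare without stopping at the first differing byte.
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // Accept only if the old password matches, the new one was typed twice
    // identically, is not empty, and differs from the old one.
    static boolean acceptChange(String currentPassword, List<Field> order, List<String> responses) {
        Map<Field, String> r = bind(order, responses);
        if (r == null || r.containsValue(null) || r.size() != Field.values().length) {
            return false;
        }
        String oldPw = r.get(Field.OLD_PASSWORD);
        String newPw = r.get(Field.NEW_PASSWORD);
        return !newPw.isEmpty() && same(oldPw, currentPassword)
                && same(newPw, r.get(Field.RETYPED_PASSWORD)) && !same(newPw, oldPw);
    }

    public static void main(String[] args) {
        List<Field> order = Arrays.asList(Field.OLD_PASSWORD, Field.NEW_PASSWORD, Field.RETYPED_PASSWORD);
        String current = "old-secret"; // constructed sample value
        System.out.println(acceptChange(current, order, Arrays.asList("old-secret", "n3w-secret", "n3w-secret")));
        System.out.println(acceptChange(current, order, Arrays.asList("old-secret", "n3w-secret")));
        System.out.println(acceptChange(current, order, Arrays.asList("guess", "n3w-secret", "n3w-secret")));
    }
}
```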
> Keyboard Interactive Authentication only supports one-time interaction
> ----------------------------------------------------------------------
>
> Key: SSHD-762
> URL: https://issues.apache.org/jira/browse/SSHD-762
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 1.6.0
> Reporter: Li Fangning
> Assignee: Goldstein Lyor
> Priority: Minor
> Fix For: 1.7.0
>
>
> The _org.apache.sshd.server.auth.keyboard.KeyboardInteractiveAuthenticator_
> interface only supports one-time interaction with the client.
> Therefore, some features cannot be achieved, such as the scenario of the
> expiration of a user's password.
> See the second authentication example of [RFC 4256|https://www.ietf.org/rfc/rfc4256.txt].
> Regards