tg123/sshpiper

How to check if the password is wrong or sshd server is not ready

1534854467 opened this issue · 11 comments

I get "Permission denied (password)" when I use the wrong password or when the sshd does not start.

how can I check whether the password is wrong or the sshd server is not ready?


tg123 commented

you can check sshpiperd logs for the reason of failed attempts

> you can check sshpiperd logs for the reason of failed attempts

is there any way to check it from the ssh return information?

e.g. SSH connection refused / SSH server not ready

tg123 commented

for example, you will see "dial tcp 127.0.0.1:23: connect: connection refused" if the remote is not available

ERRO[0019] cannot create upstream for 127.0.0.1:58014 (username [root]) with password auth: dial tcp 127.0.0.1:23: connect: connection refused 

yes, i see this error message on the sshpiperd server when the upstream connection is refused

but the ssh client still shows "Permission denied (password)"

if i were a user, i would not know from the terminal output whether my sshd server is running

tg123 commented

sshpiper will not know the upstream endpoint until the downstream (user) has entered a password,
and the upstream may be different if the password is not the same.

also, there is no way to send an error/msg to downstream side during ssh password auth.

tg123/sshpiper.crypto#2

@tg123
please review this PR, i am trying to add some error messages when a network error occurs

tg123 commented

basically, you should not touch any file in the original crypto; all changes should be limited to sshpiper.go
you should add a hook for your case:
UpstreamAuthFailureCallback

but right now there is no way to write back to the client side

tg123/sshpiper.crypto#3

@tg123
I have a new PR, please review it again

tg123 commented

IMHO, this introduces a security concern: the downstream can detect whether a user is valid or not

however, i am happy if it can be customized via a plugin

some changes to crypto that I have in mind:

in authUpstream add a new DisconnectErr handler
if DisconnectErr { send DisconnectErr msg }

the DisconnectErr is returned by NextAuthMethods after UpstreamAuthFailureCallback has noticed some special err
everything should be done in the plugin

you can check failtoban to see if it is good enough for your case after the new API is added

thx for your reply! that's good if there is a DisconnectErrHandler, and i am trying it;

and another way:
i am trying to add a healthcheck in NewConnectionCallback for the kubernetes plugin, doing net.Dial("tcp", upstream_addr) in NewConnectionCallback

but i cannot get the ssh user, because I only get a net.Conn in libplugin.ConnMetadata,
so i cannot do the upstream healthcheck in NewConnectionCallback

@tg123
Do you have any suggestions? thx

tg123 commented

the user name is only available after the first handshake; you can do the health check in PasswordCallback for example, and return an err to disconnect
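The health check suggested above, as an added standalone example (not sshpiper's own plugin code, and not tied to the real libplugin signatures): once the user name is known, resolve the upstream, net.Dial it with a timeout, and return an error to disconnect if it is unreachable; the `resolveUpstream` lookup and the callback shape are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// ErrUpstreamUnavailable is the generic error a plugin would return from its
// password callback to disconnect the downstream client when the upstream sshd
// is not reachable. It deliberately says nothing about the password itself.
var ErrUpstreamUnavailable = errors.New("upstream ssh server not ready")

// ErrAuthFailed is the normal "permission denied" path; an unknown user gets
// this rather than a disconnect, so it looks the same as a wrong password.
var ErrAuthFailed = errors.New("permission denied")

// checkUpstream is the TCP health check from the thread: a plain dial with a
// timeout, so a dead upstream fails fast instead of stalling the handshake.
func checkUpstream(addr string, timeout time.Duration) error {
	c, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrUpstreamUnavailable, err)
	}
	return c.Close()
}

// resolveUpstream stands in for the plugin's own user-to-upstream lookup
// (hypothetical; a real plugin would query its backend, e.g. kubernetes).
type resolveUpstream func(user string) (addr string, ok bool)

// passwordCheck mirrors the shape of a password callback: by this point the
// user name is available, so the upstream can be resolved and health-checked
// before the password is forwarded. It returns the upstream address to connect
// to, or an error. Note the trade-off raised in the thread: a disconnect error
// reveals that the user maps to an upstream, so only use it when that is
// acceptable for the deployment.
func passwordCheck(user string, resolve resolveUpstream, timeout time.Duration) (string, error) {
	addr, ok := resolve(user)
	if !ok {
		return "", ErrAuthFailed
	}
	if err := checkUpstream(addr, timeout); err != nil {
		return "", err
	}
	return addr, nil
}
```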