Merge pull request ClickHouse#78586 from ClickHouse/ssh-pass

Support password auth type in SSH protocol

Author: alexey-milovidov

src/Server/SSH/SSHPtyHandler.cpp

@@ -345,7 +345,8 @@ class SessionCallback
     {
         server_cb.userdata = this;
         server_cb.auth_pubkey_function = authPublickeyAdapter<ssh_session, const char *, ssh_key, char>;
-        ssh_set_auth_methods(session.getInternalPtr(), SSH_AUTH_METHOD_PUBLICKEY);
+        server_cb.auth_password_function = authPasswordAdapter<ssh_session, const char *, const char *>;
+        ssh_set_auth_methods(session.getInternalPtr(), SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_PUBLICKEY);
         server_cb.channel_open_request_session_function = channelOpenAdapter<ssh_session>;
 
         ssh_callbacks_init(&server_cb)
@@ -395,11 +396,11 @@ class SessionCallback
             {
                 auto user_has_ssh_auth_type = [](auto user_authentication_type) { return user_authentication_type == AuthenticationType::SSH_KEY; };
                 auto user_auth_types = db_session_created->getAuthenticationTypes(user_name);
+
+                /// User {} doesn't have SSH_KEY authentication type, so we will try to authenticate it using a password.
                 if (auto result = std::ranges::find_if(user_auth_types, user_has_ssh_auth_type); result == user_auth_types.end())
-                {
-                    LOG_WARNING(log, "User {} doesn't have SSH_KEY authentication type", user_name);
-                    return SSH_AUTH_DENIED;
-                }
+                    return SSH_AUTH_PARTIAL;
+
                 return SSH_AUTH_SUCCESS;
             }
 
@@ -431,6 +432,27 @@ class SessionCallback
 
     GENERATE_ADAPTER_FUNCTION(SessionCallback, authPublickey, int)
 
+    int authPassword(ssh_session, const char * user, const char * password)
+    {
+        try
+        {
+            LOG_TRACE(log, "Authenticating with password");
+            auto db_session_created = std::make_unique<Session>(server_context, ClientInfo::Interface::LOCAL);
+            db_session_created->authenticate(BasicCredentials{user, password}, peer_address);
+            authenticated = true;
+            db_session = std::move(db_session_created);
+            return SSH_AUTH_SUCCESS;
+        }
+        catch (...)
+        {
+            tryLogCurrentException(log);
+            ++auth_attempts;
+            return SSH_AUTH_DENIED;
+        }
+    }
+
+    GENERATE_ADAPTER_FUNCTION(SessionCallback, authPassword, int)
+
     ssh_server_callbacks_struct server_cb = {};
 };
 

tests/integration/test_ssh/test.py

@@ -138,3 +138,23 @@ def test_simple_query_with_paramiko(started_cluster):
     # Secsh channel 1 open FAILED: : Administratively prohibited
 
     client.close()
+
+def test_paramiko_password(started_cluster):
+    instance.query("CREATE USER OR REPLACE mister IDENTIFIED BY 'P@$$WORD';")
+
+    pkey = paramiko.Ed25519Key.from_private_key_file(f"{SCRIPT_DIR}/keys/lucy_ed25519")
+    client = paramiko.SSHClient()
+    policy = paramiko.AutoAddPolicy()
+    client.set_missing_host_key_policy(policy)
+    client.connect(hostname=instance.ip_address, port=9022, username="mister", password='P@$$WORD')
+
+    stdin, stdout, stderr = client.exec_command("SELECT 1;")
+    stdin.close()
+    result = stdout.read().decode()
+    expected = instance.query("SELECT 1;")
+    assert result.replace("\n\x00", "\n") == expected
+
+    # FIXME: If I'm trying to execute more queries with the same client I get the error:
+    # Secsh channel 1 open FAILED: : Administratively prohibited
+
+    client.close()