Description
Actual Result / Problem
sshportal always accepts the first key provided, without first checking if it is valid for a user.
sshportal always accepts the first key provided, without first checking if the target host is valid for the owner of that key.
I use ssh-agent with multiple keys (production hosts, dev hosts, multiple github accounts, etc.).
When I attempt to SSH to sshportal it always accepts the first key unconditionally, making it difficult to ensure it authenticates correctly when I want to connect to a production host vs. a development host or even the admin console.
A normal SSH server simply rejects keys it is not interested in, and accepts keys that work.
Once sshportal has accepted the connection, it then provides verbose error messages which may give hope to hackers.
By default sshportal supports a useless implementation of password authentication. This must be disabled to deter hackers from even trying.
Expected Result / Suggestion
The ssh public key handling should detect if the key does not provide the user access to what they want (i.e. admin console, or the selected host), and return "FALSE", allowing the SSH client to try the next key.
Ensure the ssh client is disconnected with a standard authentication error, rather than accepting the connection and returning a verbose message which may leak private information.
Some context
Fixed in fork (https://github.com/systemmonkey42/sshportal)
- Reject unknown key, so ssh client tries next key automatically
- Reject KNOWN key, if the requested bastion host is not accessible to that user, so ssh client tries next key.
- Disable PASSWORD authentication COMPLETELY to ensure hackers stop trying sooner (this is a publicly facing service)
- Ensure the remote user gets a standard "permission denied (publickey)" message, instead of custom messages which may leak information.
- Eliminate the magic username "admin" which allowed users to authenticate with any valid key, and get an admin console even if they did not have admin access. You must now use a valid username/publickey combination to get console access (even if you don't have admin)
Note the sshportal banner still indicates that it is a custom ssh server, however removing the git tag makes it more difficult to locate the exact version and exploit vulnerabilities.
...
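The key-selection behaviour requested in the issue above, as an added example that is not part of the original issue, of sshportal, or of the fork: a standard-library Go model of an SSH client offering its agent keys in order to a server-side public-key check. The fingerprints, user names, host names and the function names `acceptFirst`, `checkKey` and `negotiate` are constructed for illustration, and passing the requested host into the check is an assumption about how it would be wired.

```go
package main

import "fmt"

// Constructed sample data: key fingerprint -> owning user,
// and user -> bastion hosts that user may reach.
var keyOwner = map[string]string{
	"SHA256:prod-key": "alice-prod",
	"SHA256:dev-key":  "alice-dev",
}

var hostACL = map[string]map[string]bool{
	"alice-prod": {"prod-db": true},
	"alice-dev":  {"dev-web": true},
}

// acceptFirst models the reported behaviour: every offered key is accepted,
// so authorization is only decided after the connection is established.
func acceptFirst(target, fingerprint string) bool { return true }

// checkKey models the requested behaviour: reject an unknown key, and reject
// a known key whose owner has no access to the requested host.
func checkKey(target, fingerprint string) bool {
	user, known := keyOwner[fingerprint]
	if !known {
		return false // unknown key: the client moves on to its next key
	}
	return hostACL[user][target] // a missing ACL entry reads as false
}

// negotiate models a client walking its agent keys in order. It returns the
// fingerprint the server accepted, or "" when every key was rejected, which
// the client reports as "Permission denied (publickey)".
func negotiate(check func(target, fp string) bool, target string, offered []string) string {
	for _, fp := range offered {
		if check(target, fp) {
			return fp
		}
	}
	return ""
}

func main() {
	// Constructed agent contents: an unrelated key is offered first.
	offered := []string{"SHA256:github-key", "SHA256:dev-key", "SHA256:prod-key"}
	fmt.Printf("accept-first: %q\n", negotiate(acceptFirst, "prod-db", offered))
	fmt.Printf("checked:      %q\n", negotiate(checkKey, "prod-db", offered))
	fmt.Printf("no access:    %q\n", negotiate(checkKey, "staging", offered))
}
```

With the accept-first check the session is bound to whichever key the agent lists first; with the per-key check the client falls through to the key that is actually authorized for the requested host, or fails with the standard public-key error.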