Danila M created GUACAMOLE-2049:
-----------------------------------

Summary: A user with an expired password cannot log in to an SSH connection when SFTP is enabled
Key: GUACAMOLE-2049
URL: https://issues.apache.org/jira/browse/GUACAMOLE-2049
Project: Guacamole
Issue Type: Bug
Components: guacd, libguac, SSH
Affects Versions: 1.5.5
Environment: Guacamole 1.5.5
Reporter: Danila M
Attachments: guac-reproduce.sh

Hi! We have encountered a problem that prevents the user from logging in via SSH when SFTP is enabled for the connection and the user's password has expired. After entering the credentials, the console hangs without displaying a password reset request from the host. This problem is reproduced on CentOS 7, 8, 9 and the docker image hello2parikshit/ssh (used this for local testing).

h1. Expected behavior

Guacamole displays a password change request like this:

{code:java}
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for test.
(current) UNIX password:
{code}

Or maybe it should just fail to create the SFTP session, show a warning message like "Failed to create SFTP session" on the client and allow the user to continue the login process.

h1. Actual behavior

Console hangs without providing the ability to change the expired password.

{code:java}
Password: *******
{code}

{{strace}} for {{sshd}} on the target host shows messages like this:

{code:java}
1581453 read(15, "WARNING: Your password has expired.\nPassword change required but no TTY available.\n", 16384) = 83
{code}

h1. How to reproduce

# On the target host, create a user (`useradd test`)
# Set a password for the user (`passwd test`)
# Expire the password for the created user (`passwd -e test`)
# Create a connection with type `SSH`, set the host IP address and port
# Enable the "Enable SFTP" parameter for the created connection
# Try to log in with the user created at step 1

Also attached is the script that I used to prepare the testing environment.

As far as I could understand, the problem occurs due to the fact that when creating a separate session for SFTP via {{guac_common_ssh_create_session}} ([src|https://github.com/apache/guacamole-server/blob/d79f201f2572f5a0b563c7af804575db2055fc77/src/protocols/ssh/ssh.c#L393]), Guacamole authenticates on the host using {{libssh2_userauth_password}} ([src|https://github.com/apache/guacamole-server/blob/d79f201f2572f5a0b563c7af804575db2055fc77/src/common-ssh/ssh.c#L363]), receives a request to change the password, but cannot respond to it because a session without a PTY is being created for SFTP. After that, {{guac_common_ssh_create_sftp_filesystem}} ([src|https://github.com/apache/guacamole-server/blob/d79f201f2572f5a0b563c7af804575db2055fc77/src/protocols/ssh/ssh.c#L402]) is called, where the process hangs on the {{libssh2_sftp_init}} ([src|https://github.com/apache/guacamole-server/blob/d79f201f2572f5a0b563c7af804575db2055fc77/src/common-ssh/sftp.c#L967]) call.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
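
An operator-side check for the account state used in the reproduction steps, as an added example that is not part of the original report or of the Guacamole project: it lists accounts whose password is expired according to shadow(5)-format input, which are the accounts that would receive the "Password change required" response from sshd. The function name `expired_accounts`, the helper `sample_shadow` and the sample entries are constructed for illustration; only the last-change and maximum-age fields are evaluated, and PAM policy, inactivity and account-expiry fields are ignored.

```shell
#!/bin/sh
# Added example: report accounts with an expired password from
# shadow(5)-format lines on stdin.
# Usage: expired_accounts DAYS_SINCE_EPOCH < shadow-file
# On a real host (as root), for instance:
#   expired_accounts "$(( $(date +%s) / 86400 ))" < /etc/shadow
expired_accounts() {
    awk -F: -v today="$1" '
        # Skip locked or passwordless accounts (hash field empty or
        # starting with "!" or "*"); they cannot password-authenticate.
        $2 == "" || $2 ~ /^[!*]/ { next }
        # Field 3 (last change) equal to 0 means the password must be
        # changed at next login; this is the state "passwd -e" creates.
        $3 == "0" { print $1 ":forced-change"; next }
        # Field 3 + field 5 (maximum age) in the past: password aged out.
        $3 != "" && $5 != "" && ($3 + $5) < today { print $1 ":aged-out" }
    '
}

# Constructed sample input; hashes are placeholders, not real values.
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder$hash:19800:0:99999:7:::
test:$6$placeholder$hash:0:0:99999:7:::
alice:$6$placeholder$hash:19000:0:90:7:::
bob:$6$placeholder$hash:19850:0:90:7:::
svc:!!:19000:0:30:7:::
EOF
}

# Evaluate the sample against a fixed day number (19900) so the
# result is deterministic.
sample_shadow | expired_accounts 19900
```
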