Comment 6 for bug 375867

John A Meinel (jameinel) wrote :

So I traced down into paramiko, and the only place I see the list of allowed authentication types being set is part of:
    def _parse_userauth_failure(self, m):
        # SSH_MSG_USERAUTH_FAILURE: name-list of methods that can continue,
        # followed by a boolean "partial success" flag (RFC 4252, section 5.1)
        authlist = m.get_list()
        partial = m.get_boolean()
        if partial:
            # the method succeeded, but the server wants another one as well
            self.transport._log(INFO, 'Authentication continues...')
            self.transport._log(DEBUG, 'Methods: ' + str(authlist))
            self.transport.saved_exception = PartialAuthentication(authlist)
        elif self.auth_method not in authlist:
            # the method we just tried is not one the server will accept at all
            self.transport._log(INFO, 'Authentication type (%s) not permitted.' % self.auth_method)
            self.transport._log(DEBUG, 'Allowed methods: ' + str(authlist))
            self.transport.saved_exception = BadAuthenticationType('Bad authentication type', authlist)
        else:
            # the method is allowed; the credentials were simply rejected
            self.transport._log(INFO, 'Authentication (%s) failed.' % self.auth_method)

Now it would seem that transport.auth_publickey() can raise BadAuthenticationType, which would give us this info. The problem being that it would only do so if 'publickey' was not an allowed type to start with.

Put another way... we only find out that 'password' authentication is not allowed once an authentication attempt has been made and it fails because that method is not allowed.

Now I'm guessing that the ssh protocol itself has a way to request the supported authentication methods up front, given that 'ssh -v bazaar.launchpad.net' says:
debug1: Connecting to bazaar.launchpad.net [91.189.90.11] port 22.
debug1: Connection established.
debug1: identity file /home/jameinel/.ssh/identity type -1
...
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey

However, looking at paramiko the only thing it seems to support (as a server) is MSG_SERVICE_REQUEST 'ssh-userauth' which returns MSG_SERVICE_ACCEPT 'ssh-userauth'.

Anyway, I don't know the ssh protocol well enough, but I don't see a way in *paramiko* to explicitly query the remote server for a list of allowed authentication protocols. So for now, we only find out after it fails that it really doesn't support that...
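The wire exchange behind the "Authentications that can continue" line above, as an added illustration that is not part of the bug comment or of paramiko: the client sends SSH_MSG_USERAUTH_REQUEST with the method name "none" (RFC 4252, section 5.2), and the server answers with SSH_MSG_USERAUTH_FAILURE carrying a comma-separated name-list of the methods it will accept plus a "partial success" flag, which is exactly what the quoted `_parse_userauth_failure` reads via `m.get_list()` and `m.get_boolean()`. The byte-level helpers, the constructed server reply and the `classify` function mirroring paramiko's three branches are assumptions of this example, not paramiko API.

```python
import struct

# message numbers from RFC 4250 / RFC 4252
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52


def _put_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_userauth_none_request(username: str, service: str = "ssh-connection") -> bytes:
    """Client -> server probe: USERAUTH_REQUEST with method 'none'.

    This is what OpenSSH sends first; the server's USERAUTH_FAILURE reply
    lists the methods that can continue, without any credential being sent.
    """
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + _put_string(username.encode("utf-8"))
            + _put_string(service.encode("ascii"))
            + _put_string(b"none"))


def parse_userauth_failure(payload: bytes):
    """Server -> client: USERAUTH_FAILURE -> (allowed methods, partial_success)."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not a USERAUTH_FAILURE message")
    name_list, off = _get_string(payload, 1)
    if off >= len(payload):
        raise ValueError("missing partial-success boolean")
    partial = payload[off] != 0
    # RFC 4251 name-list: comma-separated, no spaces; an empty list means "nothing can continue"
    methods = [m for m in name_list.decode("ascii").split(",") if m]
    return methods, partial


def classify(auth_method: str, methods, partial: bool) -> str:
    """Same three outcomes paramiko distinguishes in _parse_userauth_failure."""
    if partial:
        return "partial"          # PartialAuthentication: more methods required
    if auth_method not in methods:
        return "not_permitted"    # BadAuthenticationType: method never allowed
    return "failed"               # method allowed, credentials rejected


# constructed server reply matching the 'ssh -v' output quoted in the comment:
# only 'publickey' can continue, partial success = FALSE
SAMPLE_FAILURE = bytes([SSH_MSG_USERAUTH_FAILURE]) + _put_string(b"publickey") + b"\x00"


if __name__ == "__main__":
    probe = build_userauth_none_request("jameinel")
    print("probe bytes:", probe.hex())
    methods, partial = parse_userauth_failure(SAMPLE_FAILURE)
    print("server allows:", methods, "partial:", partial)
    print("password would be:", classify("password", methods, partial))
```

Sending the "none" probe first and reading the name-list lets a client report "password authentication is not offered by this server" before it ever transmits a credential, rather than learning it, as the comment describes, only after a real attempt fails.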