1 (edited by tjko 2025-06-30 13:23:05)

Topic: wolfSSH Authentication Callback behavior

When experimenting with wolfSSH on an RP2040 MCU, I noticed a couple of things.

It seems the "UserAuthResult" callback (set using wolfSSH_SetUserAuthResult()) doesn't always get called. It gets called when the client is authenticating using "publickey" authentication, but it seems it does not get called at all when "password" authentication is used by the client. This seems like a bug? (Or is there another way to easily track successful/failed logins?)

Looking at src/internal.c, it seems the callback is only called from the DoUserAuthRequestPublicKey() function, so that seems to explain why it does not get called at all if another type of authentication is being used....


Another "odd" thing I noticed is with the "UserAuth" callback (set using wolfSSH_SetUserAuth()). I see it getting called twice when public key authentication succeeds...

Example (debug logs from server side):

user_auth_cb(8,20041918,20024E10): 2
user_auth_cb(2,20041AA0,20024E10): 6
user_auth_cb(2,20041870,20024E10): 0
user_auth_cb(2,20041AB8,20024E10): 0
user_auth_result_cb(0,20041AB8,20024E10): OK

Client log (OpenSSH):

debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/test/.ssh/id_rsa
debug1: Offering public key: /home/test/.ssh/id_ecdsa ECDSA SHA256:lHQBcPRpky2hfMiffYnoVfCww9XL/XC0JZ8CGaPLYCM
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/test/.ssh/id_ecdsa_sk
debug1: Offering public key: /home/test/.ssh/id_ed25519 ED25519 SHA256:NZHx/BI7BCGUS2WVIG+qdrwd/YaH8xk8GgN19L/QJdg
debug1: Server accepts key: /home/test/.ssh/id_ed25519 ED25519 SHA256:NZHx/BI7BCGUS2WVIG+qdrwd/YaH8xk8GgN19L/QJdg
Authenticated to 192.168.4.17 ([192.168.4.17]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: channel 0: setting env LC_ALL = "en_US.UTF-8"

However, when the client uses password authentication there is no "second" call to the callback function after successful authentication...

Server side:

user_auth_cb(8,20041870,20024E10): 2
user_auth_cb(2,20041AA8,20024E10): 6
user_auth_cb(2,20041858,20024E10): 6
user_auth_cb(1,20041AC0,20024E10): 0

(notice, the "UserAuthResult" callback did not get called at all...)

Client side:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/test/.ssh/id_rsa
debug1: Offering public key: /home/test/.ssh/id_ecdsa ECDSA SHA256:lHQBcPRpky2hfMiffYnoVfCww9XL/XC0JZ8CGaPLYCM
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/test/.ssh/id_ecdsa_sk
debug1: Offering public key: /home/test/.ssh/id_ed25519 ED25519 SHA256:NZHx/BI7BCGUS2WVIG+qdrwd/YaH8xk8GgN19L/QJdg
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/test/.ssh/id_ed25519_sk
debug1: Trying private key: /home/test/.ssh/id_xmss
debug1: Trying private key: /home/test/.ssh/id_dsa
debug1: Next authentication method: password
admin@192.168.4.17's password: 
Authenticated to 192.168.4.17 ([192.168.4.17]:22) using "password".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: channel 0: setting env LC_ALL = "en_US.UTF-8"


Re: wolfSSH Authentication Callback behavior

Hi tjko,

Great question.  We currently have only implemented userAuthResultCb for the public key case.  So what you're seeing is expected behavior in the current version of wolfSSH.
Is calling this function in the password case a requirement for your use case?

Are you able to share any information about your project?  Are you working on a personal or commercial project?  If this information is sensitive, feel free to email us at support [AT] wolfssl [DOT] com.

Thanks,
Kareem


Re: wolfSSH Authentication Callback behavior

I would think userAuthResultCb would be much more useful if it always got called at the end of the client authentication process. That would make it much easier to track whether the client succeeded in authentication or not...

I added "SSH server" that uses wolfSSH in my personal (OSWH) project: https://github.com/tjko/fanpico
It seems to work surprisingly well on RP2040 (Pico W), when using ECC based authentication...

Share
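One way to track logins under the behavior described in this thread, as an added example (not code from wolfSSH or from either poster): record password results from the UserAuth callback's return code and take public key results only from the UserAuthResult callback. The type and return values are read off the debug logs above; `login_track`, `cb_call` and the function names are hypothetical, and it assumes the two successful publickey calls are the key offer followed by the signed request.

```c
#include <stdio.h>

/* Values as printed in the debug logs above (assumption: they are wolfSSH's
 * auth-type and return codes): type 1 = password, 2 = publickey, rc 0 = success. */
enum { AUTH_PASSWORD = 1, AUTH_PUBLICKEY = 2, AUTH_OK = 0 };

typedef struct {     /* hypothetical per-connection state */
    unsigned failed; /* rejected password/publickey attempts */
    int logged_in;   /* 1 once a final success is recorded */
    int method;      /* auth type of the final success */
} login_track;
typedef struct { int type, rc; } cb_call; /* one UserAuth callback invocation */

/* Call at the end of the UserAuth callback with its type and return code. */
void track_user_auth(login_track *t, int type, int rc)
{
    if (rc != AUTH_OK) {
        if (type == AUTH_PASSWORD || type == AUTH_PUBLICKEY)
            t->failed++;
        return;
    }
    /* Password: the callback's verdict is final, so record the login here.
     * Publickey: rc 0 shows up for the offer and again for the signed
     * request, so leave the verdict to the UserAuthResult callback. */
    if (type == AUTH_PASSWORD) {
        t->logged_in = 1;
        t->method = AUTH_PASSWORD;
    }
}

/* Call from the UserAuthResult callback (public key logins only, per the reply). */
void track_auth_result(login_track *t, int ok)
{
    if (ok) { t->logged_in = 1; t->method = AUTH_PUBLICKEY; }
    else    { t->failed++; }
}

/* Replay a constructed trace; result is 1/0 if the result callback fired, -1 if not. */
login_track replay(const cb_call *calls, int n, int result)
{
    login_track t = {0, 0, 0};
    for (int i = 0; i < n; i++) track_user_auth(&t, calls[i].type, calls[i].rc);
    if (result >= 0) track_auth_result(&t, result);
    return t;
}

int main(void)
{
    const cb_call pw[] = {{8, 2}, {2, 6}, {2, 6}, {1, 0}}; /* password session above */
    login_track t = replay(pw, 4, -1);
    printf("logged_in=%d method=%d failed=%u\n", t.logged_in, t.method, t.failed);
    return 0;
}
```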