You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CHANGELOG.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,6 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
13
13
14
14
### Fixed
15
15
16
+
- SSH auth-failure alerts now point at the actual cause. The catch-all "Check your credentials or private key." string was wrong for the most common 2FA case (typing a wrong TOTP code), because the credentials were fine; only the verification code was wrong. `SSHTunnelError.authenticationFailed` now carries an `AuthFailureReason` (`password`, `verificationCode`, `privateKey`, `agentRejected`, `generic`), every throw site picks the right one, and the alert text matches: "Verification code rejected. Get a new code from your authenticator app and try again." for kbd-int + TOTP rejections, "SSH password rejected. Check the password and try again." for plain password rejections, and so on. Follow-up to #1005.
17
+
- TOTP codes are now fetched lazily from the `TOTPProvider` inside the kbd-int callback rather than once upfront before authentication starts. Fixes two related issues: (1) when the kbd-int handshake straddled a 30-second TOTP rotation boundary, the `AutoTOTPProvider` code that was valid at fetch time had expired by the time PAM validated it; (2) when the server retried after a wrong code (sshd defaults to 3 prompts per session), TablePro replayed the same wrong code instead of asking the user for a new one. `PromptTOTPProvider` now switches its NSAlert wording to "Verification Code Rejected. The previous code wasn't accepted. Wait for your authenticator to refresh, then enter the new code." on retries, matching how OpenSSH re-prompts.
16
18
- SSH Auth Method = Password failed against servers that only advertise `keyboard-interactive` (the typical `pam_google_authenticator` setup, where `sshd_config` has `AuthenticationMethods keyboard-interactive`). The bare `userauth_password` request the server doesn't accept was the only attempt, so connection failed even when the user typed the right password. `buildAuthenticator` now always pairs `PasswordAuthenticator` with a `KeyboardInteractiveAuthenticator` that reuses the same password, matching OpenSSH and Sequel Ace's "save the password, the server may also prompt for a code" flow. Follow-up to #1005.
17
19
- SSH connections to servers requiring Google Authenticator (or any PAM stack that pairs `Password:` with `Verification code:` over keyboard-interactive) failed when the user picked Auth Method = Password with TOTP enabled. `LibSSH2TunnelFactory.buildAuthenticator` built a `CompositeAuthenticator(PasswordAuthenticator → KeyboardInteractiveAuthenticator)` but passed `password: nil` to the kbd-interactive fallback, so when the server replayed the password challenge the callback answered with an empty string. The fallback now reuses the same SSH password, mirroring the `.keyboardInteractive` path. Fixes #1005.
18
20
- Up arrow on the first line of the SQL editor failed to jump to the start of the document when the caret was at the very end of a single-line query (or anywhere outside the half-open `lineStorage.first.range`). Same shape on the symmetric Down-on-last-line path. The first/last-line detection used `NSRange.contains`, which is half-open and excludes the trailing offset, so the caret-at-end-of-document fell through to a geometry probe that found no line above and bailed. Now the check uses `textLineForOffset`, which already handles `offset == length` by returning the last line, and compares line IDs.
0 commit comments