Commit a6b9fbc
fix(ssh): wrap agent signers to continue to next identity on signing failure

When an SSH agent signer fails to sign (e.g. user cancels a FIDO2/security-key
user-presence prompt), golang.org/x/crypto/ssh treats the error as fatal and
aborts the entire publickey authentication, preventing remaining identities
from being tried. This deviates from OpenSSH behavior where a declined
signature simply moves on to the next key.

This change wraps agent-backed signers in a failoverSigner that returns a
deliberately invalid signature on signing failure instead of propagating the
error. The server rejects the invalid signature as a normal auth failure,
allowing RetryableAuthMethod to continue with the next identity.

Also adds conndebug logging for:
- Agent socket dial failures
- Agent key listing errors
- Number of identities provided by the agent
- Each agent identity being attempted
- Per-key signing failures

Fixes #33651

parent c99022c commit a6b9fbc
2 files changed
Lines changed: 63 additions & 1 deletion
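
The failover behaviour the commit message describes, modelled as an added standard-library-only sketch (not the commit's code, which is not visible on this page). `Signer`, `failover`, `authenticate` and `scenario` are hypothetical stand-ins for `ssh.Signer`, the wrapper and the publickey retry loop, and the all-zero Ed25519 signature is an assumed form of "deliberately invalid".

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Signer is a cut-down stand-in for ssh.Signer (assumption: only Sign is modelled).
type Signer interface{ Sign(msg []byte) ([]byte, error) }

type keySigner ed25519.PrivateKey // software key that always signs
type declinedSigner struct{}      // security key whose user-presence prompt was cancelled
func (k keySigner) Sign(m []byte) ([]byte, error)  { return ed25519.Sign(ed25519.PrivateKey(k), m), nil }
func (declinedSigner) Sign([]byte) ([]byte, error) { return nil, errors.New("user presence declined") }

// failover (hypothetical name) turns a signing error into a signature that cannot verify.
type failover struct{ Signer }
func (f failover) Sign(m []byte) ([]byte, error) {
	if sig, err := f.Signer.Sign(m); err == nil {
		return sig, nil
	}
	return make([]byte, ed25519.SignatureSize), nil // all-zero: the verifier rejects it
}

// authenticate models a client that treats a Sign error as fatal and a server that only verifies.
func authenticate(ids []Signer, authorized ed25519.PublicKey, challenge []byte) (int, error) {
	for i, s := range ids {
		sig, err := s.Sign(challenge)
		if err != nil {
			return -1, fmt.Errorf("identity %d: %w", i, err) // remaining keys never tried
		}
		if ed25519.Verify(authorized, challenge, sig) {
			return i, nil
		}
	}
	return -1, errors.New("all identities rejected")
}

// scenario (constructed data): identity 0 declines, identity 1 is the authorized key.
func scenario(wrap bool) (int, error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	ids := []Signer{declinedSigner{}, keySigner(priv)}
	if wrap {
		ids = []Signer{failover{ids[0]}, failover{ids[1]}}
	}
	return authenticate(ids, pub, []byte("constructed session data"))
}

func main() { fmt.Println(scenario(false)); fmt.Println(scenario(true)) }
```

In this model each declined key still costs one rejected attempt on the verifying side, so the number of identities tried ahead of the working key counts against any server-side limit on authentication attempts.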
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
310 | 310 | | |
311 | 311 | | |
312 | 312 | | |
| 313 | + | |
| 314 | + | |
313 | 315 | | |
314 | 316 | | |
315 | 317 | | |
| |||
772 | 774 | | |
773 | 775 | | |
774 | 776 | | |
| 777 | + | |
775 | 778 | | |
776 | 779 | | |
777 | 780 | | |
778 | | - | |
| 781 | + | |
| 782 | + | |
| 783 | + | |
| 784 | + | |
| 785 | + | |
| 786 | + | |
| 787 | + | |
| 788 | + | |
| 789 | + | |
779 | 790 | | |
780 | 791 | | |
781 | 792 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |