[Libguestfs] [PATCH nbdkit] ssh: Improve the error message when all authentication methods fail

Richard W.M. Jones rjones at redhat.com
Thu Jan 5 11:34:38 UTC 2023


The current error message:

  nbdkit: ssh[1]: error: all possible authentication methods failed

is confusing and non-actionable.  It's hard even for experts to
understand the relationship between the authentication methods offered
by a server and what we require.

Try to improve the error message in some common situations, especially
where password authentication on the server side is disabled but the
client supplied a password=... parameter.  After this change, you will
see an actionable error:

  nbdkit: ssh[1]: error: the server does not offer password
  authentication, but you tried to use a password; if you have root
  access to the server, try editing 'sshd_config' and setting
  'PasswordAuthentication yes'; otherwise try using an SSH agent with
  a passphrase

Also remove an incidental comment left over when I copied the libssh
example code.

See-also: https://bugzilla.redhat.com/show_bug.cgi?id=2158300
---
 plugins/ssh/ssh.c | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/plugins/ssh/ssh.c b/plugins/ssh/ssh.c
index 6cf40c26f..23c0b46f9 100644
--- a/plugins/ssh/ssh.c
+++ b/plugins/ssh/ssh.c
@@ -355,14 +355,35 @@ authenticate (struct ssh_handle *h)
     rc = authenticate_pubkey (h->session);
     if (rc == SSH_AUTH_SUCCESS) return 0;
   }
+  else if (password == NULL) {
+    /* Because the password method below requires a password, we know
+     * that it will fail, so print an actionable error message and
+     * bail now.
+     */
+    nbdkit_error ("the server does not offer SSH agent authentication; "
+                  "try using a password=... parameter, see the "
+                  "nbdkit-ssh-plugin(1) manual page");
+    return -1;
+  }
 
-  /* Example code tries keyboard-interactive here, but we cannot use
-   * that method from a server.
-   */
-
-  if (password != NULL && (method & SSH_AUTH_METHOD_PASSWORD)) {
-    rc = authenticate_password (h->session, password);
-    if (rc == SSH_AUTH_SUCCESS) return 0;
+  if (password != NULL) {
+    if (method & SSH_AUTH_METHOD_PASSWORD) {
+      rc = authenticate_password (h->session, password);
+      if (rc == SSH_AUTH_SUCCESS) return 0;
+      else {
+        nbdkit_error ("password authentication failed, "
+                      "is the username and password correct?");
+        return -1;
+      }
+    }
+    else {
+      nbdkit_error ("the server does not offer password authentication, "
+                    "but you tried to use a password; if you have root access "
+                    "to the server, try editing 'sshd_config' and setting "
+                    "'PasswordAuthentication yes'; otherwise try using "
+                    "an SSH agent with a passphrase");
+      return -1;
+    }
   }
 
   nbdkit_error ("all possible authentication methods failed");
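
Review bot: The final nbdkit_error ("all possible authentication methods failed") is now reachable only when the public key branch at the top of the hunk ran without returning SSH_AUTH_SUCCESS and password == NULL, because every password != NULL path now returns. That means the one remaining failure case still gets the message the commit calls confusing and non-actionable. Suggest replacing it with text that names public key authentication as the method that failed and mentions password=... as the alternative. Two smaller points: the new else-if message says "SSH agent authentication" while the call it pairs with is authenticate_pubkey, so if that function can also use key files, "public key authentication" would be the more accurate wording. And the hint in the last else branch leads with setting 'PasswordAuthentication yes' in sshd_config, which loosens server policy; consider putting the SSH agent option first and the server change second.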
-- 
2.37.3


