diff options
| author | Andrew Lytvynov <awly@tailscale.com> | 2024-01-05 08:02:42 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-01-05 08:02:42 -0800 |
| commit | 29e98e18f84c96e66314a695cf0a0bff778bdabb (patch) | |
| tree | 1fe29acec6e0aeafd7c2b4efb17d8d69bc405d98 /util/execqueue | |
| parent | 124dc10261eaa62cbb52ed3c7c17f48a32a0e69d (diff) | |
| download | tailscale-29e98e18f84c96e66314a695cf0a0bff778bdabb.tar.xz tailscale-29e98e18f84c96e66314a695cf0a0bff778bdabb.zip | |
ssh/tailssh: use a local error instead of gossh.ErrDenied (#10743)
ErrDenied was added in [our fork of
x/crypto/ssh](https://github.com/golang/crypto/commit/acc6f8fe8d618cba34d44e89fdde304f98c576df)
to short-circuit auth attempts once one fails.
In the case of our callbacks, this error is returned when SSH policy
check determines that a connection should not be allowed. Both
`NoClientAuthCallback` and `PublicKeyHandler` check the policy and will
fail anyway. The `fakePasswordHandler` returns true only if
`NoClientAuthCallback` succeeds the policy check, so it checks it
indirectly too.
The difference here is that a client might attempt all 2-3 auth methods
instead of just `none` but will fail to authenticate regardless.
Updates #8593
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Diffstat (limited to 'util/execqueue')
0 files changed, 0 insertions, 0 deletions
