
Conversation

@inureyes
Member

Summary

  • Implement authentication provider infrastructure for bssh-server
  • Add PublicKeyVerifier with OpenSSH authorized_keys file parsing
  • Integrate public key authentication with SSH handler
  • Add rate limiting for authentication attempts

Changes

New Files

  • src/server/auth/mod.rs - Auth module exports
  • src/server/auth/provider.rs - AuthProvider trait definition
  • src/server/auth/publickey.rs - PublicKeyVerifier implementation

Modified Files

  • src/server/mod.rs - Export auth module
  • src/server/config.rs - Add auth configuration options
  • src/server/handler.rs - Integrate auth provider with auth_publickey

Implementation Details

AuthProvider Trait

  • verify_publickey() - Verify public key authentication
  • verify_password() - Verify password authentication (placeholder)
  • get_user_info() - Get user information after auth
  • user_exists() - Check if user exists

PublicKeyVerifier Features

  • Parse OpenSSH authorized_keys file format
  • Support multiple key types: ed25519, rsa, ecdsa
  • Parse key options (no-pty, command, from, etc.)
  • Username validation to prevent path traversal
  • File permission checks on Unix systems

Configuration Options

Two modes for authorized_keys location:

  1. Directory mode: {dir}/{username}/authorized_keys
  2. Pattern mode: /home/{user}/.ssh/authorized_keys

Security Features

  • Rate limiting for authentication attempts
  • Username validation against path traversal
  • Logging of auth attempts (success/failure)
  • File permission validation

Test plan

  • Unit tests for authorized_keys parsing
  • Unit tests for key comparison logic
  • Unit tests for path traversal prevention
  • Unit tests for AuthProvider trait implementations
  • All existing tests pass
  • Clippy passes with no warnings

Closes #126
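As an added example (not bssh's own code), the parsing and validation rules the description lists, written stand-alone in Rust: an authorized_keys line parser that keeps quoted option values intact, the username check against path traversal, and the permission-bit check. The key type names, the allowed username character set and the 0o022 mask are assumptions drawn from the PR text, not the project's exact values.

```rust
// Added example (not bssh's own code): an authorized_keys line parser with the
// username and permission checks the PR describes. Names and bits are assumptions.

#[derive(Debug, PartialEq)]
pub struct AuthorizedKey {
    pub options: Vec<String>, // e.g. command="...", no-pty, from="..."
    pub key_type: String,
    pub key_data: String,
}

/// Key types the PR lists (ed25519, rsa, ecdsa); exact names are assumed.
const KEY_TYPES: &[&str] = &["ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"];

/// Split on `is_sep` characters that are outside double quotes, so that
/// command="/bin/true x" stays one field despite its space.
fn split_unquoted(s: &str, is_sep: fn(char) -> bool) -> Vec<String> {
    let (mut out, mut cur, mut quoted) = (Vec::new(), String::new(), false);
    for c in s.chars() {
        if c == '"' { quoted = !quoted; cur.push(c); }
        else if is_sep(c) && !quoted { if !cur.is_empty() { out.push(std::mem::take(&mut cur)); } }
        else { cur.push(c); }
    }
    if !cur.is_empty() { out.push(cur); }
    out
}

/// Parse one line; None for blanks, comments and malformed or unsupported entries.
pub fn parse_authorized_key(line: &str) -> Option<AuthorizedKey> {
    let f = split_unquoted(line.trim(), char::is_whitespace);
    if f.is_empty() || f[0].starts_with('#') { return None; }
    // When the first field is not a key type it is the comma-separated option list.
    let start = if KEY_TYPES.contains(&f[0].as_str()) { 0 } else { 1 };
    let key_type = f.get(start)?.clone();
    if !KEY_TYPES.contains(&key_type.as_str()) { return None; }
    let key_data = f.get(start + 1)?.clone();
    let options = if start == 1 { split_unquoted(&f[0], |c| c == ',') } else { Vec::new() };
    Some(AuthorizedKey { options, key_type, key_data })
}

/// Reject usernames that could escape {dir}/{username}/authorized_keys (assumed rule set).
pub fn valid_username(user: &str) -> bool {
    !user.is_empty() && user.len() <= 32
        && !user.starts_with('.') && !user.starts_with('-')
        && user.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-'))
}

/// Reject group-writable (0o020) and world-writable (0o002) modes, as read via symlink_metadata.
pub fn permissions_ok(mode: u32) -> bool {
    mode & 0o022 == 0
}
```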

Add authentication provider infrastructure for bssh-server:

- Create AuthProvider trait for extensible auth backends
- Implement PublicKeyVerifier with OpenSSH authorized_keys parsing
- Support both directory and pattern-based authorized_keys locations
- Integrate auth provider with SSH handler for auth_publickey
- Add rate limiting for authentication attempts
- Include comprehensive security features:
  - Username validation to prevent path traversal
  - File permission checks on Unix systems
  - Logging for auth attempts (success/failure)

Configuration supports two modes:
- Directory mode: {dir}/{username}/authorized_keys
- Pattern mode: /home/{user}/.ssh/authorized_keys

Closes #126
@inureyes inureyes added type:enhancement New feature or request priority:high High priority issue labels Jan 22, 2026
… authentication

CRITICAL Issue Fixed:
- Fix TOCTOU race condition in load_authorized_keys by removing path.exists()
  check and handling NotFound from read operation. Use symlink_metadata to
  detect symlinks before reading.

HIGH Severity Issues Fixed:
- Add group-writable permission check (0o020) in check_file_permissions
- Fix user enumeration timing attack in user_exists by using constant-time
  behavior - always perform same operations regardless of username validity
- Add directory ownership and permission validation in load_authorized_keys
- Fix symlink check in get_user_info to use symlink_metadata

MEDIUM Issue Fixed:
- Share rate limiter across handlers via Arc to provide server-wide rate
  limiting instead of per-instance limiting

Security Improvements:
- Use symlink_metadata consistently to avoid following symlinks
- Validate parent directory permissions (not world-writable, warn on group-writable)
- Check ownership consistency between file and parent directory
- Reject both world-writable and group-writable authorized_keys files
- Prevent user enumeration through timing attacks

All tests pass with cargo test and cargo clippy.

- Update ARCHITECTURE.md with comprehensive auth module documentation
- Add authentication module reference to docs/architecture/README.md
- Apply cargo fmt formatting to publickey.rs
@inureyes
Member Author

PR Finalization Report

Project Structure Discovered

  • Project Type: Rust
  • Test Framework: cargo test
  • Documentation System: Plain markdown (ARCHITECTURE.md, docs/architecture/)
  • Lint Tools: cargo fmt, cargo clippy

Checklist

Tests

  • Analyzed existing test structure
  • Identified test coverage (16 tests for auth modules)
  • All tests passing (809 library tests passed)

Documentation

  • Updated ARCHITECTURE.md with comprehensive auth module documentation
    • Added Server Authentication Module section
    • Documented AuthProvider trait interface
    • Documented PublicKeyVerifier implementation details
    • Documented security features (username validation, file permission checks, symlink protection, rate limiting, timing attack mitigation)
  • Updated docs/architecture/README.md to reference auth module

Code Quality

  • cargo fmt: Applied formatting fixes to publickey.rs
  • cargo clippy -- -D warnings: Passed with no warnings

Changes Made

  • /home/inureyes/Development/backend.ai/bssh/ARCHITECTURE.md: Added 57 lines documenting the authentication module
  • /home/inureyes/Development/backend.ai/bssh/docs/architecture/README.md: Added reference to server authentication
  • /home/inureyes/Development/backend.ai/bssh/src/server/auth/publickey.rs: Formatting cleanup (11 line changes)

Test Coverage Summary

The new authentication code has comprehensive test coverage:

publickey.rs (14 tests):

  • Key type detection
  • Key options parsing (empty, no-pty, multiple options, command)
  • Config path resolution (directory, pattern, default)
  • Authorized keys parsing (comments, ed25519, with options, invalid)
  • Security tests (invalid username via path traversal, empty username)

provider.rs (2 tests):

  • RejectAllProvider behavior
  • AcceptAllProvider behavior

handler.rs (8 tests):

  • Handler creation and configuration
  • Allowed methods configuration
  • Auth attempts tracking

config.rs (12 tests):

  • Default configuration
  • Builder pattern
  • Timeouts
  • Authorized keys configuration

All verification passed. Ready for merge.

@inureyes inureyes merged commit cce72c6 into main Jan 22, 2026
2 checks passed
@inureyes inureyes deleted the feature/issue-126-publickey-auth branch January 22, 2026 08:08
@inureyes inureyes self-assigned this Jan 24, 2026
@inureyes inureyes added the status:done Completed label Jan 24, 2026
Successfully merging this pull request may close these issues.

Implement public key authentication for server