Skip to content

feat: Implement public key authentication for server#147

Merged
inureyes merged 3 commits intomainfrom
feature/issue-126-publickey-auth
Jan 22, 2026
Merged

feat: Implement public key authentication for server#147
inureyes merged 3 commits intomainfrom
feature/issue-126-publickey-auth

Conversation

@inureyes
Copy link
Member

@inureyes inureyes commented Jan 22, 2026

Summary

  • Implement authentication provider infrastructure for bssh-server
  • Add PublicKeyVerifier with OpenSSH authorized_keys file parsing
  • Integrate public key authentication with SSH handler
  • Add rate limiting for authentication attempts

Changes

New Files

  • src/server/auth/mod.rs - Auth module exports
  • src/server/auth/provider.rs - AuthProvider trait definition
  • src/server/auth/publickey.rs - PublicKeyVerifier implementation

Modified Files

  • src/server/mod.rs - Export auth module
  • src/server/config.rs - Add auth configuration options
  • src/server/handler.rs - Integrate auth provider with auth_publickey

Implementation Details

AuthProvider Trait

  • verify_publickey() - Verify public key authentication
  • verify_password() - Verify password authentication (placeholder)
  • get_user_info() - Get user information after auth
  • user_exists() - Check if user exists

PublicKeyVerifier Features

  • Parse OpenSSH authorized_keys file format
  • Support multiple key types: ed25519, rsa, ecdsa
  • Parse key options (no-pty, command, from, etc.)
  • Username validation to prevent path traversal
  • File permission checks on Unix systems

Configuration Options

Two modes for authorized_keys location:

  1. Directory mode: {dir}/{username}/authorized_keys
  2. Pattern mode: /home/{user}/.ssh/authorized_keys

Security Features

  • Rate limiting for authentication attempts
  • Username validation against path traversal
  • Logging of auth attempts (success/failure)
  • File permission validation

Test plan

  • Unit tests for authorized_keys parsing
  • Unit tests for key comparison logic
  • Unit tests for path traversal prevention
  • Unit tests for AuthProvider trait implementations
  • All existing tests pass
  • Clippy passes with no warnings

Closes #126

@inureyes
feat: Implement public key authentication for server
5b97757 
Add authentication provider infrastructure for bssh-server:

- Create AuthProvider trait for extensible auth backends
- Implement PublicKeyVerifier with OpenSSH authorized_keys parsing
- Support both directory and pattern-based authorized_keys locations
- Integrate auth provider with SSH handler for auth_publickey
- Add rate limiting for authentication attempts
- Include comprehensive security features:
  - Username validation to prevent path traversal
  - File permission checks on Unix systems
  - Logging for auth attempts (success/failure)

Configuration supports two modes:
- Directory mode: {dir}/{username}/authorized_keys
- Pattern mode: /home/{user}/.ssh/authorized_keys

Closes #126
@inureyes inureyes added type:enhancement New feature or request priority:high High priority issue labels Jan 22, 2026
@inureyes
fix: address critical and high severity security issues in public key…
b5030a4 
… authentication

CRITICAL Issue Fixed:
- Fix TOCTOU race condition in load_authorized_keys by removing path.exists()
  check and handling NotFound from read operation. Use symlink_metadata to
  detect symlinks before reading.

HIGH Severity Issues Fixed:
- Add group-writable permission check (0o020) in check_file_permissions
- Fix user enumeration timing attack in user_exists by using constant-time
  behavior - always perform same operations regardless of username validity
- Add directory ownership and permission validation in load_authorized_keys
- Fix symlink check in get_user_info to use symlink_metadata

MEDIUM Issue Fixed:
- Share rate limiter across handlers via Arc to provide server-wide rate
  limiting instead of per-instance limiting

Security Improvements:
- Use symlink_metadata consistently to avoid following symlinks
- Validate parent directory permissions (not world-writable, warn on group-writable)
- Check ownership consistency between file and parent directory
- Reject both world-writable and group-writable authorized_keys files
- Prevent user enumeration through timing attacks

All tests pass with cargo test and cargo clippy.
@inureyes
chore: finalize PR with documentation and formatting
b87a744 
- Update ARCHITECTURE.md with comprehensive auth module documentation
- Add authentication module reference to docs/architecture/README.md
- Apply cargo fmt formatting to publickey.rs
@inureyes
Copy link
Member Author

inureyes commented Jan 22, 2026

PR Finalization Report

Project Structure Discovered

  • Project Type: Rust
  • Test Framework: cargo test
  • Documentation System: Plain markdown (ARCHITECTURE.md, docs/architecture/)
  • Lint Tools: cargo fmt, cargo clippy

Checklist

Tests

  • Analyzed existing test structure
  • Identified test coverage (16 tests for auth modules)
  • All tests passing (809 library tests passed)

Documentation

  • Updated ARCHITECTURE.md with comprehensive auth module documentation
    • Added Server Authentication Module section
    • Documented AuthProvider trait interface
    • Documented PublicKeyVerifier implementation details
    • Documented security features (username validation, file permission checks, symlink protection, rate limiting, timing attack mitigation)
  • Updated docs/architecture/README.md to reference auth module

Code Quality

  • cargo fmt: Applied formatting fixes to publickey.rs
  • cargo clippy -- -D warnings: Passed with no warnings

Changes Made

  • /home/inureyes/Development/backend.ai/bssh/ARCHITECTURE.md: Added 57 lines documenting the authentication module
  • /home/inureyes/Development/backend.ai/bssh/docs/architecture/README.md: Added reference to server authentication
  • /home/inureyes/Development/backend.ai/bssh/src/server/auth/publickey.rs: Formatting cleanup (11 line changes)

Test Coverage Summary

The new authentication code has comprehensive test coverage:

publickey.rs (14 tests):

  • Key type detection
  • Key options parsing (empty, no-pty, multiple options, command)
  • Config path resolution (directory, pattern, default)
  • Authorized keys parsing (comments, ed25519, with options, invalid)
  • Security tests (invalid username via path traversal, empty username)

provider.rs (2 tests):

  • RejectAllProvider behavior
  • AcceptAllProvider behavior

handler.rs (8 tests):

  • Handler creation and configuration
  • Allowed methods configuration
  • Auth attempts tracking

config.rs (12 tests):

  • Default configuration
  • Builder pattern
  • Timeouts
  • Authorized keys configuration

All verification passed. Ready for merge.

@inureyes inureyes merged commit cce72c6 into main Jan 22, 2026
2 checks passed
@inureyes inureyes deleted the feature/issue-126-publickey-auth branch January 22, 2026 08:08
@inureyes inureyes self-assigned this Jan 24, 2026
@inureyes inureyes added the status:done Completed label Jan 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@inureyes inureyes

Labels

priority:high High priority issue status:done Completed type:enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement public key authentication for server

1 participant

@inureyes