The ssh2 crate currently does not support SSH authentication when the server enforces both public key and password authentication in the same session using:
```
AuthenticationMethods publickey,password
```
This configuration requires the client to first authenticate with a public key and then provide a password before authentication is considered successful. However, ssh2-rs only supports using one method at a time and does not allow chaining authentication methods in a single session.
Steps to Reproduce:
- Configure the SSH server (/etc/ssh/sshd_config) with:

  ```
  PasswordAuthentication yes
  PubkeyAuthentication yes
  AuthenticationMethods publickey,password
  ```

  Restart the SSH service:

  ```
  sudo systemctl restart ssh
  ```

- Attempt to authenticate using ssh2-rs with both a key and a password:

  ```rust
  use ssh2::Session;
  use std::net::TcpStream;
  use std::path::Path;

  fn main() -> Result<(), Box<dyn std::error::Error>> {
      let tcp = TcpStream::connect("your.server.com:22")?;
      let mut sess = Session::new().unwrap();
      sess.set_tcp_stream(tcp);
      sess.handshake()?;
      // Public key authentication
      sess.userauth_pubkey_file("your-user", None, Path::new("/path/to/private_key"), None)?; // fails here
      // Password authentication
      sess.userauth_password("your-user", "your-password")?;
      assert!(sess.authenticated());
      Ok(())
  }
  ```

- The code fails with the error:

  ```
  { code: Session(-19), msg: "Invalid signature for supplied public key, or bad username/public key combination" }
  ```

- Running SSH manually on the same machine works fine:

  ```
  ssh -i /path/to/private_key user@example.com
  ```

Expected Behavior:
The ssh2 crate should allow chaining authentication methods in the same session when the server enforces publickey,password.
Actual Behavior:
- The first authentication method succeeds (userauth_pubkey_file()), but userauth_password() fails.
- If userauth_password() is called first, userauth_pubkey_file() is never executed.
- The crate does not provide a way to handle publickey,password authentication.
Environment:
- ssh2 crate version: 0.10
- Rust version: rustc 1.82.0
- OS: Ubuntu 24.04 LTS
- SSH Server: OpenSSH_8.9p1
Additional Context:
- The issue is not related to key format (PEM is used and works with manual SSH).
- The issue only occurs when publickey,password is enforced by the SSH server.
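
The server-side behaviour behind this report, as an added example that is not part of the original issue or the ssh2 project's code: a simplified model of how sshd evaluates AuthenticationMethods, showing that a valid public key alone is answered with SSH_MSG_USERAUTH_FAILURE carrying the partial-success flag (RFC 4252) rather than with success. The function and type names are hypothetical, and sub-method qualifiers and the `any` keyword are not modelled.

```rust
/// Parse an AuthenticationMethods value: space-separated lists of comma-separated methods.
fn parse_lists(value: &str) -> Vec<Vec<String>> {
    value
        .split_whitespace()
        .map(|list| list.split(',').map(str::to_string).collect())
        .collect()
}

/// Server reply to one authentication request (hypothetical model type).
#[derive(Debug, PartialEq)]
enum Reply {
    Success, // SSH_MSG_USERAUTH_SUCCESS
    Failure { partial: bool, can_continue: Vec<String> }, // SSH_MSG_USERAUTH_FAILURE
}

/// Methods that come next in at least one list whose prefix matches `done`.
fn next_methods(lists: &[Vec<String>], done: &[String]) -> Vec<String> {
    let mut out: Vec<String> = Vec::new();
    for list in lists {
        if list.len() > done.len() && list[..done.len()] == *done {
            let m = list[done.len()].clone();
            if !out.contains(&m) { out.push(m); }
        }
    }
    out
}

/// One client attempt with valid credentials for `method`.
fn attempt(lists: &[Vec<String>], done: &mut Vec<String>, method: &str) -> Reply {
    let offered = next_methods(lists, done);
    if !offered.iter().any(|m| m == method) {
        return Reply::Failure { partial: false, can_continue: offered };
    }
    done.push(method.to_string());
    if lists.iter().any(|l| *l == *done) {
        return Reply::Success; // every method of one list completed, in order
    }
    Reply::Failure { partial: true, can_continue: next_methods(lists, done) }
}

fn main() {
    let lists = parse_lists("publickey,password"); // directive value from this report
    let mut done = Vec::new();
    println!("{:?}", attempt(&lists, &mut done, "publickey"));
    println!("{:?}", attempt(&lists, &mut done, "password"));
}
```

A client that treats every SSH_MSG_USERAUTH_FAILURE as fatal stops after the first reply; one that honours the partial-success flag continues with the methods listed in the reply.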