From 616e79c065f5b4a52ed3e5fb1e2dec643b44b1e6 Mon Sep 17 00:00:00 2001
From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 8 Dec 2022 16:24:19 +0100
Subject: [PATCH] virNetLibsshAuthenticatePassword: Use virAuthAskPassword
 instead of virAuthGetPasswordPath

virAuthGetPasswordPath can return the same password over and over if
it's configured in the config. We rather want to try that only the first
time and then ask the user instead.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
---
 src/rpc/virnetlibsshsession.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/src/rpc/virnetlibsshsession.c b/src/rpc/virnetlibsshsession.c
index 913fa1c26d..8de7c86a41 100644
--- a/src/rpc/virnetlibsshsession.c
+++ b/src/rpc/virnetlibsshsession.c
@@ -500,6 +500,7 @@ virNetLibsshAuthenticatePrivkey(virNetLibsshSession *sess,
 static int
 virNetLibsshAuthenticatePassword(virNetLibsshSession *sess)
 {
+    g_autofree char *password = NULL;
     const char *errmsg;
     int rc = SSH_AUTH_ERROR;
 
@@ -513,19 +514,34 @@ virNetLibsshAuthenticatePassword(virNetLibsshSession *sess)
         return SSH_AUTH_ERROR;
     }
 
+    /* first try to get password from config */
+    if (virAuthGetCredential("ssh", sess->hostname, "password", sess->authPath,
+                             &password) < 0)
+        return SSH_AUTH_ERROR;
+
+    if (password) {
+        rc = ssh_userauth_password(sess->session, NULL, password);
+        virSecureEraseString(password);
+
+        if (rc == 0)
+            return SSH_AUTH_SUCCESS;
+        else if (rc != SSH_AUTH_DENIED)
+            goto error;
+    }
+
     /* Try the authenticating the set amount of times. The server breaks the
      * connection if maximum number of bad auth tries is exceeded */
     while (true) {
-        g_autofree char *password = NULL;
+        g_autoptr(virConnectCredential) cred = NULL;
+        g_autofree char *prompt = NULL;
 
-        if (!(password = virAuthGetPasswordPath(sess->authPath, sess->cred,
-                                                "ssh", sess->username,
-                                                sess->hostname)))
+        prompt = g_strdup_printf(_("Enter %s's password for %s"),
+                                 sess->username, sess->hostname);
+
+        if (!(cred = virAuthAskCredential(sess->cred, prompt, false)))
             return SSH_AUTH_ERROR;
 
-        /* tunnelled password authentication */
-        rc = ssh_userauth_password(sess->session, NULL, password);
-        virSecureEraseString(password);
+        rc = ssh_userauth_password(sess->session, NULL, cred->result);
 
         if (rc == 0)
             return SSH_AUTH_SUCCESS;
@@ -533,7 +549,7 @@ virNetLibsshAuthenticatePassword(virNetLibsshSession *sess)
             break;
     }
 
-    /* error path */
+ error:
     errmsg = ssh_get_error(sess->session);
     virReportError(VIR_ERR_AUTH_FAILED,
                    _("authentication failed: %s"), errmsg);