From 7c2766b34bd10f0ae2dcd0b378696fb454498a76 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Wed, 9 Mar 2016 15:44:53 -0800
Subject: [PATCH] GUAC-1389: Abort correctly if password or keyboard-interactive auth fails (fixes GUAC-1381).
---
 src/common-ssh/guac_ssh.c | 47 +++++++++++++++++++++++++++++++--------
 1 file changed, 38 insertions(+), 9 deletions(-)
diff --git a/src/common-ssh/guac_ssh.c b/src/common-ssh/guac_ssh.c
index ca72703f..12156dee 100644
--- a/src/common-ssh/guac_ssh.c
+++ b/src/common-ssh/guac_ssh.c
@@ -344,19 +344,48 @@ static int guac_common_ssh_authenticate(guac_common_ssh_session* common_session)
 /* Authenticate with password, if provided */
 else if (password != NULL) {

- /* Authenticate with password */
+ /* Check if password auth is supported on the server */
 if (strstr(user_authlist, "password") != NULL) {
- guac_client_log(client, GUAC_LOG_DEBUG,
- "Using password authentication method");
- return libssh2_userauth_password(session, username, password);
+
+ /* Attempt password authentication */
+ if (libssh2_userauth_password(session, username, password)) {
+
+ /* Abort on failure */
+ char* error_message;
+ libssh2_session_last_error(session, &error_message, NULL, 0);
+ guac_client_abort(client,
+ GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
+ "Password authentication failed: %s", error_message);
+
+ return 1;
+ }
+
+ /* Password authentication succeeded */
+ return 0;
+
 }

- /* Authenticate with password via keyboard-interactive auth */
+ /* Check if keyboard-interactive auth is supported on the server */
 if (strstr(user_authlist, "keyboard-interactive") != NULL) {
- guac_client_log(client, GUAC_LOG_DEBUG,
- "Using keyboard-interactive authentication method");
- return libssh2_userauth_keyboard_interactive(session, username,
- &guac_common_ssh_kbd_callback);
+
+ /* Attempt keyboard-interactive auth using provided password */
+ if (libssh2_userauth_keyboard_interactive(session, username,
+ &guac_common_ssh_kbd_callback)) {
+
+ /* Abort on failure */
+ char* error_message;
+ libssh2_session_last_error(session, &error_message, NULL, 0);
+ guac_client_abort(client,
+ GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
+ "Keyboard-interactive authentication failed: %s",
+ error_message);
+
+ return 1;
+ }
+
+ /* Keyboard-interactive authentication succeeded */
+ return 0;
+
 }

 /* No known authentication types available */
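Review bot: The two success paths (`return 0;` after each attempt) no longer leave any record of which method authenticated, because both `guac_client_log(client, GUAC_LOG_DEBUG, "Using … authentication method")` calls were removed together with the old returns; only failures are reported now, through `guac_client_abort`. Keeping a debug line ahead of each attempt, for example `guac_client_log(client, GUAC_LOG_DEBUG, "Attempting password authentication");`, preserves the trail needed to correlate gateway logs with the SSH server's own auth log. Both failure branches also return 1 where the old code passed libssh2's return value straight through, so a caller that tests for a negative result would now treat a failed login as success. The callers and the rest of guac_common_ssh_authenticate lie outside this hunk, so that should be confirmed and the 0/non-zero contract stated in the function's header comment.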