Do not send extra ssh_message_reply_default()

Keyboard-interactive sends a reply when it initializes, in which
case we should manipulate connection state: we have not succeeded
in auth nor have we failed.

This state needs to be recognized, so we do not call
ssh_message_reply_default(), as that translates in an immediate
SSH_MSG_USERAUTH_FAILURE, which means on retry this message will
leak into the open session, where it is not a valid command.

Change auth_ret into a tri-state, with a new -1 state.

Fixes #68.

Signed-off-by: Robert Varga <robert.varga@pantheon.tech>

Author: rovarga

src/session_server_ssh.c

@@ -855,19 +855,26 @@ nc_sshcb_auth_kbdint(struct nc_session *session, ssh_message msg)
             char echo[] = {0};
 
             ssh_message_auth_interactive_request(msg, "Interactive SSH Authentication", "Type your password:", 1, prompts, echo);
+            auth_ret = -1;
         } else {
             if (ssh_userauth_kbdint_getnanswers(session->ti.libssh.session) != 1) {// failed session
                 ssh_message_reply_default(msg);
                 return;
             }
             pass_hash = auth_password_get_pwd_hash(session->username);// get hashed password
             if (pass_hash) {
-                auth_ret = auth_password_compare_pwd(pass_hash, ssh_userauth_kbdint_getanswer(session->ti.libssh.session, 0));
+                /* Normalize auth_password_compare_pwd result to 0 or 1 */
+                auth_ret = !!auth_password_compare_pwd(pass_hash, ssh_userauth_kbdint_getanswer(session->ti.libssh.session, 0));
                 free(pass_hash);// free hashed password
             }
         }
     }
 
+    /* We have already sent a reply */
+    if (auth_ret == -1) {
+        return;
+    }
+
     /* Authenticate message based on outcome */
     if (!auth_ret) {
         session->flags |= NC_SESSION_SSH_AUTHENTICATED;