user.name/user.password superseeded by basicAuth

[Utopiah]

Depending on the type of issue, please include the following information:

• Node and NPM Version
  • node -v v10.24.0
  • npm -v 5.8.0
• Server OS Version / Distribution / Processor Architecture
  • uname -a Linux ff0e59c9fbed 5.8.0-44-generic Update standard to the latest version 🚀 #50-Ubuntu SMP Tue Feb 9 06:29:41 UTC 2021 x86_64 GNU/Linux
  • cat /etc/os-release Debian GNU/Linux 10 (buster)
• WebSSH2 release version
  • grep version app/package.json 0.3.1
• OS and Version of SSH server connecting to
  • uname -a Linux ff0e59c9fbed 5.8.0-44-generic Update standard to the latest version 🚀 #50-Ubuntu SMP Tue Feb 9 06:29:41 UTC 2021 x86_64 GNU/Linux
  • sshd -v OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019
• Browser Version and OS
  • Firefox 88.0.1 (64-bit) on Ubuntu
• Any log or messages from the WebSSH2 output
  • WebSSH2 error: Authentication failure user=utopiah from=172.21.0.11 despite having "user": { "name": "shelltest", .. in app/config.json which unfortunately with Switch User not woking in FireFox #196 means I have to use another domain.

I had a proper setup working. I switched from IP authentication on my reverse proxy to basic auth. Unfortunately despite specifying name/password in the configuration file and maybe due to "permit usage with some SSO systems that can replay credentials over HTTP basic." it used the basicAuth. I was expecting that the configuration file, when values are defined, would prevent user modification. If this is the expected usage then I suppose, if it's not a corner case, that being able to avoid replaying basicAuth would help.

PS: to clarify, if basicAuth on my reverse proxy and the user on the target machine of WebSSH are identical, it works. This is though not what I expected when I relied on the configuration file with the other user shelltest. I'd like to be able to force that behavior.

[billchurch]

First off, great issue template usage! 🥇

If I understand your use case correctly. You authenticate to your proxy using HTTP Basic. Then you connect to the WebSSH2 instance through that proxy and you have config.json user.name and user.password populated.

Client ---> [HTTP(S) Proxy] ---> [WebSSH2]

While, it makes sense to assume that if this is defined in config.json it should override anything sent in Basic Auth, what it does in practice is "pre-authorize" so that the HTTP 401 is never sent to the client (thereby the client won't create the Authorization: Basic header)...

However, if that header is inplace (by something already upstream, or set by the client manually) it will take priority over what is in config.json.

This wasn't something I had considered when designing this, as my use-case and environment was pretty controlled, we strip all client headers off the requests as they pass through so it's not really an issue.

That being said, it makes sense for this to work as you expect it to and I'd like to add that to the list. For now, depending on the proxy you're using you may be able to strip this header off before sending requests to /ssh/ and that would prevent the override of these settings in config.json.

Tagging #242 for inclusion

[billchurch]

@Utopiah check out 0.4.0-testing-2 and see if this does what you want.

[Utopiah]

@billchurch very nice, indeed it worked now as expected!