**sshconnect.c:**

- Transer ssh_webproxy_connect() function - Transer NX conditional error messages with `NX>207` prefix - Transer NX-specific host key verification logic **sshconnect2.c:** - Reorder authentication methods for NX modes - Transer password reading from stdin for NX modes - Transer retry limit for `NxAuthOnlyModeEnabled` **readpass.c:** - Move NX wrapper `read_passphrase()` to take into account new 9.6 features (SSH_ASKPASS_REQUIRE, prompt hints)

sshconnect.c:
380d8e79 · Konstantin Artyushkin · 6d4624c1 · 380d8e79 · 380d8e79 · 380d8e79
Commit 380d8e79 authored Feb 24, 2026 by Konstantin Artyushkin
Hide whitespace changes
Inline Side-by-side

Showing with 72 additions and 3 deletions

readpass.c readpass.c +24 -0

sshconnect.c sshconnect.c +16 -0

sshconnect2.c sshconnect2.c +32 -3

No files found.
--- a/readpass.c
+++ b/readpass.c
@@ -47,6 +47,12 @@
 #include "ssh.h"
 #include "uidswap.h"

+extern int NxModeEnabled;
+extern int NxAuthOnlyModeEnabled;
+extern int NXStdinPassEnabled;
+extern int NXServerMode;
+extern int NxAdminModeEnabled;
+
 static char *
 ssh_askpass(char *askpass, const char *msg, const char *env_hint)
 {
@@ -139,6 +145,24 @@ read_passphrase(const char *prompt, int flags)
 			allow_askpass = 0;
 	}

+	/*
+	 * In NX mode, read passphrase from stdin directly
+	 * rather than from the tty or askpass.
+	 */
+	if (NxAuthOnlyModeEnabled || NxModeEnabled || NXStdinPassEnabled) {
+		rppflags = RPP_ECHO_OFF;
+		if (flags & RP_ALLOW_STDIN)
+			rppflags |= RPP_STDIN;
+		if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
+			if (flags & RP_ALLOW_EOF)
+				return NULL;
+			return xstrdup("");
+		}
+		ret = xstrdup(buf);
+		explicit_bzero(buf, sizeof(buf));
+		return ret;
+	}
+
 	rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
 	if (use_askpass)
 		debug_f("requested to askpass");

--- a/sshconnect.c
+++ b/sshconnect.c
@@ -67,6 +67,10 @@
 #include "authfile.h"
 #include "ssherr.h"
 #include "authfd.h"
+
+extern int NxModeEnabled;
+extern int NxAuthOnlyModeEnabled;
+extern int NxAdminModeEnabled;
 #include "kex.h"

 struct sshkey *previous_host_key = NULL;
@@ -510,6 +514,13 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
 				oerrno = errno;
 				debug("connect to address %s port %s: %s",
 				    ntop, strport, strerror(errno));
+				if (NxAdminModeEnabled) {
+					fprintf(stdout, "NX> 207 nxssh: connect to address %s port %s: %s\n",
+					    ntop, strport, strerror(errno));
+				} else if (NxAuthOnlyModeEnabled) {
+					fprintf(stdout, "NX> 207 nxssh: connect to address %s port %s: %s",
+					    ntop, strport, strerror(errno));
+				}
 				close(sock);
 				sock = -1;
 				errno = oerrno;
@@ -528,6 +539,9 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,

 	debug("Connection established.");

+	if (NxModeEnabled)
+		logit("NX> 200 Connected to address: %.200s on port: %.200s", ntop, strport);
+
 	/* Set SO_KEEPALIVE if requested. */
 	if (want_keepalive &&
 	    setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
@@ -1583,6 +1597,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
 	/* key exchange */
 	/* authenticate user */
 	debug("Authenticating to %s:%d as '%s'", host, port, server_user);
+	if (NxModeEnabled)
+		logit("NX> 202 Authenticating user: %.200s", server_user);
 	ssh_kex2(ssh, host, hostaddr, port, cinfo);
 	ssh_userauth2(ssh, local_user, server_user, host, sensitive);
 	free(local_user);

--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -79,6 +79,12 @@
 #include "ssh-gss.h"
 #endif

+extern int NxModeEnabled;
+extern int NxAuthOnlyModeEnabled;
+extern int NXStdinPassEnabled;
+extern int NXServerMode;
+extern int NxAdminModeEnabled;
+
 /* import */
 extern char *client_version_string;
 extern char *server_version_string;
@@ -485,8 +491,26 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,

 	ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);

-	if (!authctxt.success)
-		fatal("Authentication failed.");
+	if (!authctxt.success) {
+		if (NxModeEnabled || NxAuthOnlyModeEnabled || NXServerMode || NxAdminModeEnabled) {
+			fprintf(stdout, "NX> 204 Authentication failed.\n");
+			fflush(stdout);
+			cleanup_exit(255);
+		} else {
+			fatal("Authentication failed.");
+		}
+	}
+	if (NxAuthOnlyModeEnabled) {
+		fprintf(stdout, "NX> 206 ssh-userauth2 successful: method %s\n",
+		    authctxt.method->name);
+		fflush(stdout);
+		cleanup_exit(0);
+	}
+	if (NxModeEnabled || NxAdminModeEnabled) {
+		fprintf(stdout, "NX> 208 Using auth method: %s\n",
+		    authctxt.method->name);
+		fflush(stdout);
+	}
 	if (ssh_packet_connection_is_on_socket(ssh)) {
 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
@@ -1053,7 +1077,12 @@ userauth_passwd(struct ssh *ssh)
 	if (authctxt->attempt_passwd != 1)
 		error("Permission denied, please try again.");

-	xasprintf(&prompt, "%s@%s's password: ", authctxt->server_user, host);
+	if (NxAuthOnlyModeEnabled || NxModeEnabled || NXStdinPassEnabled)
+		xasprintf(&prompt, "NX> 205 %s@%s's password: ",
+		    authctxt->server_user, authctxt->host);
+	else
+		xasprintf(&prompt, "%s@%s's password: ",
+		    authctxt->server_user, host);
 	password = read_passphrase(prompt, 0);
 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||