High severityNVD Advisory· Published Oct 4, 2023· Updated Sep 20, 2024
Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled
CVE-2023-43809
Description
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the allow-keyless setting, and the public key requires additional client-side verification for example using FIDO2 or GPG. This is due to insufficient validation procedures of the public key step during SSH request handshake, granting unauthorized access if the keyboard-interaction mode is utilized. An attacker could exploit this vulnerability by presenting manipulated SSH requests using keyboard-interactive authentication mode. This could potentially result in unauthorized access to the Soft Serve. Users should upgrade to the latest Soft Serve version v0.6.2 to receive the patch for this issue. To workaround this vulnerability without upgrading, users can temporarily disable Keyboard-Interactive SSH Authentication using the allow-keyless setting.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/charmbracelet/soft-serveGo | < 0.6.2 | 0.6.2 |
Affected products
1- Range: < 0.6.2
Patches
1407c4ec72d10fix(ssh): add authentication middleware
2 files changed · +82 −0
server/ssh/middleware.go+34 −0 modified@@ -13,11 +13,45 @@ import ( "github.com/charmbracelet/soft-serve/server/sshutils" "github.com/charmbracelet/soft-serve/server/store" "github.com/charmbracelet/ssh" + "github.com/charmbracelet/wish" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" "github.com/spf13/cobra" + gossh "golang.org/x/crypto/ssh" ) +// ErrPermissionDenied is returned when a user is not allowed connect. +var ErrPermissionDenied = fmt.Errorf("permission denied") + +// AuthenticationMiddleware handles authentication. +func AuthenticationMiddleware(sh ssh.Handler) ssh.Handler { + return func(s ssh.Session) { + // XXX: The authentication key is set in the context but gossh doesn't + // validate the authentication. We need to verify that the _last_ key + // that was approved is the one that's being used. + + pk := s.PublicKey() + if pk != nil { + // There is no public key stored in the context, public-key auth + // was never requested, skip + perms := s.Permissions().Permissions + if perms == nil { + wish.Fatalln(s, ErrPermissionDenied) + return + } + + // Check if the key is the same as the one we have in context + fp := perms.Extensions["pubkey-fp"] + if fp != gossh.FingerprintSHA256(pk) { + wish.Fatalln(s, ErrPermissionDenied) + return + } + } + + sh(s) + } +} + // ContextMiddleware adds the config, backend, and logger to the session context. func ContextMiddleware(cfg *config.Config, dbx *db.DB, datastore store.Store, be *backend.Backend, logger *log.Logger) func(ssh.Handler) ssh.Handler { return func(sh ssh.Handler) ssh.Handler {
server/ssh/ssh.go+48 −0 modified@@ -77,6 +77,11 @@ func NewSSHServer(ctx context.Context) (*SSHServer, error) { LoggingMiddleware, // Context middleware. ContextMiddleware(cfg, dbx, datastore, be, logger), + // Authentication middleware. + // gossh.PublicKeyHandler doesn't guarantee that the public key + // is in fact the one used for authentication, so we need to + // check it again here. + AuthenticationMiddleware, ), } @@ -91,6 +96,16 @@ func NewSSHServer(ctx context.Context) (*SSHServer, error) { return nil, err } + if config.IsDebug() { + s.srv.ServerConfigCallback = func(ctx ssh.Context) *gossh.ServerConfig { + return &gossh.ServerConfig{ + AuthLogCallback: func(conn gossh.ConnMetadata, method string, err error) { + logger.Debug("authentication", "user", conn.User(), "method", method, "err", err) + }, + } + } + } + if cfg.SSH.MaxTimeout > 0 { s.srv.MaxTimeout = time.Duration(cfg.SSH.MaxTimeout) * time.Second } @@ -130,6 +145,19 @@ func (s *SSHServer) Shutdown(ctx context.Context) error { return s.srv.Shutdown(ctx) } +func initializePermissions(ctx ssh.Context) { + perms := ctx.Permissions() + if perms == nil || perms.Permissions == nil { + perms = &ssh.Permissions{Permissions: &gossh.Permissions{}} + } + if perms.Extensions == nil { + perms.Extensions = make(map[string]string) + } + if perms.Permissions.Extensions == nil { + perms.Permissions.Extensions = make(map[string]string) + } +} + // PublicKeyAuthHandler handles public key authentication. func (s *SSHServer) PublicKeyHandler(ctx ssh.Context, pk ssh.PublicKey) (allowed bool) { if pk == nil { @@ -144,6 +172,15 @@ func (s *SSHServer) PublicKeyHandler(ctx ssh.Context, pk ssh.PublicKey) (allowed if user != nil { ctx.SetValue(proto.ContextKeyUser, user) allowed = true + + // XXX: store the first "approved" public-key fingerprint in the + // permissions block to use for authentication later. + initializePermissions(ctx) + perms := ctx.Permissions() + + // Set the public key fingerprint to be used for authentication. + perms.Extensions["pubkey-fp"] = gossh.FingerprintSHA256(pk) + ctx.SetValue(ssh.ContextKeyPermissions, perms) } return @@ -154,5 +191,16 @@ func (s *SSHServer) PublicKeyHandler(ctx ssh.Context, pk ssh.PublicKey) (allowed func (s *SSHServer) KeyboardInteractiveHandler(ctx ssh.Context, _ gossh.KeyboardInteractiveChallenge) bool { ac := s.be.AllowKeyless(ctx) keyboardInteractiveCounter.WithLabelValues(strconv.FormatBool(ac)).Inc() + + // If we're allowing keyless access, reset the public key fingerprint + if ac { + initializePermissions(ctx) + perms := ctx.Permissions() + + // XXX: reset the public-key fingerprint. This is used to validate the + // public key being used to authenticate. + perms.Extensions["pubkey-fp"] = "" + ctx.SetValue(ssh.ContextKeyPermissions, perms) + } return ac }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-mc97-99j4-vm2vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-43809ghsaADVISORY
- github.com/charmbracelet/soft-serve/commit/407c4ec72d1006cee1ff8c1775e5bcc091c2bc89ghsax_refsource_MISCWEB
- github.com/charmbracelet/soft-serve/issues/389ghsax_refsource_MISCWEB
- github.com/charmbracelet/soft-serve/releases/tag/v0.6.2ghsax_refsource_MISCWEB
- github.com/charmbracelet/soft-serve/security/advisories/GHSA-mc97-99j4-vm2vghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.