From a016b15508e062f3cec9657d085131bdde524af1 Mon Sep 17 00:00:00 2001
From: Yves Biener
Date: Sat, 8 Nov 2025 12:36:06 +0100
Subject: [PATCH] feat: keyboard interactive login for unlimited access configurations

If users are limited they are only allowed to authenticate via their ssh private-public key-pair, which the configuration holds for each accepted user accordingly.
---
 internal/serve/serve.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/internal/serve/serve.go b/internal/serve/serve.go
index 9fa2ad8..a1edaa8 100644
--- a/internal/serve/serve.go
+++ b/internal/serve/serve.go
@@ -15,6 +15,7 @@ import (
 "github.com/charmbracelet/wish"
 "github.com/charmbracelet/wish/activeterm"
 "github.com/charmbracelet/wish/logging"
+ gossh "golang.org/x/crypto/ssh"
 )
 
 // Setup default logger to append or create a new log file `log` in the current
@@ -51,6 +52,15 @@ func setupSshServer(host string, port string, host_key_path string, users map[st
 }
 return false
 }),
+ wish.WithKeyboardInteractiveAuth(func(_ ssh.Context, _ gossh.KeyboardInteractiveChallenge) bool {
+ if len(users) == 0 {
+ // no users provided, meaning there is no user authentication, everyone is allowed to connect
+ return true
+ }
+ // NOTE interactive logins through keyboard challenges shall not be allowed; use
+ // ssh public-private key-pairs instead for limited access
+ return false
+ }),
 ssh.AllocatePty(),
 wish.WithMiddleware(
 func(next ssh.Handler) ssh.Handler {
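Review bot: The `len(users) == 0` branch of the new `WithKeyboardInteractiveAuth` callback fails open, because an empty or nil `users` map admits every client without issuing a challenge. If the user list is ever empty by accident (a config that did not load, a mistyped key, a stripped section), a key-restricted server silently becomes an open one. Open access should be an explicit opt-in rather than inferred from emptiness, for example `if allowAnonymous && len(users) == 0 { return true }`, where `allowAnonymous` is a proposed new, explicitly configured option. The callback also discards its `ssh.Context`, so the open path leaves no record; naming the parameter and logging `ctx.User()` and `ctx.RemoteAddr()` before `return true` would give an audit trail. `setupSshServer` starts and ends outside this hunk, so whether `users` is validated earlier or the server warns at startup is not visible here.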