wolfsshd: implement PubkeyAuthentication config directive

[yosuke-wolfssl]

Description

WOLFSSHD_CONFIG declared and copied a pubKeyAuth bit field, but there was no parser, no options[] entry, and no read of it anywhere. So PubkeyAuthentication no was rejected as an unknown directive, and an admin had no way to enforce a password-only / certificate-only policy — any user with a valid authorized_keys entry could log in.

Changes

• Implement the directive — PubkeyAuthentication parser + options[] entry, accessor wolfSSHD_ConfigGetPubKeyAuth, default enabled.
• Enforce it — RequestAuthentication rejects pubkey when disabled; DefaultUserAuthTypes only advertises pubkey when enabled.
• Fix a latent core bug — disabling both auth methods made the advertised mask 0, causing GetAllowedAuth to underflow to -1 and abort the connection; now returns a clean empty-list USERAUTH_FAILURE.
• Tests — parser vectors, advertise-mask permutations (incl. both-disabled), copy/Match coverage at non-default values, and an empty-list USERAUTH_FAILURE unit test.

[Copilot]

Pull request overview

Implements support in wolfsshd for the PubkeyAuthentication configuration directive, enabling administrators to disable/enable public-key authentication, and fixes a core USERAUTH_FAILURE edge case when zero authentication methods are advertised.

Changes:

• Add PubkeyAuthentication parsing/config plumbing (option entry, default enabled, accessor).
• Enforce configuration in authentication: reject publickey auth when disabled and only advertise enabled methods.
• Fix SendUserAuthFailure empty-methods handling (avoid underflow) and add unit/regression tests for both wolfsshd and core behavior.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
wolfssh/internal.h	Adds internal-test API for SendUserAuthFailure to support regression testing.
src/internal.c	Fixes GetAllowedAuth() trailing-comma removal to correctly handle empty method lists.
tests/unit.c	Adds regression test ensuring USERAUTH_FAILURE is well-formed when advertised auth mask is 0.
apps/wolfsshd/configuration.h	Adds WOLFSSHD_STATIC test-visibility macro and wolfSSHD_ConfigGetPubKeyAuth() accessor declaration.
apps/wolfsshd/configuration.c	Implements PubkeyAuthentication directive parsing, default enable, and accessor.
apps/wolfsshd/auth.h	Exposes wolfSSHD_GetUserAuthTypes() to wolfsshd unit tests.
apps/wolfsshd/auth.c	Enforces PubkeyAuthentication and uses config-derived advertisement mask in DefaultUserAuthTypes().
apps/wolfsshd/test/test_configuration.c	Adds parser/copy/match tests for PubkeyAuthentication and tests auth-method advertisement permutations.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1011

Scan targets checked: none
Failed targets: wolfssh-bugs, wolfssh-src

⚠️ Review incomplete — one or more scan targets failed before findings could be produced. See the Fenrir PR review detail page for logs.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1011

Scan targets checked: none
Failed targets: wolfssh-bugs, wolfssh-src

⚠️ Review incomplete — one or more scan targets failed before findings could be produced. See the Fenrir PR review detail page for logs.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1011

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅