From 3e6f4464af7e90ada2bebcfeae722ac0cc0700b6 Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Wed, 26 Feb 2025 16:37:13 -0800
Subject: [PATCH] make sure to include methods in deny response

---
 authorize/ssh_grpc.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/authorize/ssh_grpc.go b/authorize/ssh_grpc.go
index 96a79c39c..eca5c9497 100644
--- a/authorize/ssh_grpc.go
+++ b/authorize/ssh_grpc.go
@@ -440,11 +440,18 @@ func handleEvaluatorResponseForSSH(
 	// XXX: do we want to send an equivalent to the "show error details" output
 	//      in the case of a deny result?
 
+	methods := []string{"publickey"}
+	if slices.Contains(state.MethodsAuthenticated, "keyboard-interactive") {
+		methods = append(methods, "keyboard-interactive")
+	}
+
 	return &extensions_ssh.ServerMessage{
 		Message: &extensions_ssh.ServerMessage_AuthResponse{
 			AuthResponse: &extensions_ssh.AuthenticationResponse{
 				Response: &extensions_ssh.AuthenticationResponse_Deny{
-					Deny: &extensions_ssh.DenyResponse{},
+					Deny: &extensions_ssh.DenyResponse{
+						Methods: methods,
+					},
 				},
 			},
 		},