bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 10:57 UTC
[Bug 1361] New: ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361

           Summary: ssh should handle leading comma in authentication method list
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: graeme.hewson at oracle.com

It's not possible to connect to a certain proprietary appliance using
OpenSSH. Here's an extract from a debug log:

    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/ghewson/.ssh/identity ((nil))
    debug2: key: /home/ghewson/.ssh/id_rsa ((nil))
    debug2: key: /home/ghewson/.ssh/id_dsa (0x8090520)
    debug1: Authentications that can continue: ,password
    debug3: start over, passed a different list ,password
    debug3: preferred publickey,keyboard-interactive,password
    debug1: No more authentication methods to try.
    Permission denied (,password).

Note there's no prompt for a password.

The problem is that the appliance is sending a leading comma in the list
of authentication method names in the userauth response, and ssh isn't
recognising the "password" method.

RFC 4252 "SSH Authentication Protocol" talks of a "comma-separated
name-list" and doesn't seem to rule out there being a leading comma.
RFC 4251 "SSH Protocol Architecture" formally defines a name-list and
says it contains "a comma-separated list of zero or more names"; again,
this doesn't seem to rule out a leading comma.

Going by the principle of "be liberal in what you accept", I believe ssh
should handle this case. Indeed, putty (a fairly old version, 0.57)
handles it, and it's possible to log on to the appliance.

I attach a suggested patch.

--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:03 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> 2007-09-12 21:03:03 ---
What is the endpoint that is exhibiting this behaviour?

bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:14 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2007-09-12 21:14:19 ---
BTW zero-length name entries in a name-list are expressly prohibited by
RFC4251:

      A string containing a comma-separated list of names.  A name-list
      is represented as a uint32 containing its length (number of bytes
      that follow) followed by a comma-separated list of zero or more
      names.  A name MUST have a non-zero length, and it MUST NOT
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      contain a comma (",").  As this is a list of names, all of the
      elements contained are names and MUST be in US-ASCII.

bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:17 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361

--- Comment #3 from Graeme Hewson <graeme.hewson at oracle.com> 2007-09-12 21:17:18 ---
It's a Netscreen firewall. It only exhibits this behaviour when we try
to log in to the admin account, and we intend to change the config to
allow publickey,password authentication.

bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:21 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361

--- Comment #4 from Graeme Hewson <graeme.hewson at oracle.com> 2007-09-12 21:21:29 ---
I still maintain it's possible to interpret ",password" as one name,
not as two with one having zero length.

bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:28 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2007-09-12 21:28:36 ---
(In reply to comment #4)
> I still maintain it's possible to interpret ",password" as one name,
> not as two with one having zero length.

The comma is a separator. What's it separating?

bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:45 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #6 from Damien Miller <djm at mindrot.org> 2007-09-12 21:45:05 ---
(In reply to comment #4)
> I still maintain it's possible to interpret ",password" as one name,
> not as two with one having zero length.

      A string containing a comma-separated list of names.  A name-list
      is represented as a uint32 containing its length (number of bytes
      that follow) followed by a comma-separated list of zero or more
      names.  A name MUST have a non-zero length, and it MUST NOT
                                                  ^^^^^^^^^^^^^^^
      contain a comma (",").  As this is a list of names, all of the
      ^^^^^^^^^^^^^^^^^^^^^^
      elements contained are names and MUST be in US-ASCII.

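
The RFC 4251 rule quoted in comments #2 and #6, as an added example that is not part of this bug thread and not OpenSSH's code: a strict validator for a wire-format name-list, which rejects the ",password" list from the report. The names namelist_check, check_str and the NL_* codes are hypothetical, and the NUL check reflects RFC 4251's separate ban on terminating null characters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example (hypothetical names, not OpenSSH's). */
enum nl_status { NL_OK = 0, NL_TRUNCATED, NL_EMPTY_NAME, NL_NOT_ASCII };

/* Validate a wire-format name-list (uint32 length + comma-separated names). */
enum nl_status namelist_check(const uint8_t *buf, size_t len, size_t *count)
{
    if (len < 4) return NL_TRUNCATED;
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (n > len - 4) return NL_TRUNCATED;   /* declared length exceeds buffer */
    const uint8_t *p = buf + 4;
    size_t name_len = 0;
    *count = 0;                             /* n == 0 is a valid list of zero names */
    for (size_t i = 0; n != 0 && i <= n; i++) {
        if (i < n && p[i] != ',') {         /* ordinary byte inside a name */
            if (p[i] == 0 || p[i] > 0x7f)
                return NL_NOT_ASCII;        /* NUL or non-US-ASCII byte */
            name_len++;
            continue;
        }
        /* A comma or the end of the list closes the current name. */
        if (name_len == 0) return NL_EMPTY_NAME; /* leading, trailing or doubled comma */
        (*count)++;
        name_len = 0;
    }
    return NL_OK;
}

/* Demo helper: add the uint32 length prefix to a short C string. */
enum nl_status check_str(const char *s, size_t *count)
{
    uint8_t buf[4 + 255] = {0};
    size_t n = strlen(s);
    if (n > 255) return NL_TRUNCATED;
    buf[3] = (uint8_t)n;
    memcpy(buf + 4, s, n);
    return namelist_check(buf, 4 + n, count);
}

int main(void)
{
    size_t c = 0;
    enum nl_status st = check_str(",password", &c);  /* list from the bug report */
    printf("\",password\" -> status %d (NL_EMPTY_NAME is %d)\n", st, NL_EMPTY_NAME);
    return 0;
}
```
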
bugzilla-daemon at bugzilla.mindrot.org
2008-Apr-03 23:00 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
https://bugzilla.mindrot.org/show_bug.cgi?id=1361

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> 2008-04-04 10:00:47 ---
Close resolved bugs after release.