bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 10:57 UTC
[Bug 1361] New: ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361
Summary: ssh should handle leading comma in authentication method list
Product: Portable OpenSSH
Version: 4.7p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: graeme.hewson at oracle.com
It's not possible to connect to a certain proprietary appliance using
OpenSSH. Here's an extract from a debug log:
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ghewson/.ssh/identity ((nil))
debug2: key: /home/ghewson/.ssh/id_rsa ((nil))
debug2: key: /home/ghewson/.ssh/id_dsa (0x8090520)
debug1: Authentications that can continue: ,password
debug3: start over, passed a different list ,password
debug3: preferred publickey,keyboard-interactive,password
debug1: No more authentication methods to try.
Permission denied (,password).
Note there's no prompt for a password. The problem is that the
appliance is sending a leading comma in the list of authentication
method names in the userauth response, and ssh isn't recognising the
"password" method.
RFC 4252 "SSH Authentication Protocol" talks of a "comma-separated
name-list" and doesn't seem to rule out there being a leading comma.
RFC 4251 "SSH Protocol Architecture" formally defines a name-list and
says it contains "a comma-separated list of zero or more names"; again,
this doesn't seem to rule out a leading comma. Going by the principle
of "be liberal in what you accept", I believe ssh should handle this
case. Indeed, putty (a fairly old version, 0.57) handles it, and it's
possible to log on to the appliance.
I attach a suggested patch.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:03 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
--- Comment #1 from Damien Miller <djm at mindrot.org> 2007-09-12 21:03:03 ---
What is the endpoint that is exhibiting this behaviour?
bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:14 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2007-09-12 21:14:19 ---
BTW zero-length name entries in a name-list are expressly prohibited by
RFC4251:
A string containing a comma-separated list of names. A name-list
is represented as a uint32 containing its length (number of bytes
that follow) followed by a comma-separated list of zero or more
names. A name MUST have a non-zero length, and it MUST NOT
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
contain a comma (","). As this is a list of names, all of the
elements contained are names and MUST be in US-ASCII.
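The two points made above, the ",password" list in the bug's debug log and the RFC 4251 rule that a name MUST have a non-zero length, can be seen side by side in a small decoder. This is an added example written for this page, not code from OpenSSH, PuTTY or anyone in the thread: it parses a name-list as it appears on the wire (uint32 length followed by comma-separated US-ASCII names), with a `strict` flag that is this example's own switch between rejecting an empty element as the RFC requires and skipping it as the reporter's patch argued for. The `struct namelist`, `password_offered` and `encode_namelist` helpers are likewise the example's own; the ",password" input is the string from the debug log, and the other sample lists are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16      /* example limits, not protocol constants */
#define MAX_NAME_LEN 64

struct namelist {
    size_t count;
    char names[MAX_NAMES][MAX_NAME_LEN];
};

/* Decode an SSH name-list (RFC 4251 section 5): a big-endian uint32 byte
 * count followed by that many bytes of comma-separated names.
 * strict = true  -> an empty element (leading, trailing or doubled comma)
 *                   makes the whole list malformed, as the RFC requires.
 * strict = false -> empty elements are skipped (the lenient reading).
 * Returns 0 on success, -1 on a malformed list. */
int parse_namelist(const uint8_t *buf, size_t buflen, bool strict,
                   struct namelist *out)
{
    if (buflen < 4)
        return -1;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len > buflen - 4)          /* declared length must not run past the data */
        return -1;
    out->count = 0;
    if (len == 0)                  /* "zero or more names": an empty list is legal */
        return 0;
    const uint8_t *p = buf + 4, *end = p + len, *start = p;
    for (;;) {
        if (p == end || *p == ',') {
            size_t nlen = (size_t)(p - start);
            if (nlen == 0) {
                if (strict)
                    return -1;     /* "A name MUST have a non-zero length" */
            } else {
                if (nlen >= MAX_NAME_LEN || out->count >= MAX_NAMES)
                    return -1;
                memcpy(out->names[out->count], start, nlen);
                out->names[out->count][nlen] = '\0';
                out->count++;
            }
            if (p == end)
                break;
            start = p + 1;
        } else if (*p < 0x21 || *p > 0x7e) {
            return -1;             /* names MUST be US-ASCII; also reject controls/space */
        }
        p++;
    }
    return 0;
}

bool namelist_contains(const struct namelist *nl, const char *name)
{
    for (size_t i = 0; i < nl->count; i++)
        if (strcmp(nl->names[i], name) == 0)
            return true;
    return false;
}

/* Build the wire form of a name-list from a C string (example helper). */
size_t encode_namelist(const char *s, uint8_t *buf, size_t buflen)
{
    size_t len = strlen(s);
    if (buflen < 4 + len)
        return 0;
    buf[0] = (uint8_t)(len >> 24); buf[1] = (uint8_t)(len >> 16);
    buf[2] = (uint8_t)(len >> 8);  buf[3] = (uint8_t)len;
    memcpy(buf + 4, s, len);
    return 4 + len;
}

/* Does the server's list, parsed under the given policy, offer "password"?
 * Returns 1 = yes, 0 = no, -1 = list rejected as malformed. */
int password_offered(const char *wire_names, bool strict)
{
    uint8_t buf[128];
    struct namelist nl;
    size_t n = encode_namelist(wire_names, buf, sizeof buf);
    if (n == 0 || parse_namelist(buf, n, strict, &nl) != 0)
        return -1;
    return namelist_contains(&nl, "password") ? 1 : 0;
}

int main(void)
{
    /* ",password" is exactly what the appliance sent in the debug log above. */
    printf("strict  \",password\"            -> %d\n", password_offered(",password", true));
    printf("lenient \",password\"            -> %d\n", password_offered(",password", false));
    printf("strict  \"publickey,password\"   -> %d\n", password_offered("publickey,password", true));
    return 0;
}
```

Under the strict policy the ",password" list is rejected outright, which is the RFC-conformant outcome and why ssh ends with "No more authentication methods to try"; under the lenient policy the empty element is dropped and "password" is found, which is the behaviour the reporter's patch asked for and the thread's maintainers declined.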
bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:17 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361
--- Comment #3 from Graeme Hewson <graeme.hewson at oracle.com> 2007-09-12 21:17:18 ---
It's a Netscreen firewall. It only exhibits this behaviour when we try
to log in to the admin account, and we intend to change the config to
allow publickey,password authentication.
bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:21 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361
--- Comment #4 from Graeme Hewson <graeme.hewson at oracle.com> 2007-09-12 21:21:29 ---
I still maintain it's possible to interpret ",password" as one name,
not as two with one having zero length.
bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:28 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2007-09-12 21:28:36 ---
(In reply to comment #4)
> I still maintain it's possible to interpret ",password" as one name,
> not as two with one having zero length.
The comma is a separator. What's it separating?
bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-12 11:45 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
http://bugzilla.mindrot.org/show_bug.cgi?id=1361
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #6 from Damien Miller <djm at mindrot.org> 2007-09-12 21:45:05 ---
(In reply to comment #4)
> I still maintain it's possible to interpret ",password" as one name,
> not as two with one having zero length.
A string containing a comma-separated list of names. A name-list
is represented as a uint32 containing its length (number of bytes
that follow) followed by a comma-separated list of zero or more
names. A name MUST have a non-zero length, and it MUST NOT
^^^^^^^^^^^^^^^
contain a comma (","). As this is a list of names, all of the
^^^^^^^^^^^^^^^^^^^^^^
elements contained are names and MUST be in US-ASCII.
bugzilla-daemon at bugzilla.mindrot.org
2008-Apr-03 23:00 UTC
[Bug 1361] ssh should handle leading comma in authentication method list
https://bugzilla.mindrot.org/show_bug.cgi?id=1361
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #7 from Damien Miller <djm at mindrot.org> 2008-04-04 10:00:47 ---
Close resolved bugs after release.