Peter Gutmann
2015-Apr-07 05:08 UTC
OpenSSH 6.6.x sends invalid SSH_MSG_USERAUTH_INFO_REQUEST
Darren Tucker <dtucker at zip.com.au> writes:

>Assuming that's the whole packet, I think that's a zero-prompt
>USERAUTH_INFO_REQUEST packet containing empty name, instructions and language
>strings. What do you mean by "fails a data-validity check"?

My code checks for sane values in the fields in the packet, so it rejects it as
malformed before it gets to the interesting philosophical issue of how to send
a response to a request for zero responses.

>If it was just the prompt part of the packet, what's in the name and
>instruction fields?

Nothing. All fields are empty, so if you take this (RFC 4256):

      byte      SSH_MSG_USERAUTH_INFO_REQUEST
[0]   string    name (ISO-10646 UTF-8)
[0]   string    instruction (ISO-10646 UTF-8)
[0]   string    language tag (as defined in [RFC-3066])
[0]   int       num-prompts
      string    prompt[1] (ISO-10646 UTF-8)
      boolean   echo[1]
      ...
      string    prompt[num-prompts] (ISO-10646 UTF-8)
      boolean   echo[num-prompts]

and set all fields to empty, you get 16 bytes of zeros (marked up above).

>Zero prompts is specifically allowed by RFC4256 section 3.2:
>
>" The num-prompts field may be `0', in which case there will be no
> prompt/echo fields in the message, but the client SHOULD still
> display the name and instruction fields (as described below)."

Sure, but since they're also empty there's nothing to display. So it's really
a case of "what do you do in response to a request for zero responses?". I'm
not sure if promulgating koans was a goal of OpenSSH.

Peter.
Darren Tucker
2015-Apr-07 05:36 UTC
OpenSSH 6.6.x sends invalid SSH_MSG_USERAUTH_INFO_REQUEST
On Tue, Apr 7, 2015 at 3:08 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Darren Tucker <dtucker at zip.com.au> writes:
> [...]
> My code checks for sane values in the fields in the packet, so it rejects it
> as malformed before it gets to the interesting philosophical issue of how to
> send a response to a request for zero responses.

IMO it's not malformed, see below.

> >If it was just the prompt part of the packet, what's in the name and
> >instruction fields?
>
> Nothing. All fields are empty,

That's explicitly allowed by RFC4256. In addition to allowing zero prompts,
section 3.2 also says:

"The language tag is deprecated and SHOULD be the empty string."

and

"The name and instruction fields MAY be empty strings; the client MUST be
prepared to handle this correctly. The prompt field(s) MUST NOT be empty
strings."

> >Zero prompts is specifically allowed by RFC4256 section 3.2:
> >[...]
> Sure, but since they're also empty there's nothing to display. So it's really
> a case of "what do you do in response to a request for zero responses?".

Do what it says in RFC4256 section 3.4?

"In the case that the server sends a `0' num-prompts field in the request
message, the client MUST send a response message with a `0' num-responses
field to complete the exchange."

> I'm not sure if promulgating koans was a goal of OpenSSH.

I'd like to think one of the goals was implementing the RFCs :-)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
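As an added example, not code from OpenSSH, cryptlib or either poster: a small Python codec for the two RFC 4256 keyboard-interactive messages the two messages above argue over. It parses the all-empty request Peter describes (the type byte followed by 16 zero bytes), accepts zero prompts and empty name/instruction/language strings as section 3.2 allows, rejects an empty prompt string as that section requires, and answers a zero-prompt request with the zero-response reply section 3.4 demands. The message numbers 60 and 61 are the ones RFC 4256 assigns; the class, function and sample-packet names are this example's own, and the sample packets are constructed here, not captured from any server.

```python
"""RFC 4256 keyboard-interactive message codec (added example, not OpenSSH code).

Wire primitives follow RFC 4251 section 5: uint32 big-endian, string =
uint32 length + bytes, boolean = one byte.  Message numbers per RFC 4256
section 5.
"""
import struct
from dataclasses import dataclass, field

SSH_MSG_USERAUTH_INFO_REQUEST = 60
SSH_MSG_USERAUTH_INFO_RESPONSE = 61


class MalformedPacket(ValueError):
    """Packet violates RFC 4251 framing or an RFC 4256 MUST."""


def _uint32(buf, off):
    if off + 4 > len(buf):
        raise MalformedPacket("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _string(buf, off):
    n, off = _uint32(buf, off)
    if off + n > len(buf):
        raise MalformedPacket("truncated string")
    return buf[off:off + n], off + n


def _utf8(b):
    try:
        return b.decode("utf-8")
    except UnicodeDecodeError as e:
        raise MalformedPacket("invalid UTF-8") from e


def _put_string(s):
    b = s.encode("utf-8")
    return struct.pack(">I", len(b)) + b


@dataclass
class InfoRequest:                       # example's own type, not an OpenSSH struct
    name: str = ""
    instruction: str = ""
    language: str = ""                   # deprecated, SHOULD be empty (RFC 4256 3.2)
    prompts: list = field(default_factory=list)   # (prompt, echo) pairs


def build_info_request(req):
    """Server side: encode an SSH_MSG_USERAUTH_INFO_REQUEST."""
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    out += _put_string(req.name) + _put_string(req.instruction) + _put_string(req.language)
    out += struct.pack(">I", len(req.prompts))
    for prompt, echo in req.prompts:
        out += _put_string(prompt) + bytes([1 if echo else 0])
    return out


def parse_info_request(pkt):
    """Client side: decode an INFO_REQUEST, enforcing only what RFC 4256 actually forbids."""
    if not pkt or pkt[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise MalformedPacket("not an INFO_REQUEST")
    off = 1
    name, off = _string(pkt, off)          # MAY be empty (3.2)
    instruction, off = _string(pkt, off)   # MAY be empty (3.2)
    language, off = _string(pkt, off)      # SHOULD be empty (3.2)
    num, off = _uint32(pkt, off)
    # num-prompts == 0 is legal (3.2), so it is not a sanity failure.  A count that
    # cannot fit in the packet is: every prompt needs a 4-byte length plus 1 echo byte.
    if num > (len(pkt) - off) // 5:
        raise MalformedPacket("num-prompts exceeds packet length")
    prompts = []
    for _ in range(num):
        prompt, off = _string(pkt, off)
        if not prompt:
            raise MalformedPacket("prompt MUST NOT be empty (RFC 4256 3.2)")
        if off >= len(pkt):
            raise MalformedPacket("truncated echo flag")
        echo, off = pkt[off] != 0, off + 1
        prompts.append((_utf8(prompt), echo))
    if off != len(pkt):
        raise MalformedPacket("trailing bytes")
    return InfoRequest(_utf8(name), _utf8(instruction), _utf8(language), prompts)


def build_info_response(responses):
    """Client side: encode SSH_MSG_USERAUTH_INFO_RESPONSE; zero responses is valid (3.4)."""
    out = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    return out + b"".join(_put_string(r) for r in responses)


def parse_info_response(pkt, expected_prompts):
    """Server side: num-responses MUST equal num-prompts (3.4), else the server fails the auth."""
    if not pkt or pkt[0] != SSH_MSG_USERAUTH_INFO_RESPONSE:
        raise MalformedPacket("not an INFO_RESPONSE")
    num, off = _uint32(pkt, 1)
    if num != expected_prompts:
        raise MalformedPacket("num-responses %d != num-prompts %d" % (num, expected_prompts))
    responses = []
    for _ in range(num):
        r, off = _string(pkt, off)
        responses.append(_utf8(r))
    if off != len(pkt):
        raise MalformedPacket("trailing bytes")
    return responses


def client_answer(pkt, ask):
    """Parse a request and answer each prompt with ask(prompt, echo).
    For the zero-prompt case ask() is never called and the reply carries 0 responses."""
    req = parse_info_request(pkt)
    return build_info_response([ask(p, e) for p, e in req.prompts])


# Constructed sample: the packet from the thread, type byte then 16 zero bytes
# (three empty strings and num-prompts = 0).
ZERO_PROMPT_REQUEST = bytes([SSH_MSG_USERAUTH_INFO_REQUEST]) + b"\x00" * 16
# Constructed sample with one real prompt, for comparison.
PASSWORD_REQUEST = build_info_request(InfoRequest(prompts=[("Password: ", False)]))

if __name__ == "__main__":
    print(parse_info_request(ZERO_PROMPT_REQUEST))
    print(client_answer(ZERO_PROMPT_REQUEST, lambda p, e: "unused").hex())
```

The sanity checks worth keeping are the ones the RFC states as MUSTs (non-empty prompts, a prompt count the packet can actually hold, a response count matching the prompt count); an "empty name and instruction" check rejects a packet the spec explicitly permits.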