search for: extra_pad

...Assignee: unassigned-bugs at mindrot.org Reporter: Torben.Hansen.2015 at rhul.ac.uk This concerns part of the function ssh_packet_send2_wrapped() in the file packet.c. The functionality of adding extra padding contains two integer overflows which can be triggered for certain values of extra_pad, block_size and len. Firstly, the computation roundup(state->extra_pad, block_size) can return 0 for certain values of extra_pad and block_size. This causes state->extra_pad = 0 but this variable is used subsequently in a modular operation. Secondly, the assignment padlen += pad might overflo...

I'm reading this fine article on O'Reilly: http://linux.oreillynet.com/lpt/a//linux/2001/11/08/ssh_keystroke.html <quote> The paper concludes that the keystroke timing data observable from today's SSH implementations reveals a dangerously significant amount of information about user terminal sessions--enough to locate typed passwords in the session data stream and reduce the

...n or so, long enough for the "Timeout before authentication for %s" alarm to trigger. If at that point I enter my password ssh will just sit there: debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64) And the sshd will be in this state: Attaching to program: `/private/tmp/OpenSSH.roots/OpenSSH~obj/sshd', process 26589. Reading symbols for shared libraries ...................... done 0x9002cf88 in semaphore_wait_trap () (gdb) bt #0 0x9002cf88 in semaphore_wait_trap () #1 0x9006153c i...

...as defined in [RFC3066] ... </snip> I tested with the OpenBSD ssh client and portable ssh in cygwin. It specifically doesn't send the language tag. Here is the tail of ssh -vvv, <snip> debug1: Next authentication method: password debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug2: input_userauth_passwd_changereq buffer_get: trying to get more bytes 4 than in buffer 0 </snip> I stepped through in the debugger to see that I do get the password change prompt and then we barf when we try to get the lang string...

...info_req_seen debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: debug3: authmethod_is_enabled password debug1: next auth method to try is password root at 192.168.100.1's password: debug1: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive Permission denied, please try again. root at 192.168.100.1's password: debug1: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64) debug2: we sent a pass...

...board-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64) debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 0 debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64) debug1: Authentication succeeded (keyboard-interactive). debug2: fd 4 setting O_NONBLOCK debug3: fd 5 is O_NONBLOCK debug1: channel 0: new [client-sessio...

...lhost... sam at localhost's password: Couldn't read packet: Connection reset by peer -- If I remove sam from the users group, he can SFTP fine, but isn't chrooted. Using -vvv, I get the following: ----- sam at localhost's password: debug3: packet_send2: adding 64 (len 56 padlen 8 extra_pad 64) debug2: we sent a password packet, wait for reply debug3: Wrote 144 bytes for a total of 1639 debug1: Authentication succeeded (password). debug2: fd 4 setting O_NONBLOCK debug3: fd 5 is O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel...

...erver_config: filename /opt/ssh/etc/sshd_config debug2: load_server_config: done config len = 331 debug2: parse_server_config: config /opt/ssh/etc/sshd_config len 331 ssh: debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 0 debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64) debug1: Authentication succeeded (keyboard-interactive). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 -- Michael

...eyboard-interactive,password debug3: authmethod_is_enabled password debug1: Next authentication method: password admin at router's password: ^ The password prompt works fine and blocks wrong passwords properly. This is a failed connection -> debug3: packet_send2: adding 56 (len 61 padlen 11 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). debug2: fd 5 setting O_NONBLOCK debug3: fd 6 is O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-ses...

...hroot, using SFTP and SSH. I guess for an interactive SSH session I may be missing some required system files inside the jail- but I really only need SFTP for this account. Thanks Simon The last ouput from the ssh -vvv command is below:- debug3: packet_send2: adding 48 (len 63 padlen 17 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Entering interactive session. debug2: callback start debug2: client_session2_setu...

...seen debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: debug3: authmethod_is_enabled password debug1: next auth method to try is password mkhurana at unix1.andrew.cmu.edu's password: debug1: packet_send2: adding 48 (len 62 padlen 18 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: ssh-userauth2 successful: method password debug3: clear hostkey 0 debug3: clear hostkey 1 debug3: clear hostkey 2 debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug1: send channel open 0 debug1: Enter...

...yboard-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 24 padlen 8 extra_pad 64) debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 0 debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64) debug1: Authentication succeeded (keyboard-interactive). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channe...

...no info_req_seen debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: debug3: authmethod_is_enabled password debug1: Next authentication method: password amandabackup at lb1's password: debug3: packet_send2: adding 48 (len 67 padlen 13 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). Authenticated to lb1 ([192.168.1.23]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions at openssh....

Hello I think I've found a bug but since no one replied to me on comp.security.ssh, I'll try my luck here. On my client, PreferredAuthentications is set to publickey,password. When using the commands option in authorized_keys file like command="ls" ssh-dss <key>... it is supposed to connect using the private key associated with <key>, perform ls and then quits.

...keyboard-interactive debug1: next auth method to try is keyboard-interactive debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is password ballen at dirac.phys.uwm.edu's password: debug1: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64) debug1: ssh-userauth2 successful: method password debug1: channel 0: new [client-session] debug1: send channel open 0 debug1: Entering interactive session. debug1: ssh_session2_setup: id 0 debug1: channel request 0: pty-req debug1: Requesting X11 forwarding with authentication spoofing. debug1:...

We installed openssh 3.1p1 on our Solaris 2.8 machine using gcc 2.95.2. During the installation, we modified ssh_config and sshd_config to enable X11 and agent forwarding. In sshd_config, we changed the following line to read: X11Forwarding yes In ssh_config, we changed the following two lines to read: ForwardAgent yes ForwardX11 yes Both files are set to permission readable

...h method to try is publickey debug1: try pubkey: /home/art/.ssh/id_rsa debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is keyboard-interactive otp-md5 391 bu2613 ext S/Key Password: debug1: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) Connection closed by se.rv.er.ip debug1: Calling cleanup 0x1b7e0(0x0) $ Script done on Wed Dec 19 11:38:08 2001 -------------- next part -------------- Script started on Wed Dec 19 11:40:22 2001 [greg at bum tmp]$ sudo /usr/sbin/sshd -ddd -p 2222 debug1: sshd version OpenSSH_2.9 FreeBSD locali...

...tion method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug3: Received SSH2_MSG_IGNORE debug2: input_userauth_info_req PAM Authentication debug2: input_userauth_info_req: num_prompts 1 debug3: packet_send2: adding 32 (len 26 padlen 6 extra_pad 64) debug3: Received SSH2_MSG_IGNORE Authenticated with partial success. debug1: Authentications that can continue: password,publickey debug3: start over, passed a different list password,publickey debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3:...

...tions that can continue: publickey,password debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). debug2: fd 5 setting O_NONBLOCK debug2: fd 6 setting O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Entering interact...

...able: no info_req_seen debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: debug3: authmethod_is_enabled password debug1: next auth method to try is password steve at bgvx10's password: debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: ssh-userauth2 successful: method password debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug1: send channel open 0 debug1: Entering interactive session. debug2: callback start debug1: ssh_session2_set...