search for: ssh2_msg_userauth_request

Hello my name is Derek Bodin. ? As a personal side project I am trying to create a java SSH2 server.? I have so far been able to work my through the transportation protocol and the user authentication protocol.? My question is when the authentication protocol starts OpenSSH will sit and hang waiting for the server to send a SSH_MSG_USERAUTH_FAILURE packet and a list of appropriate authentication

...2003 00:59:27 -0000 1.112 +++ auth2.c 1 Mar 2003 17:37:41 -0000 @@ -228,16 +228,7 @@ userauth_finish(Authctxt *authctxt, int if (authctxt->postponed) return; - /* XXX todo: check if multiple auth methods are needed */ - if (authenticated == 1) { - /* turn off userauth */ - dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); - packet_start(SSH2_MSG_USERAUTH_SUCCESS); - packet_send(); - packet_write_wait(); - /* now we can break out */ - authctxt->success = 1; - } else { + if (!authenticated) { if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_M...

I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implemention. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of

Yo All! I have been playing with SSH 2.2.0 from www.ssh.com. I can not connect to openssh 2.2.1p1 using Ver 2 protocol from ssh Ver 2.2.0. Ver 1 works fine. See below for the debug output from both ends If I force hmac-md5 (-m hmac-md5) from the sender it works! The other 3 choices fail: hmac-sha1; hmac-md5-96; and none. I have no problem connecting to this openssh host (hobbes) from

..."The user name may be an empty string if it can be deduced from the results of the GSSAPI authentication." http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-10.txt Our modified PuTTY client has support for this; it sends a packet like this Outgoing packet type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST) 00000000 00 00 00 00 00 00 00 0e 73 73 68 2d 63 6f 6e 6e ........ssh-conn 00000010 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 70 69 ection....gssapi 00000020 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 00 00 -with-mic....... 00000030 0b 06 09 2a 86 48 86 f7 12 01 02 02 ......

...platforms that support it then the correct thing happens since pam_chauthtok is run later on and if that fails the session is disconnected using fatal(). This doesn't need to be changed but it would be nice if it worked as per the draft. Similarly A client may also send a new password in the SSH2_MSG_USERAUTH_REQUEST, OpenSSH's sshd current ignores this and log's not supported. Currently an OpenSSH client receiving SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ from a server will die because that packet is not expected. I have a partial solution for the client side support of recieving a SSH_MSG_USERAUTH_PASSWD_...

...if (loginsuccess(authctxt->user?authctxt->user:"NOUSER", + get_canonical_hostname(options.reverse_mapping_check), + "ssh", &aixloginmsg) < 0) + aixloginmsg = NULL; + #endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); packet_start(SSH2_MSG_USERAUTH_SUCCESS);

...get_string(NULL); + if (!(datafellows & SSH_BUG_PWDCHGREQ)) { + lang = packet_get_string(NULL); + xfree(lang); + } if (strlen(info) > 0) logit("%s", info); xfree(info); - xfree(lang); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service);

...uest_receive_expect entering: type 21 debug3: mm_request_receive entering debug1: do_cleanup And here's the relevant output from PuTTYs logfile: Event Log: Pageant is running. Requesting keys. Event Log: Pageant has 1 SSH2 keys Event Log: Trying Pageant key #0 Outgoing packet type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST) 00000000 00 00 00 04 72 6f 6f 74 00 00 00 0e 73 73 68 2d ....root....ssh- 00000010 63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 09 70 75 connection....pu 00000020 62 6c 69 63 6b 65 79 00 00 00 00 07 73 73 68 2d blickey.....ssh- 00000030 72 73 61 00 00 00 98 00 00 00 07 73 73 68 2d 72 rsa........ssh-r 00...

...ITH_AIXAUTHENTICATE + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user,get_canonical_hostname(),"ssh", + &aixloginmsg) < 0) + aixloginmsg = NULL; +#endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); packet_start(SSH2_MSG_USERAUTH_SUCCESS); --- config.h.in.orig Tue May 9 03:00:57 2000 +++ config.h.in Wed May 10 15:26:43 2000 @@ -12,6 +12,9 @@ /* Define if you want to disable PAM support */ #undef DISABLE_PAM +/* Define if you want to enable AIX4's authenticate...

...cation context"); info = packet_get_string(NULL); - lang = packet_get_string(NULL); + if (!(datafellows & SSH_BUG_PWDCHGREQ)) { + lang = packet_get_string(NULL); + xfree(lang); + } if (strlen(info) > 0) logit("%s", info); xfree(info); - xfree(lang); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); [1] http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-21.txt

...a to be signed */ + buffer_init(&b); + if (datafellows & SSH_OLD_SESSIONID) { + buffer_append(&b, session_id2, session_id2_len); + skip = session_id2_len; + } else { + buffer_put_string(&b, session_id2, session_id2_len); + skip = buffer_len(&b); + } + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); + buffer_put_cstring(&b, authctxt->server_user); + buffer_put_cstring(&b, + datafellows & SSH_BUG_PKSERVICE ? + "ssh-userauth" : + authctxt->service); + if (datafellows & SSH_BUG_PKAUTH) { + buffer_put_char(&b, have_sig); + } else { + buffer_put_c...

...password = ssh_askpass(askpass, + "Permission denied, please try again:"); + else + password = ssh_askpass(askpass, prompt); + } else { + if (attempt != 1) + error("Permission denied, please try again."); + password = read_passphrase(prompt, 0); + } packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(server_user); packet_put_cstring(service); @@ -374,6 +388,8 @@ Key *k; int ret = 0; struct stat st; + int interactive = isatty(STDIN_FILENO); + char *askpass = NULL; if (stat(filename, &st) != 0) { debug("key does not exist: %s", filename); @@ -38...

...; + } else { if (attempt++ >= options.number_of_password_prompts) return 0; @@ -451,6 +458,8 @@ snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", authctxt->server_user, authctxt->host); password = read_passphrase(prompt, 0); + } + packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); -- /Peter ?strand <astrand at lysator.liu.se>

...); if (datafellows & SSH_OLD_SESSIONID) { buffer_append(&b, session_id2, session_id2_len); } else { - buffer_put_string(&b, session_id2, session_id2_len); + buffer_put_binary(&b, session_id2, session_id2_len); } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -115,7 +115,7 @@ buffer_put_char(&b, have_sig); buffer_put_cstring(&b, pkalg); } - buffer_put_string(&b, pkblob, blen); + buffer_put_binary(&b, pkblob, blen); #ifdef DEBUG_PK buffer_dump(&b); #endif @@ -142,7 +142,7 @@ if (PRIVSEP(user_key_allowed(authc...

...if (supported->elements[mech].length < 128 && + !GSS_ERROR(ssh_gssapi_import_name(gssctxt, + authctxt->host))) { + ok = 1; /* Mechanism works */ + } else { + mech++; + } + } + + if (!ok) return 0; + + authctxt->methoddata=(void *)gssctxt; + + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + + packet_put_int(1); + + /* Some servers encode the OID incorrectly (as we used to) */ + if (datafellows & SSH_BUG_GSSAPI_BER) { + packet_p...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |