Possible problem with sshconnect1.c in openssh-2.5.1p2

Michael Krivacek krivacek at directlink.net
Sat Mar 10 09:26:33 EST 2001

Hi all,

  I have come across a problem that seems to have been introduced
between openssh-2.3.0p1 and openssh-2.5.1.  I sadly admit that my
SSH knowledge is limited, so this problem could very well be with
the server implementation.  Hopefully someone can educate me...

  Netscreen produces hardware encryption boxes which have the
capability of being managed by SSH (protocol version 1.)  With the
2.3.0 series of OpenSSH I was able to access my Netscreen boxes
fine.  However I was initially able to connect with the 2.5.1
series.  I followed the source code and noticed a change in
sshconnect1.c between 2.3.0 and 2.5.1.  In the function
"try_password_authentication" the line:

     packet_put_string(password, strlen(password));



"ssh_put_password" appears to pad the password prior to
encrypting and sending it.

  If I modify sshconnect1.c and change
"ssh_put_password(password);" to "packet_put_string(password,strlen(password));" 
it starts working.

  What are implications of doing this?  Does it sound like the
Netscreen SSH server implementation is not correct?


Michael Krivacek

More information about the openssh-unix-dev mailing list