OpenSSH 2.9p1 improperly caches username
Daniel Prevett
dprevett at vandyke.com
Thu May 24 05:17:54 EST 2001
Hi guys,
OpenSSH 2.9p1 using SSH2 currently caches the username sent in
the USERAUTH_REQUEST [none] packet. This does not allow you
to change the username in a later authentication packet.
>From SSH Authentication Protocol, section 2.1:
"The user name and service are repeated in every new
authentication attempt, and MAY change. The server implementation MUST carefully check them in every message,
and MUST flush any accumulated authentication states if they change. If it is unable to flush some authentication
state, it MUST disconnect if the user or service name
changes."
This behavior has been reported by users of SecureCRT attempting to change their username during the SSH2 authentication process.
If you need any more information, please let me know.
-Daniel Prevett
Van Dyke Technologies Support
support at vandyke.com
http://www.vandyke.com
More information about the openssh-unix-dev
mailing list