OpenSSH 2.9p1 improperly caches username
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Sat May 26 23:35:31 EST 2001
On Wed, May 23, 2001 at 01:17:54PM -0600, Daniel Prevett wrote:
> OpenSSH 2.9p1 using SSH2 currently caches the username sent in
> the USERAUTH_REQUEST [none] packet. This does not allow you
> to change the username in a later authentication packet.
>
> >From SSH Authentication Protocol, section 2.1:
>
> "The user name and service are repeated in every new
> authentication attempt, and MAY change. The server implementation MUST
> carefully check them in every message,
> and MUST flush any accumulated authentication states if they change.
> If it is unable to flush some authentication
> state, it MUST disconnect if the user or service name
> changes."
>
> This behavior has been reported by users of SecureCRT attempting to
> change their username during the SSH2 authentication process.
>
> If you need any more information, please let me know.
openssh's behaviour is intentional. we don't want to allow
a change of user or service names. but we don't want to disconnect
(perhaps we should...).
there has been some discussion about this on the ietf-ssh at netbsd.org
list, but i don't remember the outcome of the discussion.
i'll look into this.
More information about the openssh-unix-dev
mailing list