OpenSSH 6.6.x sends invalid SSH_MSG_USERAUTH_INFO_REQUEST

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Apr 7 15:08:16 AEST 2015


Darren Tucker <dtucker at zip.com.au> writes:

>Assuming that's the whole packet, I think that's a zero-prompt
>USERAUTH_INFO_REQUEST packet containing empty name, instructions and language
>strings.  What do you mean by "fails a data-validity check"?

My code checks for sane values in the fields in the packet, so it rejects it
as malformed before it gets to the interesting philosophical issue of how to
send a response to a request for zero responses.

>If it was just the prompt part of the packet, what's in the name and
>instruction fields?

Nothing.  All fields are empty, so if you take this (RFC 4256):

      byte      SSH_MSG_USERAUTH_INFO_REQUEST
[0]   string    name (ISO-10646 UTF-8)
[0]   string    instruction (ISO-10646 UTF-8)
[0]   string    language tag (as defined in [RFC-3066])
[0]   int       num-prompts
      string    prompt[1] (ISO-10646 UTF-8)
      boolean   echo[1]
      ...
      string    prompt[num-prompts] (ISO-10646 UTF-8)
      boolean   echo[num-prompts]

and set all fields to empty, you get 16 bytes of zeros (marked up above).

>Zero prompts is specifically allowed by RFC4256 section 3.2:
>
>" The num-prompts field may be `0', in which case there will be no
>   prompt/echo fields in the message, but the client SHOULD still
>   display the name and instruction fields (as described below)."

Sure, but since they're also empty there's nothing to display.  So it's really
a case of "what do you do in response to a request for zero responses?".  I'm
not sure if promulgating koans was a goal of OpenSSH.

Peter.
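The packet discussed in this thread, run through a bounds-checked parser (an added example, not code from OpenSSH or from either poster). The function names, the `MAX_PROMPTS` limit and both sample packets are assumptions constructed for illustration; the check accepts the all-empty zero-prompt request while still rejecting truncated or over-long input.

```c
#include <stddef.h>
#include <stdint.h>

#define SSH_MSG_USERAUTH_INFO_REQUEST 60
#define MAX_PROMPTS 16 /* assumed local sanity limit, not taken from the RFC */

/* Constructed sample: type byte plus the 16 zero bytes described in the thread. */
static const uint8_t zero_prompt_request[17] = { SSH_MSG_USERAUTH_INFO_REQUEST };
/* Constructed sample: empty strings, one prompt "pw" with echo = FALSE. */
static const uint8_t one_prompt_request[24] = {
    SSH_MSG_USERAUTH_INFO_REQUEST, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0,0,0,1, 0,0,0,2, 'p','w', 0 };

/* Read a big-endian uint32 at *pos and advance; 0 means truncated input. */
static int get_u32(const uint8_t *p, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return 0;
    *out = (uint32_t)p[*pos] << 24 | (uint32_t)p[*pos + 1] << 16 |
           (uint32_t)p[*pos + 2] << 8 | p[*pos + 3];
    *pos += 4;
    return 1;
}

/* Skip one SSH string (uint32 length, then data); length 0 is valid. */
static int skip_string(const uint8_t *p, size_t len, size_t *pos) {
    uint32_t n;
    if (!get_u32(p, len, pos, &n) || n > len - *pos) return 0;
    *pos += n;
    return 1;
}

/* Returns num-prompts (0 is legal per RFC 4256) or -1 if malformed. */
int parse_info_request(const uint8_t *p, size_t len) {
    size_t pos = 1;
    uint32_t nprompts, i;
    if (len < 1 || p[0] != SSH_MSG_USERAUTH_INFO_REQUEST) return -1;
    if (!skip_string(p, len, &pos) || !skip_string(p, len, &pos) || /* name, instruction */
        !skip_string(p, len, &pos) ||                               /* language tag */
        !get_u32(p, len, &pos, &nprompts) || nprompts > MAX_PROMPTS)
        return -1;
    for (i = 0; i < nprompts; i++) {
        if (!skip_string(p, len, &pos) || pos >= len) return -1; /* prompt[i], then echo[i] */
        pos++;
    }
    return pos == len ? (int)nprompts : -1; /* trailing bytes are malformed */
}

int main(void) { /* exit status 0 when the thread's packet parses as zero prompts */
    return parse_info_request(zero_prompt_request, sizeof zero_prompt_request) != 0;
}
```

For a return value of 0, RFC 4256 section 3.4 has the client reply with an SSH_MSG_USERAUTH_INFO_RESPONSE whose num-responses field is 0.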

