OpenSSH 6.6.x sends invalid SSH_MSG_USERAUTH_INFO_REQUEST
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Apr 7 15:08:16 AEST 2015
Darren Tucker <dtucker at zip.com.au> writes:

>Assuming that's the whole packet, I think that's a zero-prompt
>USERAUTH_INFO_REQUEST packet containing empty name, instructions and language
>strings. What do you mean by "fails a data-validity check"?

My code checks for sane values in the fields in the packet, so it rejects it
as malformed before it gets to the interesting philosophical issue of how to
send a response to a request for zero responses.

>If it was just the prompt part of the packet, what's in the name and
>instruction fields?

Nothing. All fields are empty, so if you take this (RFC 4256):

        byte      SSH_MSG_USERAUTH_INFO_REQUEST
  [0]   string    name (ISO-10646 UTF-8)
  [0]   string    instruction (ISO-10646 UTF-8)
  [0]   string    language tag (as defined in [RFC-3066])
  [0]   int       num-prompts
        string    prompt[1] (ISO-10646 UTF-8)
        boolean   echo[1]
        ...
        string    prompt[num-prompts] (ISO-10646 UTF-8)
        boolean   echo[num-prompts]

and set all fields to empty, you get 16 bytes of zeros (marked up above).

>Zero prompts is specifically allowed by RFC4256 section 3.2:
>
>" The num-prompts field may be `0', in which case there will be no
> prompt/echo fields in the message, but the client SHOULD still
> display the name and instruction fields (as described below)."

Sure, but since they're also empty there's nothing to display. So it's really
a case of "what do you do in response to a request for zero responses?". I'm
not sure if promulgating koans was a goal of OpenSSH.

Peter.
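
The packet discussed in this message, run through a bounds-checked parser for the RFC 4256 layout quoted above. This is an added example, not code from the original post, OpenSSH, or either participant; the function names, the MAX_PROMPTS limit and both sample byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define SSH_MSG_USERAUTH_INFO_REQUEST 60 /* message number from RFC 4256 */
#define MAX_PROMPTS 16                   /* assumed local sanity limit */
struct info_request { uint32_t name_len, instruction_len, lang_len, num_prompts; };

/* Constructed sample: type byte followed by the 16 zero bytes from the thread. */
const uint8_t EMPTY_REQ[17] = { SSH_MSG_USERAUTH_INFO_REQUEST };
/* Constructed sample: num-prompts = 1 with no prompt/echo data after it. */
const uint8_t TRUNCATED_REQ[17] = { SSH_MSG_USERAUTH_INFO_REQUEST, [16] = 1 };

/* Read a big-endian uint32 at *off and advance; -1 if the packet is too short. */
static int get_u32(const uint8_t *p, size_t len, size_t *off, uint32_t *out) {
    if (len - *off < 4) return -1;
    *out = 0;
    for (int k = 0; k < 4; k++) *out = (*out << 8) | p[(*off)++];
    return 0;
}

/* Skip an SSH string (uint32 length, then that many bytes), reporting its length. */
static int skip_string(const uint8_t *p, size_t len, size_t *off, uint32_t *slen) {
    if (get_u32(p, len, off, slen) < 0 || len - *off < *slen) return -1;
    *off += *slen;
    return 0;
}

/* Returns 0 for a well-formed request (zero prompts included), -1 if malformed. */
int parse_info_request(const uint8_t *p, size_t len, struct info_request *r) {
    size_t off = 1;
    uint32_t i, plen;
    if (len < 1 || p[0] != SSH_MSG_USERAUTH_INFO_REQUEST) return -1;
    if (skip_string(p, len, &off, &r->name_len) < 0 ||
        skip_string(p, len, &off, &r->instruction_len) < 0 ||
        skip_string(p, len, &off, &r->lang_len) < 0 ||
        get_u32(p, len, &off, &r->num_prompts) < 0 || r->num_prompts > MAX_PROMPTS)
        return -1;
    for (i = 0; i < r->num_prompts; i++) {
        if (skip_string(p, len, &off, &plen) < 0 || len - off < 1) return -1;
        off++; /* echo boolean */
    }
    return off == len ? 0 : -1; /* trailing bytes are malformed */
}

/* 1 if the request is valid but has nothing to display and nothing to answer. */
int is_noop_request(const uint8_t *p, size_t len) {
    struct info_request r;
    return parse_info_request(p, len, &r) == 0 &&
           r.name_len == 0 && r.instruction_len == 0 && r.num_prompts == 0;
}
```

Length and truncation checks stay separate from the question of whether empty fields are acceptable, so a caller can tell a structurally valid zero-prompt request apart from a malformed one.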