OpenSSH 6.6.x sends invalid SSH_MSG_USERAUTH_INFO_REQUEST
Darren Tucker
dtucker at zip.com.au
Tue Apr 7 15:36:28 AEST 2015
On Tue, Apr 7, 2015 at 3:08 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz>
wrote:
> Darren Tucker <dtucker at zip.com.au> writes:
> [...]
> My code checks for sane values in the fields in the packet, so it rejects
> it
> as malformed before it gets to the interesting philosophical issue of how
> to
> send a response to a request for zero responses.
IMO it's not malformed, see below.
>If it was just the prompt part of the packet, what's in the name and
> >instruction fields?
>
> Nothing. All fields are empty,
That's explicitly allowed by RFC4256. In addition to allowing zero
prompts, section 3.2 also says:
"The language tag is deprecated and SHOULD be the empty string."
and
"The name and instruction fields MAY be empty strings; the client MUST
be prepared to handle this correctly. The prompt field(s) MUST NOT
be empty strings."
> >Zero prompts is specifically allowed by RFC4256 section 3.2:
>
[...]
> Sure, but since they're also empty there's nothing to display.
So it's really
> a case of "what do you do in response to a request for zero responses?".
Do what it says in RFC4256 section 3.4?
"In the case that the server sends a `0' num-prompts field in the
request message, the client MUST send a response message with a `0'
num-responses field to complete the exchange."
I'm not sure if promulgating koans was a goal of OpenSSH.
I'd like to think one of the goals was implementing the RFCs :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list