Darren Tucker dtucker at
Tue Apr 7 17:11:02 AEST 2015

Hi Stephen.

I accidentally dropped you off the thread by replying to an earlier post.

The TL;DR is that I think OpenSSH's behaviour is RFC-compliant although not

You can read the rest of the thread here:

On Tue, Apr 7, 2015 at 3:47 PM, Stephen Hurd <shurd at> wrote:
> The problem was originally reported via IRC against "a couple different
> Linux distros", and I found I could reproduce with my FreeBSD 11 box so
> I added a local patch to work around it, sent it to the reporter who
> confirmed that it solved his issue.  I can try to find out the specific
> distros, though I suspect they have vendor patches as well.

I suspect the behaviour will be present in any system with UsePAM=yes
and KbdInteractiveAuthentication=yes (or
ChallengeResponseAuthentication=yes, from which
KbdInteractiveAuthentication gets its default value).

I also suspect you can work around it by
setting KbdInteractiveAuthentication=no and PasswordAuthentication=yes,
assuming your PAM modules are simple enough that this works.

> His system also had all the CBC ciphers disabled by default, including
> the mandatory 3des-cbc and recommended aes128-cbc, so I suspect a
> reaction to some padding oracle attack (I don't really keep up) was
> involved on his systems.  It seems that Cryptlib only does CBC, so I had
> to walk him through re-enabling those.

FWIW I don't think the ciphers have any impact on this behaviour.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list