OpenSSH 6.6.x sends invalid SSH_MSG_USERAUTH_INFO_REQUEST

Darren Tucker dtucker at zip.com.au
Tue Apr 7 17:11:02 AEST 2015


Hi Stephen.

I accidentally dropped you off the thread by replying to an earlier post.

The TL;DR is that I think OpenSSH's behaviour is RFC-compliant although not
optimal.

You can read the rest of the thread here:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-April/033789.html

On Tue, Apr 7, 2015 at 3:47 PM, Stephen Hurd <shurd at sasktel.net> wrote:
>
> The problem was originally reported via IRC against "a couple different
> Linux distros", and I found I could reproduce with my FreeBSD 11 box so
> I added a local patch to work around it, sent it to the reporter who
> confirmed that it solved his issue.  I can try to find out the specific
> distros, though I suspect they have vendor patches as well.
>

I suspect the behaviour will be present in any system with UsePAM=yes
and KbdInteractiveAuthentication=yes (or
ChallengeResponseAuthentication=yes, from which
KbdInteractiveAuthentication gets its default value).

I also suspect you can work around it by
setting KbdInteractiveAuthentication=no and PasswordAuthentication=yes,
assuming your PAM modules are simple enough that this works.


> His system also had all the CBC ciphers disabled by default, including
> the mandatory 3des-cbc and recommended aes128-cbc, so I suspect a
> reaction to some padding oracle attack (I don't really keep up) was
> involved on his systems.  It seems that Cryptlib only does CBC, so I had
> to walk him through re-enabling those.


FWIW I don't think the ciphers have any impact on this behaviour.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
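
The configuration condition discussed in the message above, as an added example that is not part of the original post and is not OpenSSH code: a small checker that reads the global section of an sshd_config and reports whether UsePAM and keyboard-interactive are both in effect, and whether the suggested workaround is applied. The function names, result keys and sample configs are hypothetical, and the default values are assumed upstream defaults that vendor builds may change.

```python
import re

# Assumed upstream defaults for this era of OpenSSH; vendor builds may differ.
DEFAULTS = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "yes",
}
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_global(text):
    """Map lower-cased keyword -> value for the global section only.

    Keywords are case-insensitive and the first value obtained for a keyword
    is the one sshd uses. Parsing stops at the first Match block.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":
            break
        seen.setdefault(key, m.group(2).strip().strip('"').lower())
    return seen


def assess(text):
    cfg = parse_global(text)
    get = lambda k: cfg.get(k, DEFAULTS[k])
    # Unset KbdInteractiveAuthentication takes ChallengeResponseAuthentication's value.
    kbdint = cfg.get("kbdinteractiveauthentication",
                     get("challengeresponseauthentication")) == "yes"
    return {
        "pam_kbdint": get("usepam") == "yes" and kbdint,
        "workaround": not kbdint and get("passwordauthentication") == "yes",
    }


# Constructed sample configurations, not taken from any real host.
SAMPLE_PAM = "UsePAM yes\n# KbdInteractiveAuthentication left unset\n"
SAMPLE_WORKAROUND = ("usepam=yes\nKbdInteractiveAuthentication no\n"
                     "PasswordAuthentication yes\nKbdInteractiveAuthentication yes\n"
                     "Match User x\n  PasswordAuthentication no\n")

if __name__ == "__main__":
    print(assess(SAMPLE_PAM), assess(SAMPLE_WORKAROUND))
```

On a live host, the effective values printed by `sshd -T` are a more reliable input than the file, since they already include the compiled-in defaults of that build.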

