Why hostkeys-00@openssh.com is following user authentication?

Alon Bar-Lev alon.barlev at gmail.com
Thu Dec 24 17:12:33 AEDT 2015


On 23 December 2015 at 23:30, Damien Miller <djm at mindrot.org> wrote:
>
> On Wed, 23 Dec 2015, Alon Bar-Lev wrote:
>
> > Hello,
> >
> > This hostkeys extension is great, reading[1]:
> > """
> > OpenSSH supports a protocol extension allowing a server to inform a
> > client of all its protocol v.2 host keys after user-authentication has
> > completed.
> > """
> >
> > I wonder, why should user authentication be completed before this
> > functionality is available? This means that ssh-keyscan tool (for
> > example) cannot take advantage of the functionality.
>
> It's done this way because the only extensible messages in the protocol
> are channel and global requests, which are only valid after the
> "ssh-connection" (channels) service has been requested. This only happens
> after userauth.
>
> It would be better to do it after key exchange and before user
> authentication, but it would also be less compatible with other
> implementations.
>
> -d

Thank you for the quick response!
I was under the impression that global requests can be sent before
user authentication.
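
The layering described in the quoted reply, as an added example that is not part of the original thread and is not OpenSSH code: it builds and parses a `hostkeys-00@openssh.com` global request and checks its message number against the RFC 4250 ranges. The three-phase model in `accepted()`, the function names and the key blobs are constructed assumptions for illustration.

```python
import struct

SSH_MSG_GLOBAL_REQUEST = 80  # RFC 4254, connection protocol

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_hostkeys_request(key_blobs):
    """Global request carrying host key blobs, sent with want-reply = 0."""
    payload = bytes([SSH_MSG_GLOBAL_REQUEST])
    payload += ssh_string(b"hostkeys-00@openssh.com") + b"\x00"
    return payload + b"".join(ssh_string(k) for k in key_blobs)

def read_string(buf: bytes, off: int):
    """Read one SSH string at off; reject lengths that run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string length exceeds payload")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_hostkeys_request(payload: bytes):
    """Return (request name, want_reply, list of key blobs)."""
    if not payload or payload[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not SSH_MSG_GLOBAL_REQUEST")
    name, off = read_string(payload, 1)
    if off >= len(payload):
        raise ValueError("missing want-reply byte")
    want_reply, off = payload[off] != 0, off + 1
    blobs = []
    while off < len(payload):
        blob, off = read_string(payload, off)
        blobs.append(blob)
    return name.decode("ascii"), want_reply, blobs

def layer_of(msg_type: int) -> str:
    """Map a message number to its protocol layer (RFC 4250 ranges)."""
    for low, high, layer in ((1, 49, "transport"), (50, 79, "userauth"),
                             (80, 127, "connection")):
        if low <= msg_type <= high:
            return layer
    return "other"

def accepted(msg_type: int, phase: str) -> bool:
    """Simplified model (assumption): which layers a peer accepts per phase."""
    allowed = {"kex": {"transport"},
               "userauth": {"transport", "userauth"},
               "connection": {"transport", "connection"}}
    return layer_of(msg_type) in allowed[phase]
```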

