Questions about inferred state machines for OpenSSH

P. V. p.verleg at student.science.ru.nl
Wed Jan 27 00:43:05 AEDT 2016


Dear all,

For my thesis, I've been working on automatic inference of state
machines for SSH servers. I ran into a couple of particularities
regarding OpenSSH's inferred state machine, and was hoping some of you
might be interested. Maybe you can even shed some light on it.

Setup: I'm using LearnLib's (Java) version of the L* learning
algorithm [1] to come up with sequences of textual representations of
SSH messages (such as "DEBUG; DISCONNECT"). An altered version of
Paramiko (Python) receives those queries and translates them to actual
SSH traffic, which is sent to OpenSSH. Responses are fed to the
learning algorithm, resulting in a state machine.

The PDFs of inferred state machines, as well as the used messages, can
be found online [2]. I've queried the transport layer, user
authentication layer and connection layer separately.

Now for my questions. Assuming my results are correct, it seems that:
1) OpenSSH is extremely liberal when it comes to exchanging kexinit
messages (openssh-localhost-L1.pdf). It allows entering a key
exchange without receiving a proper kexinit message at all. Since this
message is required to exchange parameters, does this imply that
OpenSSH will guess those when no kexinit is received?

2) OpenSSH does not allow rekeying until after correct user
authentication. The RFCs specify otherwise. Is this a deliberate
choice?

3) OpenSSH shows peculiar behavior in user re-authentication. Some
re-authentication methods seem to be disallowed after an unsuccessful
authentication attempt. You can see what I mean in
openssh-localhost-L2.pdf. Is this intended behavior, a bug, or perhaps
an error on my side?

4) Unlike other tested SSH servers, OpenSSH seems to close the entire
connection (rather than close the channel) on a channel-close message
in certain conditions. This results in the 'has_commands' and
'has_commands_pty' states in openssh-localhost-L3.pdf. I was wondering
why. An error on my side, or intended behavior?

I'd be more than happy to hear what you think about the results.
Please let me know if you need any further information! I can also
share a conceptual version of my thesis for those interested.

Kind regards, Patrick

[1] http://sp09.pbworks.com/f/LearningJournal.pdf
[2] https://drive.google.com/folderview?id=0B6T2_FvFKPIkRGdqVDFtOXNQQWc
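Added worked example, not Patrick's code and not LearnLib or Paramiko: a compact L*-style learner for Mealy machines in Python, run against a constructed toy SSH-like server that plays the role of "the server behind the mapper" in the setup described above. The TOY transition table, its state and message names, and the bounded exhaustive equivalence oracle used in place of LearnLib's are all assumptions made for illustration; the toy's "rekey only once authenticated" rule echoes observation 2 in the mail but is not a claim about what OpenSSH does.

```python
"""Added example (not code from the original post): an L*-style learner for Mealy
machines, in the spirit of the LearnLib/Paramiko setup in the mail, run against a
constructed toy SSH-like server. Everything in TOY is an assumption, not OpenSSH's."""
from itertools import product

INPUTS = ("KEXINIT", "NEWKEYS", "SERVICE_REQUEST", "USERAUTH", "DISCONNECT")
# Constructed SUT: (state, input) -> (next_state, output); unlisted pairs are ignored.
TOY = {
    ("init", "KEXINIT"): ("kex", "KEXINIT"),            # initial key exchange
    ("kex", "NEWKEYS"): ("keys", "NEWKEYS"),
    ("keys", "SERVICE_REQUEST"): ("auth", "SERVICE_ACCEPT"),
    ("auth", "USERAUTH"): ("session", "UA_SUCCESS"),
    ("session", "KEXINIT"): ("rekex", "KEXINIT"),       # rekey only once authenticated
    ("rekex", "NEWKEYS"): ("session", "NEWKEYS"),
}


class ToySSHServer:  # stands in for the real server plus the Paramiko-style mapper
    def reset(self):  # the equivalent of opening a fresh connection
        self.state = "init"

    def step(self, msg):
        if msg == "DISCONNECT" or self.state == "closed":
            self.state = "closed"
            return "CLOSED"
        self.state, out = TOY.get((self.state, msg), (self.state, "NO_RESP"))
        return out


def run_hyp(hyp, seq):  # replay seq on a hypothesis (init, trans) -> (state, outputs)
    (st, trans), out = hyp, []
    for a in seq:
        st, o = trans[(st, a)]
        out.append(o)
    return st, tuple(out)


class LStarMealy:
    """Observation table: S = access prefixes, E = distinguishing suffixes."""
    def __init__(self, sut, inputs):
        self.sut, self.inputs, self.cache = sut, inputs, {}
        self.S, self.E = [()], [(a,) for a in inputs]

    def query(self, seq):  # output query: reset the SUT, replay seq, record outputs
        if seq not in self.cache:
            self.sut.reset()
            self.cache[seq] = tuple(self.sut.step(m) for m in seq)
        return self.cache[seq]

    def cell(self, s, e):  # outputs produced by suffix e after access prefix s
        return self.query(s + e)[len(s):]

    def row(self, s):
        return tuple(self.cell(s, e) for e in self.E)

    def fill_table(self):  # extend S (closedness) and E (consistency) until stable
        while True:
            rows = {self.row(s) for s in self.S}
            unclosed = [s + (a,) for s in self.S for a in self.inputs
                        if self.row(s + (a,)) not in rows]
            if unclosed:
                self.S.append(unclosed[0])
                continue
            bad = [(a,) + e for i, s1 in enumerate(self.S) for s2 in self.S[i + 1:]
                   if self.row(s1) == self.row(s2) for a in self.inputs for e in self.E
                   if self.cell(s1 + (a,), e) != self.cell(s2 + (a,), e)]
            if not bad:
                return
            self.E.append(bad[0])

    def hypothesis(self):  # one state per distinct row; trans[(state, a)] = (next, out)
        ids = {r: i for i, r in enumerate(dict.fromkeys(self.row(s) for s in self.S))}
        trans = {(ids[self.row(s)], a): (ids[self.row(s + (a,))], self.cell(s, (a,))[0])
                 for s in self.S for a in self.inputs}
        return ids[self.row(())], trans

    def counterexample(self, hyp, max_depth):  # bounded exhaustive equivalence oracle
        for n in range(1, max_depth + 1):
            for seq in product(self.inputs, repeat=n):
                if run_hyp(hyp, seq)[1] != self.query(seq):
                    return seq
        return None

    def learn(self, max_depth=7):
        while True:
            self.fill_table()
            hyp = self.hypothesis()
            ce = self.counterexample(hyp, max_depth)
            if ce is None:
                return hyp
            for i in range(1, len(ce) + 1):  # add every prefix of the counterexample
                if ce[:i] not in self.S:
                    self.S.append(ce[:i])


def rekey_accepted_after(hyp, prefix):  # the kind of question the inferred PDFs answer
    st, _ = run_hyp(hyp, prefix)
    return hyp[1][(st, "KEXINIT")][1] == "KEXINIT"
```

Running `LStarMealy(ToySSHServer(), INPUTS).learn()` yields a 7-state machine, and `rekey_accepted_after` then answers, from the learned model rather than the toy, whether KEXINIT is honoured before or after USERAUTH. Worth noting for anyone reproducing the mail's setup: the first hypothesis merges the post-authentication state with the initial one, because every single message gets the same reply in both; only a 7-message sequence (authenticate, rekey, then KEXINIT again) separates them. A bounded conformance check with a smaller depth would have accepted the wrong 5-state model, which is one reason the "assuming my results are correct" caveat above matters when reading inferred machines.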

