AW: com.jcraft.jsch.JSchException: Auth fail

Fiedler Roman Roman.Fiedler at ait.ac.at
Thu Sep 15 19:10:58 AEST 2016 

> Von: openssh-unix-dev [mailto:openssh-unix-dev-
> 
> On Thu, 15 Sep 2016, Damien Miller wrote:
> > I'm not seeing a problem here. It's logging a string, and we escape any
> > non-ASCII characters in log.c. If anything it's probably too strict
> > (wrt escaping valid UTF-8 from logs on systems that support it).
> 
> Great, thanks for confirming. That's the answer I was hoping for! :-)

I did similar testing some years ago. The escaping is fine (was already back
than). It also seems, that issues with limiting the line length were
not/never affecting OpenSSH or are already fixed - I do not remember the
products/versions tested any more. So line splitting with remote syslog when
reaching the 1024 byte limit is also impossible.

Only thing that remains seems to be, that the '[preauth]' tag is lost when
limiting the line length. This might fool some IDS system mixing up pre/post
auth disconnects for some kind of analysis (do not know if any system on the
market might have such rules). The anomaly detection algorithms we are
experimenting with could generate rules sensitive to that in the learning
phase but I have not tested, if that would really happen.

Sep 15 08:59:52 localhost sshd[2693]: error: Received disconnect from
127.0.0.1 port 47886:3:
\\373\\336'\\273\\017\\254]s\\243\\306\\030\\321\\210y\\223b\\006\\031w\\363
\\251(\\343\\264t\\226\\016
\\306.\\324\\217\\a\\020np\\220\\323\\220\\024\\001V\\0378x^\\2733\\247\\006
\\312\\226\\177\\217~V>m\\330Qv\\322\\344\\274\\210\\341\\325\\001F\\313|/\\
374)@\\234X|s*^|\\272\\252\\254\\342\\340\\244\\t\\016\\216{\\313&WR\\246\\3
11te^\\264\\356\\206#.a\\267\\375d\\245\\327\\r#H\\372\\177\\333+\\304\\243@
\\342\\001\\303:Y'|\\272v\\036 [prea

Testclient (base64 -d |tar -xj):

QlpoOTFBWSZTWcfIXoUAASJ/hMgQAEBr///TP2+fLv/v32AAAIAYQAJdrdzNy13YSoEp/qk2keU8
1PUxJoeoNDQwgAAxGmgBoIE0KMyhp6T0NRoAMJoDTQAAASRRR5T0niT00IHqeoANDQMmRoADQaBJ
JTAm0o2p6E0eUAaAAADQANqD1Pr8vutQBFChIK6pCuqWIeyQDlSWPcGpfnuMQtChb6BGGj08Vkj8
tEZfiasqJEUT56meTUJs6qYTzUFV7MD+iDOfd0w2bMIxiHWcxwkczMyxg7KEtkBlw/q4sGlqDsbZ
O+4PfRv5ZGlctVS1aSMQQYOYLYXxc6MsHm4YKIwyatOFhs6lmTMMhmnYHJpLtHRJIGVg56zQD9Iy
F314yYARmCtucAVkAOiyarCHyyzqPZRGjNme54iYmZgiTOaBih2GQNRKYab5eK9XgumFO0iX9jXG
ca/nylWaxXnM+L0yHvOHzlTtgsIM6VDWtbZ2JY8z7WNzZnUiv67QjqE29GIvHFEo4RgDBYL2jed8
P0R30p/Q2fZTBU3P63UEYq1hT66gjWWgvI0UjP/pmBiGnSZ1gU7oJyacUKZZNpBegGxFGApVaAti
ujLfAxnmkQYYnpUIGQEioQEyTdU9KLYJhRlefgSUieKnnivwr6VSryEVkZqQzVoeJ1oK4QpQICEd
PanVwLyha7asD5oFMBUCcSQ1hWoD/wQtw1WWJorwXYm2a6JS3uSxxK2olaN79nLIqUVPL9pngBhh
77BmYJUwVeottLlM5EKVMBBMx4dUIBDI+sOFqF65YDAsVjAycF5wmIcUgri3EBgjeighRTKiotjl
exsIRzIZlBVOrCT1JAf4u5IpwoSGPkL0KA==

Kind regards,
Roman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6320 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160915/6bb33c84/attachment-0001.bin>

More information about the openssh-unix-dev mailing list