Where to look next?

Darren Tucker dtucker at zip.com.au
Thu Sep 22 09:51:11 AEST 2016

On Thu, Sep 22, 2016 at 2:28 AM, Delisle, John
<john.delisle at ceridian.com> wrote:
> debug1: Remote protocol version 2.0, remote software version Welcome To Ceridian

OpenSSH should probably log it better, but this banner is weird.
According to RFC 4253 section 4.2 the format is:

      SSH-protoversion-softwareversion SP comments CR LF

so this server is claiming that its software version is "Welcome" with
a comment of "To Ceridian".

> debug3: receive packet: type 1
> Received disconnect from port 32:11: Too many bad authentication attempts!

The server sends a disconnect.

> debug1: Authentication succeeded (password).
> Authenticated to IBM.SFG.SFTP.server ([]:32).

The client thinks the session is authenticated, though.  I think
that's actually a bug in the OpenSSH client: ssh_userauth2() calls
ssh_dispatch_run() with DISPATCH_BLOCK blocking on authctxt.success.
It assumes that if it exits then it's authenticated.

ssh_packet_read_poll_seqnr(), however, will return
SSH_ERR_DISCONNECTED in that case, which will cause ssh_dispatch_run()
to return.

I don't think this is relevant to your problem, though.

Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list