Attempts to connect to Axway SFTP server result in publickey auth loopin

Darren Tucker dtucker at dtucker.net
Fri Feb 23 16:35:30 AEDT 2018


On 23 February 2018 at 01:49, Paul Ellis <openssh-unix-dev at skarsol.com> wrote:
> We are attempting to use openssh sftp to connect to a server that is running
> some version of the Axway SFTP server. After a publickey auth completes, the
> server resends publickey as a valid auth.

That could be potentially correct behaviour in the case where the
server requires several keys to authenticate, although it sounds like
this is not the case here.

> This results in a loop as openssh
> sftp resubmits the publickey information. This seems similar to a discussion
> in 2014 that terminated with the thought that it might be nice if the client
> tracked this
> (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032800.html).
> Is there any option we can use that will prevent this behavior?

Not currently.

> Attempts to
> contact Axway have failed as we’re not direct customers of theirs and the
> party actually running the server is blaming openssh.

You might want to direct them to RFC4252[1] section 5.1, which covers
partial authentication and says:

"""
   Already successfully completed authentications SHOULD NOT be included
   in the name-list, unless they should be performed again for some
   reason.

"""

[1] https://tools.ietf.org/html/rfc4252

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
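
An added example, not part of the original message or of OpenSSH: a small parser for the SSH_MSG_USERAUTH_FAILURE reply defined in RFC 4252 section 5.1 that remembers which methods ended in partial success and reports when the server's name-list offers one of them again. The names `AuthTracker` and `build_failure` and the sample payloads are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number from RFC 4252 section 5.1


def parse_userauth_failure(payload: bytes):
    """Return (methods, partial_success) from an SSH_MSG_USERAUTH_FAILURE payload."""
    # Layout: byte 51, name-list (uint32 length + comma-separated names), boolean.
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not a complete SSH_MSG_USERAUTH_FAILURE")
    (length,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + length + 1:
        raise ValueError("name-list length does not match payload size")
    raw = payload[5:5 + length].decode("ascii")
    methods = raw.split(",") if raw else []
    return methods, payload[5 + length] != 0


class AuthTracker:
    """Hypothetical helper: tracks methods that reached partial success."""

    def __init__(self):
        self.completed = set()

    def observe(self, attempted: str, payload: bytes):
        methods, partial = parse_userauth_failure(payload)
        if partial:
            self.completed.add(attempted)
        # A re-offered method is legitimate only if the server really wants it
        # performed again (for example, several keys required); otherwise a
        # client that simply retries it will loop.
        repeated = sorted(self.completed.intersection(methods))
        remaining = [m for m in methods if m not in self.completed]
        return {"partial": partial, "repeated": repeated, "remaining": remaining}


def build_failure(methods, partial):
    """Build a sample payload (constructed test data, not captured traffic)."""
    names = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE]) + struct.pack(">I", len(names))
            + names + bytes([int(partial)]))


if __name__ == "__main__":
    tracker = AuthTracker()
    reply = build_failure(["publickey"], True)  # the behaviour described in the thread
    for attempt in range(1, 4):
        print(attempt, tracker.observe("publickey", reply))
```

An empty `remaining` list together with a non-empty `repeated` list is the looping case from the thread: the only way forward the server offers is a method that has already succeeded.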

