Attempts to connect to Axway SFTP server result in publickey auth loopin
Darren Tucker
dtucker at dtucker.net
Fri Feb 23 17:01:00 AEDT 2018
On Thu, Feb 22, 2018 at 08:49:54AM -0600, Paul Ellis wrote:
> We are attempting to use openssh sftp to connect to a server that is running
> some version of the Axway SFTP server. After a publickey auth completes, the
> server resends publickey as a valid auth. This results in a loop as openssh
> sftp resubmits the publickey information. This seems similar to a discussion
> in 2014 that terminated with the thought that it might be nice if the client
> tracked this (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032800.html).
> Is there any option we can use that will prevent this behavior?
You could try this patch which defers resetting the "tried" flag on the
pubkeys until the list of authentication methods changes. I don't have
a server with this behaviour so I'm not sure if it helps (and I'm not
sure it's the right thing to do anyway).
diff --git a/sshconnect2.c b/sshconnect2.c
index 8138e46e0..c97a9d768 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -562,8 +562,6 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh)
if (partial != 0) {
verbose("Authenticated with partial success.");
- /* reset state */
- pubkey_reset(authctxt);
}
debug("Authentications that can continue: %s", authlist);
@@ -1892,12 +1890,15 @@ authmethod_get(char *authlist)
{
char *name = NULL;
u_int next;
+ struct ssh *ssh = active_state;
/* Use a suitable default if we're passed a nil list. */
if (authlist == NULL || strlen(authlist) == 0)
authlist = options.preferred_authentications;
if (supported == NULL || strcmp(authlist, supported) != 0) {
+ /* XXX reset pubkey state */
+ pubkey_reset(ssh->authctxt);
debug3("start over, passed a different list %s", authlist);
free(supported);
supported = xstrdup(authlist);
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list