Handling of multiple SSH_MSG_SERVICE_REQUEST messages
Nicola Murino
nicola.murino at gmail.com
Tue Sep 9 20:20:14 AEST 2025
Hello,
some users of the Go x/crypto/ssh library have recently reported that,
unlike OpenSSH, the Go implementation does not handle multiple
SSH_MSG_SERVICE_REQUEST messages.
More details can be found here:
https://github.com/golang/go/issues/75268
According to RFC 4253, Section 10, an SSH_MSG_SERVICE_REQUEST is
expected after the key exchange, after which the flow described in RFC
4252 should be followed.
The Go library strictly follows this sequence, which is causing
compatibility issues with the Paramiko Python library when configured to
reuse the same connection.
Below are logs illustrating how OpenSSH handles this scenario:
set 05 18:26:53 p16s sshd-session[62086]: debug3: userauth_finish:
failure partial=0 next methods="publickey,password" [preauth]
set 05 18:26:53 p16s sshd-session[62086]: debug3: send packet: type 51
[preauth]
set 05 18:26:53 p16s sshd-session[62086]: debug3: receive packet: type 5
[preauth]
set 05 18:26:53 p16s sshd-session[62086]: debug3: send packet: type 6
[preauth]
set 05 18:26:53 p16s sshd-session[62086]: debug3: receive packet: type
50 [preauth]
Is this behavior in OpenSSH intentional, perhaps for compatibility with
clients beyond Paramiko?
We ask to understand if it would be worthwhile to align the Go
implementation with OpenSSH’s handling.
Generally, we prefer to maintain stricter adherence to the RFC (in the
Go library) unless there is a clear compatibility need.
Thank you in advance,
Regards
Nicola
More information about the openssh-unix-dev
mailing list