Handling of multiple SSH_MSG_SERVICE_REQUEST messages
Damien Miller
djm at mindrot.org
Wed Sep 10 08:41:29 AEST 2025
On Tue, 9 Sep 2025, Nicola Murino wrote:
> Hello,
>
> some users of the Go x/crypto/ssh library have recently reported that,
> unlike OpenSSH, the Go implementation does not handle multiple
> SSH_MSG_SERVICE_REQUEST messages.
>
> More details can be found here:
>
> https://github.com/golang/go/issues/75268
>
> According to RFC 4253, Section 10, an SSH_MSG_SERVICE_REQUEST is
> expected after the key exchange, after which the flow described in RFC
> 4252 should be followed.
> The Go library strictly follows this sequence, which is causing
> compatibility issues with the Paramiko Python library when configured to
> reuse the same connection.

IMO OpenSSH is wrong here - it shouldn't allow multiple SERVICE_REQUEST.
Paramiko is wrong for sending them. It should send a single
SERVICE_REQUEST followed by as many USERAUTH_REQUEST as necessary.

I'll make a patch to enforce the state machine more rigorously here.

-d
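
The sequencing rule discussed in this thread (one SERVICE_REQUEST, then any number of USERAUTH_REQUEST) can be modelled as a small per-connection state machine. This is an added example, not code from OpenSSH, x/crypto/ssh, Paramiko or the patch mentioned above; the `phase`, `step` and `firstViolation` names are hypothetical, the message numbers are those of RFC 4253 and RFC 4252, and the traces are constructed.

```go
package main

import "fmt"

// Message numbers from RFC 4253 (transport) and RFC 4252 (user auth).
const (
	msgServiceRequest  = 5  // SSH_MSG_SERVICE_REQUEST
	msgUserAuthRequest = 50 // SSH_MSG_USERAUTH_REQUEST
)

var errSequence = fmt.Errorf("message not allowed in this state")

type phase int // hypothetical per-connection state, set after key exchange

const (
	awaitService  phase = iota // no service requested yet
	inUserAuth                 // service accepted, auth attempts allowed
	authenticated              // USERAUTH_SUCCESS already sent
)

// step returns the phase after one client message, or errSequence.
// authOK stands in for the server's verdict on an auth attempt.
func step(p phase, msg byte, authOK bool) (phase, error) {
	switch {
	case p == awaitService && msg == msgServiceRequest:
		return inUserAuth, nil
	case p == inUserAuth && msg == msgUserAuthRequest && authOK:
		return authenticated, nil
	case p != awaitService && msg == msgUserAuthRequest:
		return p, nil // failed attempt may be retried; after success RFC 4252 says ignore
	}
	return p, errSequence // e.g. a second SERVICE_REQUEST, or auth before any service
}

// firstViolation replays client message types with every auth attempt
// failing and returns the index of the first rejected one, or -1.
func firstViolation(msgs []byte) int {
	p := awaitService
	for i, m := range msgs {
		var err error
		if p, err = step(p, m, false); err != nil {
			return i
		}
	}
	return -1
}

func main() {
	// Constructed traces: one request then retries, and a request repeated per attempt.
	fmt.Println(firstViolation([]byte{5, 50, 50, 50}), firstViolation([]byte{5, 50, 5, 50}))
}
```

The model tracks message types only; a real server would also check that the requested service name is "ssh-userauth".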