Handling of multiple SSH_MSG_SERVICE_REQUEST messages
Damien Miller
djm at mindrot.org
Wed Sep 10 09:02:59 AEST 2025
On Wed, 10 Sep 2025, Damien Miller wrote:
> On Tue, 9 Sep 2025, Nicola Murino wrote:
>
> > Hello,
> >
> > some users of the Go x/crypto/ssh library have recently reported that,
> > unlike OpenSSH, the Go implementation does not handle multiple
> > SSH_MSG_SERVICE_REQUEST messages.
> >
> > More details can be found here:
> >
> > https://github.com/golang/go/issues/75268
> >
> > According to RFC 4253, Section 10, an SSH_MSG_SERVICE_REQUEST is
> > expected after the key exchange, after which the flow described in RFC
> > 4252 should be followed.
> > The Go library strictly follows this sequence, which is causing
> > compatibility issues with the Paramiko Python library when configured to
> > reuse the same connection.
>
> IMO OpenSSH is wrong here - it shouldn't allow multiple SERVICE_REQUEST.
> Paramiko is wrong for sending them. It should send a single
> SERVICE_REQUEST followed by as many USERAUTH_REQUEST as necessary.

IMO the relevant RFC text that indicates that there should only be a
single SERVICE_REQUEST for ssh-userauth is in RFC4251 section 1:

> The client sends a service request once a secure transport layer
> connection has been established. A second service request is sent
> after user authentication is complete. This allows new protocols to
> be defined and coexist with the protocols listed above.

If a second SERVICE_REQUEST is sent after authentication then this
precludes multiple SERVICE_REQUESTS being sent during authentication.

-d
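
The strict reading argued in this message, as an added example (not code from OpenSSH, x/crypto/ssh or Paramiko): a server-side check for the pre-authentication phase that accepts one SERVICE_REQUEST for ssh-userauth, then any number of USERAUTH_REQUESTs, and rejects a repeated SERVICE_REQUEST. The names authGate, Handle and serviceRequest are hypothetical; the message numbers are those of RFC 4253 and RFC 4252, and the payloads in main are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Message numbers from RFC 4253 (transport) and RFC 4252 (userauth).
const (
	msgServiceRequest  = 5
	msgUserauthRequest = 50
)

var errProtocol = errors.New("unexpected message for this protocol phase")

// authGate (hypothetical name) tracks the pre-authentication phase on the server.
// Assumption: transport messages (IGNORE, DEBUG, KEXINIT, ...) are handled before it.
type authGate struct{ serviceAccepted bool }

// serviceRequest builds a constructed payload: byte 5, then uint32 length + service name.
func serviceRequest(name string) []byte {
	p := binary.BigEndian.AppendUint32([]byte{msgServiceRequest}, uint32(len(name)))
	return append(p, name...)
}

// Handle checks one decrypted packet payload against the strict sequence.
func (g *authGate) Handle(p []byte) error {
	switch {
	case len(p) >= 5 && p[0] == msgServiceRequest:
		n := binary.BigEndian.Uint32(p[1:5])
		// Reject a bad length, a service other than ssh-userauth, or a repeat.
		if uint64(n) != uint64(len(p)-5) || string(p[5:]) != "ssh-userauth" || g.serviceAccepted {
			return errProtocol
		}
		g.serviceAccepted = true // server would reply SSH_MSG_SERVICE_ACCEPT (6)
		return nil
	case len(p) >= 1 && p[0] == msgUserauthRequest && g.serviceAccepted:
		return nil // body goes to the auth method handlers (not shown)
	}
	return errProtocol // includes USERAUTH_REQUEST before any SERVICE_REQUEST
}

func main() {
	g := &authGate{}
	for _, p := range [][]byte{serviceRequest("ssh-userauth"), {50}, {50}, serviceRequest("ssh-userauth")} {
		fmt.Println(p[0], g.Handle(p))
	}
}
```

A server that accepts repeated SERVICE_REQUESTs, as the thread says OpenSSH does, would instead let the repeated request through while serviceAccepted is already set.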