Handling of multiple SSH_MSG_SERVICE_REQUEST messages

Nicola Murino nicola.murino at gmail.com
Wed Sep 10 18:22:01 AEST 2025


On 10/09/25 01:02, Damien Miller wrote:
> On Wed, 10 Sep 2025, Damien Miller wrote:
>
>> On Tue, 9 Sep 2025, Nicola Murino wrote:
>>
>>> Hello,
>>>
>>> some users of the Go x/crypto/ssh library have recently reported that,
>>> unlike OpenSSH, the Go implementation does not handle multiple
>>> SSH_MSG_SERVICE_REQUEST messages.
>>>
>>> More details can be found here:
>>>
>>> https://github.com/golang/go/issues/75268
>>>
>>> According to RFC 4253, Section 10, an SSH_MSG_SERVICE_REQUEST is
>>> expected after the key exchange, after which the flow described in RFC
>>> 4252 should be followed.
>>> The Go library strictly follows this sequence, which is causing
>>> compatibility issues with the Paramiko Python library when configured to
>>> reuse the same connection.
>> IMO OpenSSH is wrong here - it shouldn't allow multiple SERVICE_REQUEST
>> Paramiko is wrong for sending them. It should send a single
>> SERVICE_REQUEST followed by as many USERAUTH_REQUEST as necessary.
> IMO the relevant RFC text that indicates that there should only be a
> single SERVICE_REQUEST for ssh-userauth is in RFC4251 section 1:

Thank you! I really appreciate the quick reply and for pointing out the
relevant specs,

Nicola

>
>>    The client sends a service request once a secure transport layer
>>    connection has been established.  A second service request is sent
>>    after user authentication is complete.  This allows new protocols to
>>    be defined and coexist with the protocols listed above.
> If a second SERVICE_REQUEST is sent after authentication then this
> precludes multiple SERVICE_REQUESTS being sent during authentication.
>
> -d
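
The ordering argued for in this thread (one SERVICE_REQUEST for ssh-userauth, then any number of USERAUTH_REQUEST messages), sketched as a server-side state check. This is an added example, not code from x/crypto/ssh, OpenSSH or the participants; `clientMsg`, `checkSequence` and the `AuthOK` flag are hypothetical simplifications, and the sample sequence in `main` is constructed.

```go
package main

import "fmt"

// Message numbers from RFC 4253 (transport) and RFC 4252 (userauth).
const (
	msgServiceRequest  = 5  // SSH_MSG_SERVICE_REQUEST
	msgUserauthRequest = 50 // SSH_MSG_USERAUTH_REQUEST
)

// clientMsg is a hypothetical, simplified view of a decoded client packet.
type clientMsg struct {
	Type    byte
	Service string // service name carried by SERVICE_REQUEST
	AuthOK  bool   // constructed: server would answer USERAUTH_SUCCESS
}
var errRepeated = fmt.Errorf("SERVICE_REQUEST repeated during authentication")
var errUnexpected = fmt.Errorf("message not valid in this state (simplified model)")

// checkSequence returns the index of the first offending message, or -1.
func checkSequence(msgs []clientMsg) (int, error) {
	const (
		wantService = iota // transport up, no service requested yet
		inAuth             // ssh-userauth accepted, authentication running
		authed             // authentication complete
	)
	state := wantService
	for i, m := range msgs {
		switch {
		case state == wantService && m.Type == msgServiceRequest && m.Service == "ssh-userauth":
			state = inAuth
		case state == inAuth && m.Type == msgUserauthRequest:
			if m.AuthOK {
				state = authed
			}
		case state == inAuth && m.Type == msgServiceRequest:
			return i, errRepeated // the case discussed in this thread
		case state == authed && m.Type == msgServiceRequest: // after auth, per the RFC 4251 text quoted above
		default:
			return i, errUnexpected
		}
	}
	return -1, nil
}

func main() {
	// Constructed sequence: a client re-sending SERVICE_REQUEST before retrying auth.
	reuse := []clientMsg{{Type: 5, Service: "ssh-userauth"}, {Type: 50}, {Type: 5, Service: "ssh-userauth"}, {Type: 50, AuthOK: true}}
	fmt.Println(checkSequence(reuse))
}
```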


