Re: OpenSSH 6.6.x sends invalid SSH_MSG_USERAUTH_INFO_REQUEST

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi Stephen.

I accidentally dropped you off the thread by replying to an earlier post.

The TL;DR is that I think OpenSSH's behaviour is RFC-compliant although not
optimal.

You can read the rest of the thread here:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-April/033789.html

On Tue, Apr 7, 2015 at 3:47 PM, Stephen Hurd <shurd@xxxxxxxxxxx> wrote:
>
> The problem was originally reported via IRC against "a couple different
> Linux distros", and I found I could reproduce with my FreeBSD 11 box so
> I added a local patch to work around it, sent it to the reporter who
> confirmed that it solved his issue.  I can try to find out the specific
> distros, though I suspect they have vendor patches as well.
>

I suspect the behaviour will be present in any system with UsePAM=yes
and KbdInteractiveAuthentication=yes (or
ChallengeResponseAuthentication=yes, from which
KbdInteractiveAuthentication gets its default value).

I also suspect you can work around it by
setting KbdInteractiveAuthentication=no and PasswordAuthentication=yes,
assuming your PAM modules are simple enough that this works.


> His system also had all the CBC ciphers disabled by default, including
> the mandatory 3des-cbc and recommended aes128-cbc, so I suspect a
> reaction to some padding oracle attack (I don't really keep up) was
> involved on his systems.  It seems that Cryptlib only does CBC, so I had
> to walk him through re-enabling those.


FWIW I don't think the ciphers have any impact on this behaviour.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux