Dear all,

For my thesis, I've been working on automatic inference of state machines for SSH servers. I ran into a couple of particularities regarding OpenSSH's inferred state machine, and was hoping some of you might be interested. Maybe you can even shed some light on it.

Setup: I'm using LearnLib's (Java) version of the L* learning algorithm [1] to come up with sequences of textual representations of SSH messages (such as "DEBUG; DISCONNECT"). An altered version of Paramiko (Python) receives those queries and translates them to actual SSH traffic, which is sent to OpenSSH. Responses are fed to the learning algorithm, resulting in a state machine. The PDFs of inferred state machines, as well as the used messages, can be found online [2]. I've queried the transport layer, user authentication layer and connection layer separately.

Now for my questions. Assuming my results are correct, it seems that:

1) OpenSSH is extremely liberal when it comes to exchanging kexinit messages (openssh-localhost-L1.pdf). It allows entering a key exchange without receiving a proper kexinit message at all. Since this message is required to exchange parameters, does this imply that OpenSSH will guess those when no kexinit is received?

2) OpenSSH does not allow rekeying until after correct user authentication. The RFCs specify otherwise. Is this a deliberate choice?

3) OpenSSH shows peculiar behavior in user re-authentication. Some re-authentication methods seem to be disallowed after an unsuccessful authentication attempt. You can see what I mean in openssh-localhost-L2.pdf. Is this intended behavior, a bug, or perhaps an error on my side?

4) Unlike other tested SSH servers, OpenSSH seems to close the entire connection (rather than close the channel) on a channel-close message in certain conditions. This results in the 'has_commands' and 'has_commands_pty' states in openssh-localhost-L3.pdf. I was wondering why. An error on my side, or intended behavior?

I'd be more than happy to hear what you think about the results. Please let me know if you need any further information! I can also share a conceptual version of my thesis for those interested.

Kind regards,
Patrick

[1] http://sp09.pbworks.com/f/LearningJournal.pdf
[2] https://drive.google.com/folderview?id=0B6T2_FvFKPIkRGdqVDFtOXNQQWc

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
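As an added illustration of the learning setup described in the post (this is example code, not Patrick's mapper, not LearnLib, and not anything from OpenSSH), the following Python sketch implements the L* observation-table algorithm for Mealy machines and runs it against a constructed toy SSH-transport-like server. The toy server, its state names and its message outputs (KEXINIT, NEWKEYS, USERAUTH, NO_RESP, NO_CONN and so on) are all assumptions made up for the example; the server ignores a KEXINIT before authentication, loosely mirroring the rekeying observation above, and has one state that only a two-message suffix can tell apart, so the counterexample-handling path of the algorithm is actually exercised. The bounded exhaustive equivalence oracle stands in for the conformance-testing oracle a real setup would use against a live server.

```python
from itertools import product

INPUTS = ("KEXINIT", "NEWKEYS", "USERAUTH", "DISCONNECT")
K, N, U, D = INPUTS

# Constructed toy server (hypothetical, NOT OpenSSH): (state, input) -> (output, next state).
# States: 0 fresh, 1 kex in progress, 2 keyed/unauthenticated, 3 authenticated,
# 4 connection closed, 5 rekey in progress while authenticated.
# A KEXINIT before authentication is ignored (NO_RESP); after authentication it starts a rekey.
TOY_SERVER = {
    (0, K): ("KEXINIT", 1),    (0, N): ("DISCONNECT", 4), (0, U): ("DISCONNECT", 4),       (0, D): ("NO_RESP", 4),
    (1, K): ("DISCONNECT", 4), (1, N): ("NEWKEYS", 2),    (1, U): ("DISCONNECT", 4),       (1, D): ("NO_RESP", 4),
    (2, K): ("NO_RESP", 2),    (2, N): ("DISCONNECT", 4), (2, U): ("USERAUTH_SUCCESS", 3), (2, D): ("NO_RESP", 4),
    (3, K): ("KEXINIT", 5),    (3, N): ("DISCONNECT", 4), (3, U): ("NO_RESP", 3),          (3, D): ("NO_RESP", 4),
    (5, K): ("DISCONNECT", 4), (5, N): ("NEWKEYS", 3),    (5, U): ("DISCONNECT", 4),       (5, D): ("NO_RESP", 4),
}
for sym in INPUTS:
    TOY_SERVER[(4, sym)] = ("NO_CONN", 4)   # a closed connection answers nothing

class Mealy:
    """A Mealy machine; also serves as the system under learning (reset, then replay a word)."""
    def __init__(self, table, initial):
        self.table, self.initial = table, initial
    def query(self, word):
        state, outs = self.initial, []
        for sym in word:
            out, state = self.table[(state, sym)]
            outs.append(out)
        return tuple(outs)
    def num_states(self):
        return len({s for s, _ in self.table})

class LStarMealy:
    """Angluin-style L* with an observation table over access prefixes S and suffixes E."""
    def __init__(self, sul, inputs):
        self.sul, self.inputs, self.cache = sul, inputs, {}
        self.S = [()]                          # access sequences (rows)
        self.E = [(a,) for a in inputs]        # distinguishing suffixes (columns)
    def mq(self, word):                        # membership query, cached
        if word not in self.cache:
            self.cache[word] = self.sul.query(word)
        return self.cache[word]
    def row(self, prefix):                     # only the outputs produced by the suffix part
        return tuple(self.mq(prefix + e)[len(prefix):] for e in self.E)
    def _close(self):                          # every one-step extension must match a row in S
        rows = {self.row(s) for s in self.S}
        for s in self.S:
            for a in self.inputs:
                if self.row(s + (a,)) not in rows:
                    self.S.append(s + (a,))
                    return True
        return False
    def _make_consistent(self):                # equal rows need equal successors, else add a suffix
        for i, s1 in enumerate(self.S):
            for s2 in self.S[i + 1:]:
                if self.row(s1) != self.row(s2):
                    continue
                for a in self.inputs:
                    r1, r2 = self.row(s1 + (a,)), self.row(s2 + (a,))
                    if r1 != r2:
                        k = next(j for j, (x, y) in enumerate(zip(r1, r2)) if x != y)
                        self.E.append((a,) + self.E[k])
                        return True
        return False
    def hypothesis(self):
        reps = {}                              # row -> first access sequence with that row
        for s in self.S:
            reps.setdefault(self.row(s), s)
        ids = {r: i for i, r in enumerate(reps)}
        table = {}
        for r, s in reps.items():
            for a in self.inputs:
                table[(ids[r], a)] = (self.mq(s + (a,))[-1], ids[self.row(s + (a,))])
        return Mealy(table, ids[self.row(())])
    def learn(self, max_len):
        while True:
            while self._close() or self._make_consistent():
                pass
            hyp = self.hypothesis()
            cex = find_counterexample(self.sul, hyp, self.inputs, max_len)
            if cex is None:
                return hyp
            for i in range(1, len(cex) + 1):   # Angluin: add every prefix of the counterexample
                if cex[:i] not in self.S:
                    self.S.append(cex[:i])

def find_counterexample(sul, hyp, inputs, max_len):
    """Bounded exhaustive equivalence oracle; a live setup would use conformance testing."""
    for n in range(1, max_len + 1):
        for word in product(inputs, repeat=n):
            if sul.query(word) != hyp.query(word):
                return word
    return None

def learn_toy_server(max_len=6):
    learner = LStarMealy(Mealy(TOY_SERVER, 0), INPUTS)
    return learner.learn(max_len), learner

if __name__ == "__main__":
    model, learner = learn_toy_server()
    print(model.num_states(), "states;", len(learner.E), "suffixes;", len(learner.cache), "membership queries")
    for (state, sym), (out, nxt) in sorted(model.table.items()):
        print(f"q{state} --{sym}/{out}--> q{nxt}")
```

The first hypothesis has only five states because the rekey-in-progress state and the initial-kex state answer every single message identically; the oracle returns the six-message counterexample KEXINIT NEWKEYS USERAUTH KEXINIT NEWKEYS KEXINIT, the consistency check adds the suffix NEWKEYS KEXINIT to E, and the second hypothesis matches the toy server exactly. This is the same mechanism by which the real learner discovers, for example, that a server treats a channel-close message differently depending on what came earlier in the session.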