On Thu, Feb 22, 2018 at 08:49:54AM -0600, Paul Ellis wrote:
> We are attempting to use openssh sftp to connect to a server that is running
> some version of the Axway SFTP server. After a publickey auth completes, the
> server resends publickey as a valid auth. This results in a loop as openssh
> sftp resubmits the publickey information. This seems similar to a discussion
> in 2014 that terminated with the thought that it might be nice if the client
> tracked this (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032800.html).
> Is there any option we can use that will prevent this behavior?

You could try this patch which defers resetting the "tried" flag on the pubkeys until the list of authentication methods changes. I don't have a server with this behaviour so I'm not sure if it helps (and I'm not sure it's the right thing to do anyway).

diff --git a/sshconnect2.c b/sshconnect2.c index 8138e46e0..c97a9d768 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -562,8 +562,6 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh) if (partial != 0) { verbose("Authenticated with partial success."); - /* reset state */ - pubkey_reset(authctxt); } debug("Authentications that can continue: %s", authlist); 
@@ -1892,12 +1890,15 @@ authmethod_get(char *authlist) { char *name = NULL; u_int next; + struct ssh *ssh = active_state; /* Use a suitable default if we're passed a nil list. */ if (authlist == NULL || strlen(authlist) == 0) authlist = options.preferred_authentications; if (supported == NULL || strcmp(authlist, supported) != 0) { + /* XXX reset pubkey state */ + pubkey_reset(ssh->authctxt); debug3("start over, passed a different list %s", authlist); free(supported); supported = xstrdup(authlist);

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
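Review bot: on the input_userauth_failure() hunk, dropping `pubkey_reset(authctxt);` leaves `if (partial != 0) { verbose("Authenticated with partial success."); }` with no state change and nothing in the hunk saying where the reset went; a one-line comment here pointing at the reset now done in authmethod_get() when the method list changes would keep the two halves of this behaviour change readable together. The commit message should also spell out the consequence: after partial success, keys already marked "tried" stay marked, so a server that re-advertises the same method list no longer gets the same key offered again, which is the loop the report describes.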
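Review bot: on the authmethod_get() hunk, the `/* XXX reset pubkey state */` comment marks the new `pubkey_reset(ssh->authctxt);` call as provisional; before this lands, replace it with a comment stating the rule being implemented (tried-key state is cleared only when the server's list differs from `supported`, so an unchanged list after partial success keeps already-tried keys out of the next round). Two things to confirm against the rest of sshconnect2.c: that ssh->authctxt is always set by the time authmethod_get() runs, since the added `struct ssh *ssh = active_state;` is this function's only route to it and there is no NULL check before the call; and that on the first call, where `supported == NULL`, resetting a key list that has not been tried yet is harmless.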