Re: Attempts to connect to Axway SFTP server result in publickey auth loopin

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Thu, Feb 22, 2018 at 08:49:54AM -0600, Paul Ellis wrote:
> We are attempting to use openssh sftp to connect to a server that is running
> some version of the Axway SFTP server. After a publickey auth completes, the
> server resends publickey as a valid auth. This results in a loop as openssh
> sftp resubmits the publickey information. This seems similar to a discussion
> in 2014 that terminated with the thought that it might be nice if the client
> tracked this (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032800.html).
> Is there any option we can use that will prevent this behavior?

You could try this patch which defers resetting the "tried" flag on the
pubkeys until the list of authentication methods changes.  I don't have
a server with this behaviour so I'm not sure if it helps (and I'm not
sure it's the right thing to do anyway).

diff --git a/sshconnect2.c b/sshconnect2.c
index 8138e46e0..c97a9d768 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -562,8 +562,6 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh)
 
 	if (partial != 0) {
 		verbose("Authenticated with partial success.");
-		/* reset state */
-		pubkey_reset(authctxt);
 	}
 	debug("Authentications that can continue: %s", authlist);
 
@@ -1892,12 +1890,15 @@ authmethod_get(char *authlist)
 {
 	char *name = NULL;
 	u_int next;
+	struct ssh *ssh = active_state;
 
 	/* Use a suitable default if we're passed a nil list.  */
 	if (authlist == NULL || strlen(authlist) == 0)
 		authlist = options.preferred_authentications;
 
 	if (supported == NULL || strcmp(authlist, supported) != 0) {
+		/* XXX reset pubkey state */
+		pubkey_reset(ssh->authctxt);
 		debug3("start over, passed a different list %s", authlist);
 		free(supported);
 		supported = xstrdup(authlist);

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux