IETF-SSH archive


Re: authentication and debug messages.



> are messages of type SSH_MSG_DEBUG allowed during authentication?
> 
> can I reply to a SSH_MSG_USERAUTH_REQUEST message with SSH_MSG_DEBUG
> and SSH_MSG_USERAUTH_FAILURE?
> 
> our server currently sends debug messages during public key
> authentication; some clients seem to consider this a protocol
> violation. I'm not sure how to interpret the drafts, they are not
> clear about when SSH_MSG_DEBUG messages are allowed.
> 
> e.g. the userauth draft states:
> 
>         The server MUST respond with SSH_MSG_USERAUTH_SUCCESS (if
>         no more authentications are needed), or SSH_MSG_USERAUTH_FAILURE
>         (if the request failed, or more authentications are needed).
> 
> so it seems SSH_MSG_DEBUG is not allowed at this point.
> should SSH_MSG_DEBUG be allowed? at least it would help
> debugging authentication problems....

Hmmm... I would think that higher protocol layers shouldn't
be able to constrain lower protocol layers -- which would
mean the DEBUG messages can be sent at any time the
transport draft allows them.

Similarly, IGNORE messages, or even key exchange messages,
should be allowed at any time the transport draft allows them,
regardless of what service is running, or what state it is in.

In fact, for the most part, I think the services, such as userauth
and connection, are supposed to be pretty ignorant of the
transport -- if you think about it, the connection service
really isn't tied to the SSH transport, and could run over
another transport if someone wanted to.

- Joseph Galbraith
galb-list%vandyke.com@localhost
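The layering argued for above, as an added illustration that is not part of this thread and not code from any SSH implementation discussed in it: a client that is waiting for the answer to its SSH_MSG_USERAUTH_REQUEST, written two ways. The "strict" version expects only USERAUTH_SUCCESS or USERAUTH_FAILURE next and treats anything else as a violation (the behaviour the original poster ran into); the "layered" version lets the transport layer consume IGNORE and DEBUG first, whatever state userauth is in, and only then hands the message to the userauth service. The code works on decrypted message payloads only (no binary-packet framing, encryption or MAC), uses the message numbers assigned in RFC 4253 and RFC 4252, and the server payloads at the bottom are constructed, not captured traffic.

```python
import struct

# Message numbers from the transport layer (RFC 4253) and the userauth service (RFC 4252).
SSH_MSG_DISCONNECT = 1
SSH_MSG_IGNORE = 2
SSH_MSG_DEBUG = 4
SSH_MSG_KEXINIT = 20
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_BANNER = 53

# Minimal SSH wire-type encoders/decoder (RFC 4251 section 5).
def enc_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def enc_bool(v: bool) -> bytes:
    return b"\x01" if v else b"\x00"

def enc_namelist(names) -> bytes:
    return enc_string(",".join(names).encode("ascii"))

class Reader:
    """Sequential decoder over one message payload (bytes after decryption and MAC check)."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def byte(self) -> int:
        v = self.data[self.pos]; self.pos += 1; return v
    def boolean(self) -> bool:
        return self.byte() != 0
    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos); self.pos += 4
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated string")
        self.pos += n; return s
    def namelist(self):
        s = self.string().decode("ascii")
        return s.split(",") if s else []

# Payload builders for the constructed server side of the exchange.
def msg_debug(text: str, always_display=False) -> bytes:
    # byte DEBUG, boolean always_display, string message, string language tag
    return bytes([SSH_MSG_DEBUG]) + enc_bool(always_display) + enc_string(text.encode()) + enc_string(b"")

def msg_ignore(data: bytes) -> bytes:
    return bytes([SSH_MSG_IGNORE]) + enc_string(data)

def msg_userauth_failure(methods, partial=False) -> bytes:
    # byte FAILURE, name-list authentications that can continue, boolean partial success
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + enc_namelist(methods) + enc_bool(partial)

def msg_userauth_success() -> bytes:
    return bytes([SSH_MSG_USERAUTH_SUCCESS])

class ProtocolError(Exception):
    pass

def strict_client(payloads):
    """Userauth state machine that knows nothing about the transport: the next message
    after its request must be SUCCESS or FAILURE, so a DEBUG reads as a violation."""
    r = Reader(payloads[0])
    t = r.byte()
    if t == SSH_MSG_USERAUTH_SUCCESS:
        return {"result": "success"}
    if t == SSH_MSG_USERAUTH_FAILURE:
        return {"result": "failure", "methods": r.namelist(), "partial": r.boolean()}
    return {"result": "protocol_violation", "got": t}

def layered_client(payloads):
    """Transport-layer messages are handled first, regardless of userauth state;
    only service-level messages reach the userauth logic."""
    debug, banners = [], []
    for p in payloads:
        r = Reader(p)
        t = r.byte()
        if t == SSH_MSG_IGNORE:          # transport: discard payload, keep waiting
            r.string(); continue
        if t == SSH_MSG_DEBUG:           # transport: record, optionally show, keep waiting
            debug.append((r.boolean(), r.string().decode("utf-8", "replace"))); continue
        if t == SSH_MSG_DISCONNECT:
            raise ProtocolError("server disconnected during userauth")
        if t == SSH_MSG_KEXINIT:         # transport: a real client would rekey, then resume here
            raise NotImplementedError("re-exchange during userauth is not shown in this example")
        if t == SSH_MSG_USERAUTH_BANNER:  # service: allowed any time before SUCCESS
            banners.append(r.string().decode("utf-8", "replace")); continue
        if t == SSH_MSG_USERAUTH_SUCCESS:
            return {"result": "success", "debug": debug, "banners": banners}
        if t == SSH_MSG_USERAUTH_FAILURE:
            return {"result": "failure", "methods": r.namelist(), "partial": r.boolean(),
                    "debug": debug, "banners": banners}
        raise ProtocolError(f"unexpected message {t} during userauth")
    raise ProtocolError("no answer to USERAUTH_REQUEST")

# Constructed reply from a server that emits a DEBUG (and an IGNORE) before its verdict.
SAMPLE_SERVER_REPLY = [
    msg_debug("publickey: key not in authorized keys"),
    msg_ignore(b"cover traffic"),
    msg_userauth_failure(["publickey", "password"], partial=False),
]

if __name__ == "__main__":
    print(strict_client(SAMPLE_SERVER_REPLY))   # protocol_violation, got 4
    print(layered_client(SAMPLE_SERVER_REPLY))  # failure, methods publickey,password, one debug line
```

The point of the split is that the userauth code in `layered_client` is identical to the strict one; the tolerance lives entirely in the transport-level branches that run before it, which is what "the service is ignorant of the transport" means in practice.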




