IETF-SSH archive


Re: authentication and debug messages.



On Fri, Sep 14, 2001 at 02:24:37PM -0600, Joseph Galbraith wrote:
> > are messages of type SSH_MSG_DEBUG allowed during authentication?
> > 
> > can I reply to a SSH_MSG_USERAUTH_REQUEST message with SSH_MSG_DEBUG
> > and SSH_MSG_USERAUTH_FAILURE?
> > 
> > our server currently sends debug messages during public key
> > authentication, some clients seem to consider this as protocol
> > violations. i'm not sure how to interpret the drafts, they are not
> > clear about when SSH_MSG_DEBUG messages are allowed.
> > 
> > e.g. the userauth draft states:
> > 
> >         The server MUST respond with SSH_MSG_USERAUTH_SUCCESS (if
> >         no more authentications are needed), or SSH_MSG_USERAUTH_FAILURE
> >         (if the request failed, or more authentications are needed).
> > 
> > so it seems SSH_MSG_DEBUG is not allowed at this point.
> > should SSH_MSG_DEBUG be allowed? at least it would help
> > debugging authentication problems....
> 
> Hmmm... I would think that higher protocol layers shouldn't
> be able to constrain lower protocol layers -- which would
> mean the DEBUG messages can be sent at any time which
> the transport draft allows them.

yes, this is what i think, but i get reports that 3.0.x from
ssh.com complains about protocol violations if i send
SSH_MSG_DEBUG during authentication.

-m
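
The layering reading discussed in this thread, as an added example that is not part of the original messages or of any implementation mentioned in them: a client-side loop that waits for the reply to SSH_MSG_USERAUTH_REQUEST and accepts transport-layer SSH_MSG_IGNORE and SSH_MSG_DEBUG in between. Message numbers and the SSH_MSG_DEBUG layout are those later published in RFC 4253 and RFC 4252; the function names and the sample payloads are constructed for illustration.

```python
import struct

# Message numbers as published in RFC 4253 (transport) and RFC 4252 (userauth).
SSH_MSG_IGNORE, SSH_MSG_DEBUG = 2, 4
SSH_MSG_USERAUTH_FAILURE, SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_BANNER = 51, 52, 53

class ProtocolError(Exception):
    """Raised for a malformed packet or a message that is not valid in this state."""

def read_string(buf, off):
    """Read an SSH 'string' (uint32 length, then bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ProtocolError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ProtocolError("truncated string body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_debug(payload):
    """SSH_MSG_DEBUG = byte type, boolean always_display, string message, string language."""
    if len(payload) < 2:
        raise ProtocolError("short SSH_MSG_DEBUG")
    msg, off = read_string(payload, 2)
    read_string(payload, off)  # language tag: validated, then ignored
    text = msg.decode("utf-8", "replace")
    # Peer-supplied text: drop control characters before it reaches a terminal or log.
    return bool(payload[1]), "".join(c for c in text if c.isprintable())

def await_userauth_reply(payloads):
    """Consume decrypted payloads until the userauth reply; return (reply type, debug list)."""
    debug = []
    for p in payloads:
        if not p:
            raise ProtocolError("empty payload")
        if p[0] == SSH_MSG_DEBUG:
            debug.append(parse_debug(p))      # transport-layer message: record, keep waiting
        elif p[0] in (SSH_MSG_USERAUTH_FAILURE, SSH_MSG_USERAUTH_SUCCESS):
            return p[0], debug
        elif p[0] not in (SSH_MSG_IGNORE, SSH_MSG_USERAUTH_BANNER):
            raise ProtocolError("unexpected message type %d during userauth" % p[0])
    raise ProtocolError("stream ended before userauth reply")

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample: the server sends DEBUG (with an embedded escape), then FAILURE.
SAMPLE = [
    bytes([SSH_MSG_DEBUG, 0]) + ssh_string(b"key not in authorized_keys\x1b[2J") + ssh_string(b""),
    bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey") + b"\x00",
]
```
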


