IETF-SSH archive


Re: Ambiguities in section 3.1 of the keyboard-interactive draft



Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:
>On Wednesday, September 29, 2004 03:47:16 +1200 Peter Gutmann
><pgut001%cs.auckland.ac.nz@localhost> wrote:
>>(That's pretty weird behaviour: You can't send it a standard password,
>> but you can send it the password dressed up as keyboard-interactive auth
>> provided you don't tell it that it's a password).
>
>You mean, that you don't randomly make up a submethod name that the server
>has never heard of?  Well, yes.

So OpenSSH's behaviour is as follows:

1. It immediately rejects attempts to auth using any method it hasn't heard
   of.
2. The methods it doesn't reject are undocumented.

This means that the only way to talk to an OpenSSH server is to act as if
there was an implicit requirement that clients MUST NOT set the submethods
field.  With this behaviour OpenSSH isn't even compatible with itself: if a
future version of OpenSSH adds a new submethod, all current versions will
reject attempts to connect from the new version because they'll see a
submethod they don't recognise.

Peter.
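
An added example, not part of the original message and not OpenSSH code: it builds and parses the keyboard-interactive SSH_MSG_USERAUTH_REQUEST (user name, service name, method name, language tag, submethods) and compares the reject-on-unknown policy the message describes with one that treats the submethods field as a hint. The submethod names "otp-a" and "otp-b" and the two select_* helpers are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from the SSH userauth protocol

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_kbdint_request(user, submethods, service="ssh-connection", lang=""):
    """Client side: user, service, method name, language tag, submethods."""
    fields = [user, service, "keyboard-interactive", lang, ",".join(submethods)]
    return bytes([SSH_MSG_USERAUTH_REQUEST]) + b"".join(
        ssh_string(f.encode("utf-8")) for f in fields)

def parse_kbdint_request(payload: bytes) -> dict:
    """Server side: bounds-checked parse of the five string fields."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    pos, out = 1, []
    for _ in range(5):
        if pos + 4 > len(payload):
            raise ValueError("truncated length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if n > len(payload) - pos:
            raise ValueError("string overruns packet")
        out.append(payload[pos:pos + n].decode("utf-8"))
        pos += n
    if pos != len(payload):
        raise ValueError("trailing bytes")
    user, service, method, lang, sub = out
    if method != "keyboard-interactive":
        raise ValueError("wrong method")
    return {"user": user, "service": service, "lang": lang,
            "submethods": [s for s in sub.split(",") if s]}

def select_strict(requested, supported):
    """Policy described in the message: any unknown name rejects the request."""
    if any(s not in supported for s in requested):
        return None  # request refused outright
    return [s for s in supported if s in requested] or list(supported)

def select_hint(requested, supported):
    """Alternative: treat the field as a preference hint, ignore unknown names."""
    preferred = [s for s in requested if s in supported]
    return preferred or list(supported)
```

With an empty submethods field both policies fall back to the server's own list, so the difference only shows up when a client names something the server does not know.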


