IETF-SSH archive


Re: OpenSSH sabotages protocol extension



Obviously, same thing for SSH2_MSG_USERAUTH_FAILURE:


    authlist = packet_get_string(NULL);
    partial = packet_get_char();
    packet_check_eom();


Awesome work, guys! You have locked down every possible clean way that the protocol could be extended, so as to spare the client several round-trips to discover which signing algorithms it can use for RSA keys.

You've made it so that the only way to convey such information, and not risk a client disconnect, is to use a specially crafted SSH_MSG_IGNORE.

Tremendous, just tremendous.


denis bider <ietf-ssh3%denisbider.com@localhost>, 11/5/2015 3:21 AM:
Well, I'm slightly pissed.

Why does OpenSSL do stupid shit like this?


    type = packet_read();
    if (type != SSH2_MSG_SERVICE_ACCEPT)
        fatal("Server denied authentication request: %d", type);
    if (packet_remaining() > 0) {
        char *reply = packet_get_string(NULL);
        debug2("service_accept: %s", reply);
        free(reply);
    } else {
        debug2("buggy server: service_accept w/o service");
    }
    packet_check_eom();
    debug("SSH2_MSG_SERVICE_ACCEPT received");


Note the genius inclusion of packet_check_eom() after decoding SERVICE_ACCEPT. Guess what this line does?


    #define ssh_packet_check_eom(ssh) \
    do { \
        int _len = ssh_packet_remaining(ssh); \
        if (_len > 0) { \
            logit("Packet integrity error (%d bytes remaining) at %s:%d", \
                _len ,__FILE__, __LINE__); \
            ssh_packet_disconnect(ssh, \
                "Packet integrity error."); \
        } \
    } while (0)

    #define packet_check_eom() \
        ssh_packet_check_eom(active_state)


Yes. It disconnects if there's any extra data after the recognized field in SERVICE_ACCEPT.

What possible purpose does this serve?

What possible purpose at all, other than to sabotage future extension?

Thanks to this, we cannot add a field to SERVICE_ACCEPT so that the server could advertise what signature algorithms it accepts for user authentication.

Thank you, OpenSSH. /s

Again.
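
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSH code: a minimal parser for the SSH2_MSG_SERVICE_ACCEPT payload (one SSH string, the service name) with a strict mode that rejects trailing bytes, as packet_check_eom() does, and a tolerant mode that skips them. The function names, result codes and sample payloads are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Result codes invented for this illustration. */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TRAILING = -2 };

/* Read one SSH "string" (uint32 big-endian length, then bytes) at *off. */
static int get_string(const uint8_t *p, size_t len, size_t *off,
                      const uint8_t **s, uint32_t *slen)
{
    if (len - *off < 4)
        return PARSE_TRUNCATED;
    uint32_t n = (uint32_t)p[*off] << 24 | (uint32_t)p[*off + 1] << 16 |
                 (uint32_t)p[*off + 2] << 8 | (uint32_t)p[*off + 3];
    if (len - *off - 4 < n)          /* declared length exceeds the packet */
        return PARSE_TRUNCATED;
    *s = p + *off + 4;
    *slen = n;
    *off += 4 + (size_t)n;
    return PARSE_OK;
}

/* Parse the SERVICE_ACCEPT payload that follows the message type byte.
 * strict != 0: any byte after the service name is an error (check_eom style).
 * strict == 0: unknown trailing fields are skipped; *extra counts them. */
int parse_service_accept(const uint8_t *p, size_t len, int strict,
                         const uint8_t **name, uint32_t *name_len, size_t *extra)
{
    size_t off = 0;
    int r = get_string(p, len, &off, name, name_len);
    if (r != PARSE_OK)
        return r;
    *extra = len - off;
    return (strict && *extra > 0) ? PARSE_TRAILING : PARSE_OK;
}

/* Constructed payloads: "ssh-userauth" alone, then followed by an extra string "x". */
static const uint8_t plain_msg[] = { 0,0,0,12,'s','s','h','-','u','s','e','r','a','u','t','h' };
static const uint8_t extended_msg[] = { 0,0,0,12,'s','s','h','-','u','s','e','r','a','u','t','h',
                                        0,0,0,1,'x' };

int main(void)
{
    const uint8_t *name; uint32_t nlen; size_t extra;
    int strict = parse_service_accept(extended_msg, sizeof extended_msg, 1, &name, &nlen, &extra);
    int loose = parse_service_accept(extended_msg, sizeof extended_msg, 0, &name, &nlen, &extra);
    printf("strict=%d tolerant=%d extra=%zu\n", strict, loose, extra);
    return 0;
}
```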



