Re: OpenSSH sabotages protocol extension

[Damien Miller <djm%mindrot.org@localhost>]

On Thu, 5 Nov 2015, denis bider wrote:

> Obviously, same thing for SSH2_MSG_USERAUTH_FAILURE:
> 
> 
>     authlist = packet_get_string(NULL);
>     partial = packet_get_char();
>     packet_check_eom();

RFC4242 section 5.1. I'll quote it for you:

> 5.1.  Responses to Authentication Requests
> 
>    If the server rejects the authentication request, it MUST respond
>    with the following:
> 
>       byte         SSH_MSG_USERAUTH_FAILURE
>       name-list    authentications that can continue
>       boolean      partial success

Note the lack of extension fields and the "MUST".

> Awesome work, guys! You have locked down every possible clean way that the
> protocol could be extended, so as to spare the client several round-trips to
> discover which signing algorithms it can use for RSA keys.

It sounds like you want to redefine the information flow of public key
authentication. If you want to do this (and I don't think it is a good
idea - I'll comment separately on the draft), then the right way to do
it is to design a new authentication method that can be negotiated by
implementations that support it.

By implementing a new "publickey2" (or whatever) method, you get to
define new SSH_MSG_USERAUTH messages, which is basically what you are
trying to do here.

> You've made it so that the only way to convey such information, and not risk
> a client disconnect, is to use a specially crafted SSH_MSG_IGNORE.

Again, RFC4252 made it this way. We just implemented it as it was written.

-d