Re: When SSH standards noncompliance is a "feature"

[Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>]

Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>4253 goes on to say that "[i]f the 'comments' string is included, a 'space'
>character (denoted above as SP, ASCII 32) MUST separate the 'softwareversion'
>and 'comments' strings".

So it's even worse than what I initially reported.  What it's sending isn't
just a truncated SSH ID but the truncated ID followed by a string of space
characters, which aren't immediately visible unless you're looking at a hex
dump.  In other words it's an SSH ID with the version number missing and then
a space delimiter to indicate that a comments string follows, with the
comments string missing.  Mind you since the 'softwareversion' is missing it's
not a valid SSH ID, so it's not clear whether the signalling of the presence
of a 'comments' string that doesn't exist is another problem or not.

I don't want to publicly name and shame but if someone wants the server FQDN
for testing against, let me know.  In brief, if your client can connect to
this server then it's not implementing SSH correctly.

Peter.