Re: Interop lsh and SSH-2.0-GitLab-SSHD

[Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>]

Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>4252 clearly specifies (top of page 9) after describing USERAUTH_REQUEST with
>no included signature, that the server "MUST respond to this message with
>either SSH_MSG_USERAUTH_FAILURE or with the following", followed by a
>description of a SSH_MSG_USERAUTH_PK_OK message.

Lest the hand of God come down and smite you, for we all know how seriously he
takes RFCs.

Why does the RFC even allow Blackadder Authentication?  The only use for it
I've found so far is confusing servers into letting you in as someone you're
not by performing the auth in enough bits and pieces that the state machine
gets confused.  I actually had to implement a considerable amount of extra
checking in my code to make sure this can't happen, in the end I just allowed
one path through the auth process and if you don't follow that you get kicked
out.  Since I've never had any reports of this blocking access I assume all
clients more or less follow the same stereotyped silly-walk, which is probably
why I managed to log in as root when I wasn't by avoiding said stereotyped
silly-walk and the server didn't expect that.

>You two, what do you send as banner (SSH-2.0-what?)?

Just SSH-2.0-cryptlib, but I doubt gitlab would care about that unless, as you
point out, it's incorrectly fingerprinting a workaround for a bug that isn't
there.

Peter.