Bug 1361

Summary: ssh should handle leading comma in authentication method list
Product: Portable OpenSSH Reporter: Graeme Hewson <ghewson>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: normal CC: djm, dtucker
Priority: P2    
Version: 4.7p1   
Hardware: ix86   
OS: Linux   

Description Graeme Hewson 2007-09-12 20:57:00 AEST 
It's not possible to connect to a certain proprietary appliance using OpenSSH.  Here's an extract from a debug log:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ghewson/.ssh/identity ((nil))
debug2: key: /home/ghewson/.ssh/id_rsa ((nil))
debug2: key: /home/ghewson/.ssh/id_dsa (0x8090520)
debug1: Authentications that can continue: ,password
debug3: start over, passed a different list ,password
debug3: preferred publickey,keyboard-interactive,password
debug1: No more authentication methods to try.
Permission denied (,password).

Note there's no prompt for a password.  The problem is that the appliance is sending a leading comma in the list of authentication method names in the userauth response, and ssh isn't recognising the "password" method.

RFC 4252 "SSH Authentication Protocol" talks of a "comma-separated name-list" and doesn't seem to rule out there being a leading comma.  RFC 4251 "SSH Protocol Architecture" formally defines a name-list and says it contains "a comma-separated list of zero or more names"; again, this doesn't seem to rule out a leading comma.  Going by the principle of "be liberal in what you accept", I believe ssh should handle this case.  Indeed, putty (a fairly old version, 0.57) handles it, and it's possible to log on to the appliance.

I attach a suggested patch.
Comment 1 Damien Miller 2007-09-12 21:03:03 AEST 
What is the endpoint that is exhibiting this behaviour?
Comment 2 Darren Tucker 2007-09-12 21:14:19 AEST 
BTW zero-length name entries a name-list are expressly prohibited by RFC4251:

      A string containing a comma-separated list of names.  A name-list
      is represented as a uint32 containing its length (number of bytes
      that follow) followed by a comma-separated list of zero or more
      names.  A name MUST have a non-zero length, and it MUST NOT
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      contain a comma (",").  As this is a list of names, all of the
      elements contained are names and MUST be in US-ASCII.
Comment 3 Graeme Hewson 2007-09-12 21:17:18 AEST 
It's a Netscreen firewall.  It only exhibits this behaviour when we try to log in to the admin account, and we intend to change the config to allow publickey,password authentication.
Comment 4 Graeme Hewson 2007-09-12 21:21:29 AEST 
I still maintain it's possible to interpret ",password" as one name, not as two with one having zero length.
Comment 5 Darren Tucker 2007-09-12 21:28:36 AEST 
(In reply to comment #4)
> I still maintain it's possible to interpret ",password" as one name,
> not as two with one having zero length.

The comma is a separator.  What's it separating?
Comment 6 Damien Miller 2007-09-12 21:45:05 AEST 
(In reply to comment #4)
> I still maintain it's possible to interpret ",password" as one name,
> not as two with one having zero length.

      A string containing a comma-separated list of names.  A name-list
      is represented as a uint32 containing its length (number of bytes
      that follow) followed by a comma-separated list of zero or more
      names.  A name MUST have a non-zero length, and it MUST NOT
                                                  ^^^^^^^^^^^^^^^
      contain a comma (",").  As this is a list of names, all of the
      ^^^^^^^^^^^^^^^^^^^^^^
      elements contained are names and MUST be in US-ASCII.
Comment 7 Damien Miller 2008-04-04 10:00:47 AEDT 
Close resolved bugs after release.