It's not possible to connect to a certain proprietary appliance using OpenSSH. Here's an extract from a debug log:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ghewson/.ssh/identity ((nil))
debug2: key: /home/ghewson/.ssh/id_rsa ((nil))
debug2: key: /home/ghewson/.ssh/id_dsa (0x8090520)
debug1: Authentications that can continue: ,password
debug3: start over, passed a different list ,password
debug3: preferred publickey,keyboard-interactive,password
debug1: No more authentication methods to try.
Permission denied (,password).

Note there's no prompt for a password. The problem is that the appliance is sending a leading comma in the list of authentication method names in the userauth response, and ssh isn't recognising the "password" method.

RFC 4252 "SSH Authentication Protocol" talks of a "comma-separated name-list" and doesn't seem to rule out there being a leading comma. RFC 4251 "SSH Protocol Architecture" formally defines a name-list and says it contains "a comma-separated list of zero or more names"; again, this doesn't seem to rule out a leading comma.

Going by the principle of "be liberal in what you accept", I believe ssh should handle this case. Indeed, putty (a fairly old version, 0.57) handles it, and it's possible to log on to the appliance.

I attach a suggested patch.
What is the endpoint that is exhibiting this behaviour?
BTW zero-length name entries in a name-list are expressly prohibited by RFC4251:

    A string containing a comma-separated list of names. A name-list
    is represented as a uint32 containing its length (number of bytes
    that follow) followed by a comma-separated list of zero or more
    names. A name MUST have a non-zero length, and it MUST NOT
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    contain a comma (","). As this is a list of names, all of the
    elements contained are names and MUST be in US-ASCII.
It's a Netscreen firewall. It only exhibits this behaviour when we try to log in to the admin account, and we intend to change the config to allow publickey,password authentication.
I still maintain it's possible to interpret ",password" as one name, not as two with one having zero length.
(In reply to comment #4)
> I still maintain it's possible to interpret ",password" as one name,
> not as two with one having zero length.

The comma is a separator. What's it separating?
(In reply to comment #4)
> I still maintain it's possible to interpret ",password" as one name,
> not as two with one having zero length.

    A string containing a comma-separated list of names. A name-list
    is represented as a uint32 containing its length (number of bytes
    that follow) followed by a comma-separated list of zero or more
    names. A name MUST have a non-zero length, and it MUST NOT
                                               ^^^^^^^^^^^^^^^
    contain a comma (","). As this is a list of names, all of the
    ^^^^^^^^^^^^^^^^^^^^^^
    elements contained are names and MUST be in US-ASCII.
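Strict name-list handling in the sense of the RFC 4251 text quoted above, as an added example in C that is neither OpenSSH's code nor the patch attached to this report; the function names are mine. It rejects any empty element, so the appliance's ",password" is reported as malformed rather than silently failing to match "password" as the debug log shows.

```c
#include <stdio.h>
#include <string.h>

/* One name per RFC 4251: non-zero length and US-ASCII only. */
static int valid_name(const char *s, size_t n)
{
    size_t i;
    if (n == 0)
        return 0;
    for (i = 0; i < n; i++)
        if ((unsigned char)s[i] > 0x7f)
            return 0;
    return 1;
}

/* Walk a comma-separated name-list (e.g. from SSH_MSG_USERAUTH_FAILURE).
 * Returns 1 if well-formed and `want` is present, 0 if well-formed but
 * absent, -1 if any element is empty (leading, trailing or doubled
 * comma) or non-ASCII, so a malformed list is never read as "no methods". */
int namelist_contains(const char *list, const char *want)
{
    const char *p = list;
    int found = 0;

    if (*p == '\0')             /* zero names: a legal, empty list */
        return 0;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t n = comma ? (size_t)(comma - p) : strlen(p);
        if (!valid_name(p, n))
            return -1;
        if (n == strlen(want) && memcmp(p, want, n) == 0)
            found = 1;
        if (comma == NULL)
            return found;
        p = comma + 1;
    }
}

int main(void)
{
    /* Constructed inputs: the appliance's list from the report, a
     * conforming list and an empty list. */
    const char *lists[] = { ",password", "publickey,password", "" };
    size_t i;

    for (i = 0; i < sizeof lists / sizeof lists[0]; i++)
        printf("\"%s\" -> %d\n", lists[i], namelist_contains(lists[i], "password"));
    return 0;
}
```

A client that distinguishes -1 from 0 can log the malformed list instead of reporting "No more authentication methods to try", which makes appliance bugs like this one visible at once.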
Close resolved bugs after release.