-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh: Receiving SSH_MSG_USERAUTH_BANNER causes a protocol error #9065
Comments
In order to make this easier to test one could add an undocumented feature to the server role to allow that a banner can be sent in the situations of the reproduction. Maybe in the future could be helpful for somebody and if so we could document it. |
we planned looking on that password expiry scenario. have you used some other ssh server implementation for verifying this? which implementations are sending this banner and are on your list? asking so that we can use it as a reference during development and testing. |
I don't know the technologies behind it, but we have reports of this from devices from Huawei and Affirmed. We have the openssh log from those devices and it's something like this:
I confirmed with the openssh client that the patched Erlang server works good. So the hacked erlang server is doing something reasonable. I've seen that As I mentioned before, I think the easiest way of having tests for this is to have the erlang server sending userauth banners. It could be a callback called auth_successful_banner. I understand that you'd like to validate this with other implementations but unfortunately I haven't found any so I can't help with that. I can help with the implementation of the fix and the testing, as long as we agree on what we want/need. |
? can or can't ? :-) |
"can" of course :D. I will edit the original message to make it easier for future readers. |
Yes we would like to be more conservative and check explicitly for state name (I guess it is only keyboard-interactive missing). Also including Can you capture For testing, I'm not yet sure if it is worth having undocumented option just for that. Let us pause this for a while. |
That’s how I ended up implementing internally. I’ll open the PR shortly. I don’t have access to any of thoses devices unfortunately so I can’t provide you any more than the openssh debug output. With regards to the option to send a banner I have realised we have an internal patch to be able to send a banner at the start of the authentication (just like openssh can do). I am happy to contribute that feature and augment it with the banner at the end of the authentication. It’s perhaps better if I just open a draft PR with it so you can have a look if it’s interesting, it’s quite simple. I will explore that alternative that you suggested for testing of the PR I am opening to solve this issue. |
SSH servers can send userauth banners at any time during authentication and the erlang SSH client only accepted userauth banners in some limited circumstances. Closes erlang#9065
Yes. If you have code at hand, it would be great to have a look and decide then. Typically we're interested with aligning functionality with OpenSSH.
|
SSH servers can send userauth banners at any time during authentication and the erlang SSH client only accepted userauth banners in some limited circumstances. Closes erlang#9065
@u3s I have opened #9149 that adds enables the server to send a SSH_MSG_USERAUTH_BANNER at the beginning of the authentication. I realised our implementation was not 100% correct so I add to re-implement the feature. If you want I am happy to extend it with the possibility of sending the SSH_MSG_USERAUTH_BANNER at the end of the authentication. I would use 2 separate functions for it, |
I will now look at |
Describe the bug
RFC4252 (https://www.ietf.org/rfc/rfc4252.txt) states that:
"The SSH server may send an SSH_MSG_USERAUTH_BANNER message at any
time after this authentication protocol starts and before
authentication is successful."
While the most common use case, and the only one that openssh daemon uses, is to send the banner as a response to the first userauth message we manage to find some implementations that use this phrasing of the RFC to send a banner just before the authentication terminates in order to notify the user that the password is about to expiry.
OpenSSH accepts this without a problem but the erlang ssh client implementation doesn't handle this and we end up in the catch all clause of the ssh_connection_handler which will terminate the connection with protocol error.
To Reproduce
In order to reproduce this one can change the erlang server implementation by applying the following patch:
Then if you force the erlang client and server to user keyboard-interactive as authentication method you'll see the protocol error.
Expected behavior
I believe it's not harmful for the client to just process any banner during userauth so something like this could make sense:
If you want to be more conservative one can just process the banner in a slimmer set of states.
Affected versions
At least from OTP 22 until OTP 27, probably earlier
The text was updated successfully, but these errors were encountered: