You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Thomas Wolf (JIRA)" <ji...@apache.org> on 2018/11/16 13:14:00 UTC
[jira] [Created] (SSHD-866) Keyboard-interactive protocol
implementation aborts too early
Thomas Wolf created SSHD-866:
--------------------------------
Summary: Keyboard-interactive protocol implementation aborts too early
Key: SSHD-866
URL: https://issues.apache.org/jira/browse/SSHD-866
Project: MINA SSHD
Issue Type: Bug
Affects Versions: 2.0.0
Reporter: Thomas Wolf
Keyboard-interactive authentication counts _all_ SSH_MSG_USERAUTH_INFO_REQUESTs against the {{maxTrials}} limit. However, the protocol as specified in [RFC 4256|https://tools.ietf.org/html/rfc4256] allows for info requests without prompts, to which the client must also respond. Such requests should not count towards the {{maxTrials}} limit.
This is a real-world problem. For instance the sshd server on my Mac replies which such a zero-prompt info request before it sends the SSH_MSG_USERAUTH_SUCCESS. So with the default {{maxTries == 3}}, a login attempt via an sshd using {{UserAuthKeyboardInteractive}} fails if I mis-type the password twice and provide the correct password on the third try because then the zero-prompt info request will be the _fourth_ info request and {{UserAuthKeyboardInteractive}} therefore aborts.
Here's a log snippet from a normal login _not_ via sshd, which succeeds:
$ ssh -vvv myself@localhost
...
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: _<attempt *1*: wrong password entered>_
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: _<attempt *2*: wrong password entered>_
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: _<attempt *3*: correct password entered>_
debug3: send packet: type 61
debug3: {color:#ff0000}receive packet: type 60{color}
debug2: {color:#ff0000}input_userauth_info_req{color}
debug2: {color:#ff0000}input_userauth_info_req: _num_prompts 0_{color}
debug3: {color:#ff0000}send packet: type 61{color}
debug3: receive packet: type 52
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to localhost ([::1]:22).
...
If I do the same with an sshd client, authentication fails because of the {color:#ff0000}red{color} _fourth_ info request. RFC 4256 contains an example showing such an additional zero-prompt info request, though not for a normal authentication but for a password change. But it appears that it can also occur on normal authentications.
So I think only info requests with {{num_prompts > 0}} should count towards {{maxTrials}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)