You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2014/10/16 10:30:34 UTC
[jira] [Updated] (SSHD-254) Public key authentication triggers
'Authenticated with partial success.' message on client
[ https://issues.apache.org/jira/browse/SSHD-254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guillaume Nodet updated SSHD-254:
---------------------------------
Fix Version/s: 0.9.1
> Public key authentication triggers 'Authenticated with partial success.' message on client
> ------------------------------------------------------------------------------------------
>
> Key: SSHD-254
> URL: https://issues.apache.org/jira/browse/SSHD-254
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 0.9.0
> Reporter: Michael Heemskerk
> Assignee: Guillaume Nodet
> Priority: Minor
> Fix For: 0.10.0, 0.9.1
>
>
> When I use public key authentication against 0.9.0, I always get a 'Authenticated with partial success.' message in my console. Authentication succeeds in the end, but it looks funny.
> Here's a debug trace:
> ~/tmp ᐅ ssh -vv -p 7999 localhost whoami
> OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
> debug1: Reading configuration data /etc/ssh_config
> debug1: /etc/ssh_config line 20: Applying options for *
> debug1: /etc/ssh_config line 53: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to localhost [::1] port 7999.
> debug1: Connection established.
> debug1: identity file /Users/michael/.ssh/id_rsa type 1
> debug1: identity file /Users/michael/.ssh/id_rsa-cert type -1
> debug1: identity file /Users/michael/.ssh/id_dsa type -1
> debug1: identity file /Users/michael/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version SSHD-CORE-0.10.0-SNAPSHOT
> debug1: no match: SSHD-CORE-0.10.0-SNAPSHOT
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.9
> debug2: fd 5 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa
> debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug2: dh_gen_key: priv key bits set: 127/256
> debug2: bits set: 1040/2048
> debug1: sending SSH2_MSG_KEXDH_INIT
> debug1: expecting SSH2_MSG_KEXDH_REPLY
> debug1: Server host key: RSA d4:87:fd:a6:6c:a3:3d:fc:e9:84:b8:2c:3d:e7:f8:1f
> debug1: Host '[localhost]:7999' is known and matches the RSA host key.
> debug1: Found key in /Users/michael/.ssh/known_hosts:16
> debug2: bits set: 1019/2048
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /Users/michael/.ssh/id_rsa (0x7f86b1c1d2f0)
> debug2: key: /Users/michael/.ssh/id_dsa (0x0)
> Authenticated with partial success.
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /Users/michael/.ssh/id_rsa
> debug2: we sent a publickey packet, wait for reply
> debug1: Server accepts key: pkalg ssh-rsa blen 277
> debug2: input_userauth_pk_ok: fp 76:18:ae:a5:c5:64:3f:c0:da:68:e1:c6:0d:3b:ce:19
> debug1: Authentication succeeded (publickey).
> Authenticated to localhost ([::1]:7999).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> debug1: Entering interactive session.
> debug2: callback start
> debug2: client_session2_setup: id 0
> debug2: fd 5 setting TCP_NODELAY
> debug1: Sending environment.
> debug1: Sending env LANG = en_AU.UTF-8
> debug2: channel 0: request env confirm 0
> debug1: Sending env LC_CTYPE = en_AU.UTF-8
> debug2: channel 0: request env confirm 0
> debug1: Sending command: whoami
> debug2: channel 0: request exec confirm 1
> debug2: callback done
> debug2: channel 0: open confirm rwindow 2097152 rmax 32768
> debug2: channel_input_status_confirm: type 99 id 0
> debug2: exec request accepted on channel 0
> admin
> debug2: channel 0: rcvd eof
> debug2: channel 0: output open -> drain
> debug2: channel 0: obuf empty
> debug2: channel 0: close_write
> debug2: channel 0: output drain -> closed
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug2: channel 0: rcvd close
> debug2: channel 0: close_read
> debug2: channel 0: input open -> closed
> debug2: channel 0: almost dead
> debug2: channel 0: gc: notify user
> debug2: channel 0: gc: user detached
> debug2: channel 0: send close
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: client-session, nchannels 1
> Transferred: sent 2648, received 1928 bytes, in 0.0 seconds
> Bytes per second: sent 364829.9, received 265631.4
> debug1: Exit status 0
> After a bit of debugging and reading up on the SSH Authentication Protocol, I think I've found the problem. When the initial SSH_MSG_USERAUTH_REQUEST comes in for method "none", ServerSession.userAuth correctly fails the authentication. But it sends back a SSH_MSG_USERAUTH_FAILURE packet with 'partial success' set to true.
> I think this should be false (it was in the previous version we were using - 0.7). The code in question is here: https://github.com/apache/mina-sshd/blob/46ea09302ec1556b95474ae36337369e9c973c36/sshd-core/src/main/java/org/apache/sshd/server/session/ServerSession.java#L541
> That 1 should be a 0
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)