On 10/09/25 01:02, Damien Miller wrote:
On Wed, 10 Sep 2025, Damien Miller wrote:
On Tue, 9 Sep 2025, Nicola Murino wrote:
Hello,
some users of the Go x/crypto/ssh library have recently reported that,
unlike OpenSSH, the Go implementation does not handle multiple
SSH_MSG_SERVICE_REQUEST messages.
More details can be found here:
https://github.com/golang/go/issues/75268
According to RFC 4253, Section 10, an SSH_MSG_SERVICE_REQUEST is
expected after the key exchange, after which the flow described in RFC
4252 should be followed.
The Go library strictly follows this sequence, which is causing
compatibility issues with the Paramiko Python library when configured to
reuse the same connection.
IMO OpenSSH is wrong here - it shouldn't allow multiple SERVICE_REQUEST
Paramiko is wrong for sending them. It should send a single
SERVICE_REQUEST followed by as many USERAUTH_REQUEST as necessary.
IMO the relevant RFC text that indicates that there should only be a
single SERVICE_REQUEST for ssh-userauth is in RFC4251 section 1:
thank you! I really appreciate the quick reply and for pointing out the
relevant specs,
Nicola
The client sends a service request once a secure transport layer
connection has been established. A second service request is sent
after user authentication is complete. This allows new protocols to
be defined and coexist with the protocols listed above.
If a second SERVICE_REQUEST is sent after authentication then this
precludes multiple SERVICE_REQUESTS being sent during authentication.
-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
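
Added example, not part of the original thread and not code from x/crypto/ssh, OpenSSH or Paramiko: a minimal Go checker for the strict ordering discussed above (one SERVICE_REQUEST for ssh-userauth, then any number of USERAUTH_REQUEST). The clientMsg type, the checkAuthSequence helper and the trace are constructed for illustration; only the message numbers come from RFC 4253 and RFC 4252.

```go
package main

import (
	"errors"
	"fmt"
)

// Message numbers assigned in RFC 4253 and RFC 4252.
const (
	msgServiceRequest  = 5
	msgUserauthRequest = 50
)

// clientMsg is a simplified, constructed view of one client packet.
type clientMsg struct {
	Type    byte
	Service string // only meaningful for SERVICE_REQUEST
}

var errSequence = errors.New("ssh: message out of sequence")

// checkAuthSequence (hypothetical helper) scans client messages sent between
// key exchange and the end of authentication. It returns the index of the
// first message that breaks the strict ordering, or -1 if none does.
func checkAuthSequence(msgs []clientMsg) (int, error) {
	requested := false
	for i, m := range msgs {
		switch {
		case !requested:
			if m.Type != msgServiceRequest || m.Service != "ssh-userauth" {
				return i, fmt.Errorf("%w: expected SERVICE_REQUEST ssh-userauth", errSequence)
			}
			requested = true
		case m.Type == msgServiceRequest:
			return i, fmt.Errorf("%w: repeated SERVICE_REQUEST", errSequence)
		case m.Type != msgUserauthRequest:
			return i, fmt.Errorf("%w: type %d during authentication", errSequence, m.Type)
		}
	}
	return -1, nil
}

func main() {
	// Constructed trace: the service is requested again before the second attempt.
	trace := []clientMsg{{msgServiceRequest, "ssh-userauth"}, {Type: msgUserauthRequest},
		{msgServiceRequest, "ssh-userauth"}, {Type: msgUserauthRequest}}
	idx, err := checkAuthSequence(trace)
	fmt.Println(idx, err)
}
```

The checker covers only the authentication phase; it does not model server replies or any message sent after authentication completes.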