On Wed, 10 Sep 2025, Damien Miller wrote: > On Tue, 9 Sep 2025, Nicola Murino wrote: > > > Hello, > > > > some users of the Go x/crypto/ssh library have recently reported that, > > unlike OpenSSH, the Go implementation does not handle multiple > > SSH_MSG_SERVICE_REQUEST messages. > > > > More details can be found here: > > > > https://github.com/golang/go/issues/75268 > > > > According to RFC 4253, Section 10, an SSH_MSG_SERVICE_REQUEST is > > expected after the key exchange, after which the flow described in RFC > > 4252 should be followed. > > The Go library strictly follows this sequence, which is causing > > compatibility issues with the Paramiko Python library when configured to > > reuse the same connection. > > IMO OpenSSH is wrong here - it shouldn't allow multiple SERVICE_REQUEST > Paramiko is wrong for sending them. It should send a single > SERVICE_REQUEST followed by as many USERAUTH_REQUEST as necessary. IMO the relevant RFC text that indicates that there should only be a single SERVICE_REQUEST for ssh-userauth is in RFC4251 section 1: > The client sends a service request once a secure transport layer > connection has been established. A second service request is sent > after user authentication is complete. This allows new protocols to > be defined and coexist with the protocols listed above. If a second SERVICE_REQUEST is sent after authentication then this precludes multiple SERVICE_REQUESTS being sent during authentication. -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
