[ https://issues.apache.org/jira/browse/SSHD-611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oliver Stöneberg updated SSHD-611:
----------------------------------
    Attachment: putty_core_keyboard-interactive_rejection.log

I added the putty log for one of the servers. It seems if I encountered a 
failure it just moves on to the next authentication method.

I checked RFC 4252 section 5.1 and it says

   The client MAY send several authentication requests without waiting
   for responses from previous requests.  The server MUST process each
   request completely and acknowledge any failed requests with a
   SSH_MSG_USERAUTH_FAILURE message before processing the next request.

So it seems fine to just move on if you get SSH_MSG_USERAUTH_FAILURE. Checking 
RFC 4256 section 3.1 I don't see any mention that it has to send a subsequent 
info request after failure. It's either one or the other judging from

   The server MUST reply with an SSH_MSG_USERAUTH_SUCCESS,
   SSH_MSG_USERAUTH_FAILURE, or SSH_MSG_USERAUTH_INFO_REQUEST message.

An info would only happen if it actually wants to do keyboard-interactive in 
that case.

> Servers rejecting keyboard-interactive authentication not handled
> -----------------------------------------------------------------
>
>                 Key: SSHD-611
>                 URL: https://issues.apache.org/jira/browse/SSHD-611
>             Project: MINA SSHD
>          Issue Type: Bug
>            Reporter: Oliver Stöneberg
>         Attachments: putty_core_keyboard-interactive_rejection.log, sshd-core_keyboard-interactive_rejection.txt
>
>
> I am trying to communicate with a server that advertises keyboard-interactive 
> authentication but it fails with "Too many authentication failures". When the 
> client sends the request it gets a failure and requests it again and again 
> until it hits the maximum retries value. It also never reaches the 
> UserInteraction object that was assigned to the client. It seems when the 
> request fails it should move on to the next authentication method.
> Here's the output of sshd-core:
> DEBUG [sshd-SshClient[48c40605]-nio2-thread-1] (ClientUserAuthService.java:234) tryNext(ClientSessionImpl[root@/10.48.43.215:22]) attempting method=keyboard-interactive
> DEBUG [sshd-SshClient[48c40605]-nio2-thread-1] (UserAuthKeyboardInteractive.java:110) process(root@ClientSessionImpl[root@/10.48.43.215:22])[ssh-connection] Send SSH_MSG_USERAUTH_REQUEST for keyboard-interactive
> TRACE [sshd-SshClient[48c40605]-nio2-thread-1] (AbstractSession.java:862) encode(ClientSessionImpl[root@/10.48.43.215:22]) Sending packet #5: 32 00 00 00 04 72 6f 6f 74 00 00 00 0e 73 73 68 2d 63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 14 6b 65 79 62 6f 61 72 64 2d 69 6e 74 65 72 61 63 74 69 76 65 00 00 00 00 00 00 00 00
> DEBUG [sshd-SshClient[48c40605]-nio2-thread-1] (Nio2Session.java:114) Writing 100 bytes
> DEBUG [sshd-SshClient[48c40605]-nio2-thread-4] (Nio2Session.java:274) Finished writing
> DEBUG [sshd-SshClient[48c40605]-nio2-thread-5] (Nio2Session.java:223) Read 84 bytes
> TRACE [sshd-SshClient[48c40605]-nio2-thread-5] (AbstractSession.java:1003) decode(ClientSessionImpl[root@/10.48.43.215:22]) Received packet #6: 33 00 00 00 27 70 75 62 6c 69 63 6b 65 79 2c 70 61 73 73 77 6f 72 64 2c 6b 65 79 62 6f 61 72 64 2d 69 6e 74 65 72 61 63 74 69 76 65 00
> TRACE [sshd-SshClient[48c40605]-nio2-thread-5] (AbstractSession.java:415) doHandleMessage(ClientSessionImpl[root@/10.48.43.215:22]) process SSH_MSG_USERAUTH_FAILURE
> DEBUG [sshd-SshClient[48c40605]-nio2-thread-5] (ClientUserAuthService.java:181) processUserAuth(ClientSessionImpl[root@/10.48.43.215:22]) Received SSH_MSG_USERAUTH_FAILURE - partial=false, methods=publickey,password,keyboard-interactive
> Here's the putty output:
> Outgoing packet #0x4, type 5 / 0x05 (SSH2_MSG_SERVICE_REQUEST)
>   00000000  00 00 00 0c 73 73 68 2d 75 73 65 72 61 75 74 68  ....ssh-userauth
> Incoming packet #0x4, type 6 / 0x06 (SSH2_MSG_SERVICE_ACCEPT)
>   00000000  00 00 00 0c 73 73 68 2d 75 73 65 72 61 75 74 68  ....ssh-userauth
> Outgoing packet #0x5, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
>   00000000  00 00 00 04 72 6f 6f 74 00 00 00 0e 73 73 68 2d  ....root....ssh-
>   00000010  63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 04 6e 6f  connection....no
>   00000020  6e 65                                            ne
> Incoming packet #0x5, type 51 / 0x33 (SSH2_MSG_USERAUTH_FAILURE)
>   00000000  00 00 00 27 70 75 62 6c 69 63 6b 65 79 2c 70 61  ...'publickey,pa
>   00000010  73 73 77 6f 72 64 2c 6b 65 79 62 6f 61 72 64 2d  ssword,keyboard-
>   00000020  69 6e 74 65 72 61 63 74 69 76 65 00              interactive.
> Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
>   00000000  00 00 00 04 72 6f 6f 74 00 00 00 0e 73 73 68 2d  ....root....ssh-
>   00000010  63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 14 6b 65  connection....ke
>   00000020  79 62 6f 61 72 64 2d 69 6e 74 65 72 61 63 74 69  yboard-interacti
>   00000030  76 65 00 00 00 00 00 00 00 00                    ve........
> Event Log: Attempting keyboard-interactive authentication
> Incoming packet #0x6, type 51 / 0x33 (SSH2_MSG_USERAUTH_FAILURE)
>   00000000  00 00 00 27 70 75 62 6c 69 63 6b 65 79 2c 70 61  ...'publickey,pa
>   00000010  73 73 77 6f 72 64 2c 6b 65 79 62 6f 61 72 64 2d  ssword,keyboard-
>   00000020  69 6e 74 65 72 61 63 74 69 76 65 00              interactive.
> Event Log: Server refused keyboard-interactive authentication
> Outgoing packet #0x7, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
>   00000000  00 00 00 04 72 6f 6f 74 00 00 00 0e 73 73 68 2d  ....root....ssh-
>   00000010  63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 08 70 61  connection....pa
>   00000020  73 73 77 6f 72 64 00 XX XX XX XX XX XX XX XX XX  ssword.XXXXXXXXX
>   00000030  XX XX XX                                         XXX
> Outgoing packet #0x8, type 2 / 0x02 (SSH2_MSG_IGNORE)
> Event Log: Sent password
> Incoming packet #0x7, type 52 / 0x34 (SSH2_MSG_USERAUTH_SUCCESS)
> Event Log: Access granted
> I am using 28faad4 of master.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
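
An added example, not MINA SSHD or PuTTY code: it decodes the SSH_MSG_USERAUTH_FAILURE bytes from the sshd-core trace above and models a client loop that either resends a refused method until the attempt limit or moves on to the next one, as the comment argues RFC 4252 permits. The `server` stub, the `authenticate` function and the limit of 6 attempts are assumptions made for illustration.

```python
import struct

# Packet #6 copied from the sshd-core TRACE line in the report.
FAILURE = bytes.fromhex(
    "33 00 00 00 27 70 75 62 6c 69 63 6b 65 79 2c 70 61 73 73 77 6f 72 64 2c"
    " 6b 65 79 62 6f 61 72 64 2d 69 6e 74 65 72 61 63 74 69 76 65 00")

def read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (text, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n

def parse_failure(pkt):
    """SSH_MSG_USERAUTH_FAILURE (51): return (methods that can continue, partial)."""
    if pkt[0] != 51:
        raise ValueError("not SSH_MSG_USERAUTH_FAILURE")
    names, off = read_string(pkt, 1)
    if off >= len(pkt):
        raise ValueError("missing partial-success flag")
    return (names.split(",") if names else []), pkt[off] != 0

def server(method):
    """Constructed stub: accepts only 'password', otherwise replays FAILURE."""
    return None if method == "password" else FAILURE

def authenticate(preferred, max_attempts=6, skip_failed=True):
    """Model of a client auth loop; returns (methods tried, outcome)."""
    tried, failed, allowed = [], set(), list(preferred)
    while len(tried) < max_attempts:
        usable = [m for m in preferred
                  if m in allowed and not (skip_failed and m in failed)]
        if not usable:
            return tried, "no more methods"
        tried.append(usable[0])
        reply = server(usable[0])
        if reply is None:          # stands in for SSH_MSG_USERAUTH_SUCCESS
            return tried, "success"
        allowed, _partial = parse_failure(reply)
        failed.add(usable[0])      # refused: do not send this method again
    return tried, "too many authentication failures"
```

With `skip_failed=False` the loop reproduces the reported behaviour (the same request repeated until the limit); with the default it follows the PuTTY sequence of keyboard-interactive, then password.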
