tomaswolf commented on issue #283: URL: https://github.com/apache/mina-sshd/issues/283#issuecomment-1344729301
@gnodet: do you remember what the original intent of this property `CoreModuleProperties.PASSWORD_PROMPTS` was? When I follow the git history, I end up at commit 65e03207 and [SSHD-302](https://issues.apache.org/jira/browse/SSHD-302), both from 2014. They don't give any context or motivation.

Currently it appears to be a global count of SSH_MSG_USERAUTH_INFO_REQUEST received from the server, and thus a guard against [RFC 4256, section 3.2](https://www.rfc-editor.org/rfc/rfc4256): "The server may send as many requests as are necessary to authenticate the client;..." (a malicious or broken server might just keep sending them). However, the implementation also uses it to limit the number of times an SSH_MSG_USERAUTH_REQUEST message is sent. This has an off-by-one error, and it only makes sense if the server sends only one SSH_MSG_USERAUTH_INFO_REQUEST with prompts per request.

It does _not_ appear to be an implementation of the ssh config NumberOfPasswordPrompts, as both the reporter and I obviously had thought. (Despite the name, OpenSSH uses NumberOfPasswordPrompts to limit the number of password or keyboard-interactive _attempts_, i.e., the sending of SSH_MSG_USERAUTH_REQUEST messages.) Apache MINA SSHD doesn't seem to have anything for that. `UserAuthPassword` also doesn't use `CoreModuleProperties.PASSWORD_PROMPTS` at all.

So what was the intention here? If we want to guard against a malicious server in keyboard-interactive auth, then `CoreModuleProperties.PASSWORD_PROMPTS` should keep counting and limiting the handling of SSH_MSG_USERAUTH_INFO_REQUEST. But then there should be a separate `CoreModuleProperties.PASSWORD_ATTEMPTS` to limit the number of attempts (sending of SSH_MSG_USERAUTH_REQUEST for both password and keyboard-interactive, counted separately). The latter would then indeed correspond to the OpenSSH NumberOfPasswordPrompts ssh config.
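The distinction the comment draws, a cap on SSH_MSG_USERAUTH_INFO_REQUEST messages accepted from the server versus a cap on SSH_MSG_USERAUTH_REQUEST attempts the client sends, modelled as a small client-side state machine. This is an added example, not Apache MINA SSHD code: the limit names `max_prompts` and `max_attempts` mirror the `PASSWORD_PROMPTS` / proposed `PASSWORD_ATTEMPTS` properties only by analogy, the server transcripts are constructed, and the counting semantics (global prompt count per session, attempt budget checked before each USERAUTH_REQUEST goes out) are assumptions chosen to illustrate why the two guards trip in different situations.

```python
"""Model of two independent keyboard-interactive limits (example, not MINA SSHD code)."""
from dataclasses import dataclass, field
from enum import Enum


class Msg(Enum):
    """SSH userauth message numbers from RFC 4252 / RFC 4256."""
    USERAUTH_REQUEST = 50
    USERAUTH_FAILURE = 51
    USERAUTH_SUCCESS = 52
    USERAUTH_INFO_REQUEST = 60
    USERAUTH_INFO_RESPONSE = 61


class AuthAborted(Exception):
    """The client gave up because one of its limits was exceeded."""


@dataclass
class KeyboardInteractiveClient:
    # Hypothetical limits modelled on the properties discussed in the comment.
    max_prompts: int = 10   # like PASSWORD_PROMPTS: INFO_REQUESTs accepted per session
    max_attempts: int = 3   # like a PASSWORD_ATTEMPTS: USERAUTH_REQUESTs sent
    prompts_seen: int = 0
    attempts: int = 0
    sent: list = field(default_factory=list)

    def start_attempt(self) -> None:
        """Send SSH_MSG_USERAUTH_REQUEST unless the attempt budget is used up.

        Checking before sending means exactly max_attempts requests can go out,
        which is the boundary an off-by-one in this check would get wrong.
        """
        if self.attempts >= self.max_attempts:
            raise AuthAborted(f"attempt limit {self.max_attempts} reached")
        self.attempts += 1
        self.sent.append(Msg.USERAUTH_REQUEST)

    def handle(self, msg: Msg) -> str:
        """Process one server message; returns 'continue' or 'authenticated'."""
        if msg is Msg.USERAUTH_INFO_REQUEST:
            # RFC 4256 3.2 lets the server send any number of these; bound them.
            self.prompts_seen += 1
            if self.prompts_seen > self.max_prompts:
                raise AuthAborted(f"prompt limit {self.max_prompts} exceeded")
            self.sent.append(Msg.USERAUTH_INFO_RESPONSE)
            return "continue"
        if msg is Msg.USERAUTH_FAILURE:
            self.start_attempt()  # retry with a fresh USERAUTH_REQUEST, or give up
            return "continue"
        if msg is Msg.USERAUTH_SUCCESS:
            return "authenticated"
        raise ValueError(f"unexpected message {msg}")


def run(client: KeyboardInteractiveClient, server_messages):
    """Drive the client through a constructed server transcript.

    Returns (outcome, prompts_seen, attempts); outcome is 'authenticated',
    'incomplete', or the reason the client aborted.
    """
    client.start_attempt()
    try:
        for msg in server_messages:
            if client.handle(msg) == "authenticated":
                return ("authenticated", client.prompts_seen, client.attempts)
    except AuthAborted as e:
        return (str(e), client.prompts_seen, client.attempts)
    return ("incomplete", client.prompts_seen, client.attempts)


# Constructed server -> client transcripts, not captured traffic.
IR, F, S = Msg.USERAUTH_INFO_REQUEST, Msg.USERAUTH_FAILURE, Msg.USERAUTH_SUCCESS


def honest_server():
    """Two wrong answers then success, one prompt per attempt."""
    return run(KeyboardInteractiveClient(), [IR, F, IR, F, IR, S])


def two_prompts_per_attempt():
    """Password plus one-time code on every attempt; within both limits."""
    return run(KeyboardInteractiveClient(), [IR, IR, F, IR, IR, S])


def endless_prompts():
    """Server never fails or succeeds, just keeps asking: prompt guard trips."""
    return run(KeyboardInteractiveClient(), [IR] * 50)


def endless_failures():
    """Server rejects every answer: attempt guard trips, prompt guard does not."""
    return run(KeyboardInteractiveClient(), [IR, F] * 50)
```

With a single shared counter, the `two_prompts_per_attempt` case would be indistinguishable from extra attempts, which is the situation the comment describes as only working when the server sends one info request per attempt; keeping the two counters apart lets the prompt cap defend against a server that never stops asking while the attempt cap plays the role of OpenSSH's NumberOfPasswordPrompts.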
