
proposal: x/crypto/ssh: expose missing none authmethod #62657

Open · tg123 opened this issue Sep 15, 2023 · 12 comments
Labels: Proposal, Proposal-Crypto (Proposal related to crypto packages or other security issues)
Milestone: Proposal

Comments
tg123 commented Sep 15, 2023

There is no API to generate the none AuthMethod; expose none in the public API.

@tg123 tg123 added the Proposal label Sep 15, 2023
@gopherbot gopherbot added this to the Proposal milestone Sep 15, 2023
@seankhliao seankhliao changed the title proposal: x/crypto/ssh expose missing none authmethod proposal: x/crypto/ssh: expose missing none authmethod Sep 15, 2023
@seankhliao seankhliao added the Proposal-Crypto Proposal related to crypto packages or other security issues label Sep 15, 2023
ianlancetaylor (Member) commented:

In https://go.dev/cl/528637 the suggested API is

// None returns an AuthMethod using "none" authentication defined in RFC 4252 section 5.2.
func None() AuthMethod {
	return new(noneAuth)
}

@ianlancetaylor ianlancetaylor moved this to Incoming in Proposals Sep 15, 2023
tg123 (Author) commented Sep 15, 2023

golang/crypto#272

hanwen (Contributor) commented Sep 21, 2023

Can you explain why you want to expose the None authmethod? TestClientAuthNone shows how to use the None auth method; it doesn't need client-side configuration.

tg123 (Author) commented Sep 23, 2023

@hanwen Allow the client side to send none auth on its own, like password or key.
For example, send none after password. This is useful in special client implementations.

drakkan (Member) commented Sep 24, 2023

@tg123 thanks for this proposal, can you please provide a real use case for this? For example a server that requires sending the none auth method after the password.

The none auth method is generally used initially just to list the authentication methods that can continue and this is what we already do in our client implementation. As you can see here, none auth is implicitly added to the configured authentication methods.

ShimantaKB-Tunnel commented, in reply to drakkan:

Is there a way to control the auth to 'not' perform the none auth method, if we already know the list of auth methods the server allows? If the server disallows the none auth method and also doesn't return the auth methods it allows, the auth fails with only the none auth method attempted.

hanwen (Contributor) commented Nov 5, 2024

"Is there a way to control the auth to 'not' perform the none auth method"

what are you trying to do? Why do you need this?

ShimantaKB-Tunnel commented Nov 5, 2024

I am using the ssh module to connect and authenticate to an FTP server, using public key authentication method.
The server is disallowing the none auth method, and also doesn't return the auth methods it allows, so the auth fails with only the none auth method attempted.
The ssh.Dial call fails with this error, which shows that the public key auth was not even attempted
ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain

Here's the method in my application which performs the auth:

import (
	"github.com/pkg/sftp"
	"golang.org/x/crypto/ssh"
)

// authWithPublicKey opens an SFTP session authenticated with the given private key.
// s.zapLogger, dto.LogMessageDTO and s.testDialWithPubKeyAuth belong to the
// surrounding application and are not shown here.
func (s TestConnectionService) authWithPublicKey(username string, key string, hostname string, hostkey string, port string, request_id string) (*sftp.Client, error) {
	err := s.testDialWithPubKeyAuth(username, key, hostname, hostkey, port, request_id)
	if err != nil {
		return &sftp.Client{}, err
	}

	// Parse the expected host key (authorized_keys format) so it can be pinned below.
	hostKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(hostkey))
	if err != nil {
		s.zapLogger.Error(dto.LogMessageDTO{
			Request_id: request_id,
			Fun_name:   "authWithPublicKey",
			Class_name: "TestConnectionService",
			Err:        err,
			Message:    "Failed parsing host key",
		})
		return &sftp.Client{}, err
	}

	// Parse the PEM-encoded private key into a Signer for public key auth.
	signer, err := ssh.ParsePrivateKey([]byte(key))
	if err != nil {
		s.zapLogger.Error(dto.LogMessageDTO{
			Request_id: request_id,
			Fun_name:   "authWithPublicKey",
			Class_name: "TestConnectionService",
			Err:        err,
			Message:    "Failed to parse private key",
		})
		return &sftp.Client{}, err
	}

	// Create custom banner callback that ignores the banner
	bannerCallback := func(message string) error {
		return nil
	}

	// Open SFTP connection. Only public key auth is configured; the library sends
	// "none" first on its own and then picks from the methods the server lists.
	config := &ssh.ClientConfig{
		User: username,
		Auth: []ssh.AuthMethod{
			ssh.PublicKeys(signer),
		},
		HostKeyCallback:   ssh.FixedHostKey(hostKey), // reject any host key other than the pinned one
		HostKeyAlgorithms: []string{ssh.KeyAlgoRSA, ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512},
		BannerCallback:    bannerCallback,
	}

	conn, err := ssh.Dial("tcp", hostname+":"+port, config)
	if err != nil {
		s.zapLogger.Error(dto.LogMessageDTO{
			Request_id: request_id,
			Fun_name:   "authWithPublicKey",
			Class_name: "TestConnectionService",
			Err:        err,
			Message:    "Failed to dial",
		})
		return &sftp.Client{}, err
	}

	client, err := sftp.NewClient(conn)
	if err != nil {
		s.zapLogger.Error(dto.LogMessageDTO{
			Request_id: request_id,
			Fun_name:   "authWithPublicKey",
			Class_name: "TestConnectionService",
			Err:        err,
			Message:    "Failed to create SFTP client",
		})
		return &sftp.Client{}, err
	}

	return client, nil
}

Looking at the clientAuthenticate method in ssh.client_auth.go, the other auth methods passed in the config are not tried if there are no methods returned in the initial none auth attempt. Please advise if my understanding is incorrect:

	// during the authentication phase the client first attempts the "none" method
	// then any untried methods suggested by the server.
	var tried []string
	var lastMethods []string

	sessionID := c.transport.getSessionID()
	for auth := AuthMethod(new(noneAuth)); auth != nil; {
		ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand, extensions)
		if err != nil {
			// We return the error later if there is no other method left to
			// try.
			ok = authFailure
		}
		if ok == authSuccess {
			// success
			return nil
		} else if ok == authFailure {
			if m := auth.method(); !contains(tried, m) {
				tried = append(tried, m)
			}
		}
		if methods == nil {
			methods = lastMethods
		}
		lastMethods = methods

		auth = nil

	findNext:
		for _, a := range config.Auth {
			candidateMethod := a.method()
			if contains(tried, candidateMethod) {
				continue
			}
			for _, meth := range methods {
				if meth == candidateMethod {
					auth = a
					break findNext
				}
			}
		}

		if auth == nil && err != nil {
			// We have an error and there are no other authentication methods to
			// try, so we return it.
			return err
		}
	}
	return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)

drakkan (Member) commented Nov 5, 2024

Can OpenSSH connect to this server? If so, please post the output of ssh -vvvvv ..... Thank you

tg123 (Author) commented Nov 5, 2024

As a library, it is better to have the flexibility to create a server and client that do not follow the RFC auth process,
for example:
client sends 3 * none in a row, server: welcome
It is scanner safe and passwordless 🤣

hanwen (Contributor) commented Nov 5, 2024

RFC 4252:

If no authentication is needed for the user, the server MUST return SSH_MSG_USERAUTH_SUCCESS. Otherwise, the server MUST return SSH_MSG_USERAUTH_FAILURE and MAY return with it a list of methods that may continue in its 'authentications that can continue' value.

This means that things should continue to work if the list of methods is not returned from the 'none' auth. I support this change, but it is different from the proposal that is discussed here. Open a new issue?

ShimantaKB-Tunnel commented, in reply to drakkan:

Thanks for offering to help. Upon further debugging I have found out the issue is not what I thought it was. I enabled the debug logs and found that the server was returning the allowed methods on the first none auth method attempt, and the public key authentication was attempted and successful. But the server required password auth as well along with public key auth, and since no password auth method was configured in the application, the dial call failed. The error log is misleading and led me to believe the server wasn't returning the methods along with the failure message on the none auth method attempt.
These are my application logs with debug logging enabled:

2024-11-05 16:12:55.295
{"level":"error","message":"Failed to dial","error":"ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain","timestamp":"2024-11-05T10:42:55.295Z","request_id":"52852b4d324150c50cfc717028b764ea","service_name":"FTP-service","fun_name":"testDialWithPubKeyAuth","class_name":"TestConnectionService","value":null}
2024-11-05 16:12:55.295
2024/11/05 10:42:55 client got *ssh.userAuthFailureMsg &{[password] true} (<nil>)
2024-11-05 16:12:55.294
2024/11/05 10:42:55 read client 51
2024-11-05 16:12:55.262
2024/11/05 10:42:55 write client 50
2024-11-05 16:12:55.262
2024/11/05 10:42:55 client sent *ssh.userAuthRequestMsg &{userID ssh-connection publickey [1 0 0 0  ...]} (<nil>)
2024-11-05 16:12:55.259
2024/11/05 10:42:55 client got *ssh.userAuthPubKeyOkMsg &{rsa-sha2-256 [0 0 0 7 ...]} (<nil>)
2024-11-05 16:12:55.259
2024/11/05 10:42:55 read client 60
2024-11-05 16:12:55.181
2024/11/05 10:42:55 write client 50
2024-11-05 16:12:55.181
2024/11/05 10:42:55 client sent *ssh.userAuthRequestMsg &{userID ssh-connection publickey [0 0 0 0 ...]} (<nil>)
2024-11-05 16:12:55.181
2024/11/05 10:42:55 client got *ssh.userAuthFailureMsg &{[publickey password] false} (<nil>)
2024-11-05 16:12:55.181
2024/11/05 10:42:55 read client 51
2024-11-05 16:12:55.155
2024/11/05 10:42:55 write client 50
2024-11-05 16:12:55.154
2024/11/05 10:42:55 client sent *ssh.userAuthRequestMsg &{userID ssh-connection none []} (<nil>)
2024-11-05 16:12:55.154
2024/11/05 10:42:55 client got <nil> <nil> (ssh: unexpected message type 53 (expected 0))
2024-11-05 16:12:55.154
2024/11/05 10:42:55 read client 53
2024-11-05 16:12:55.154
2024/11/05 10:42:55 client got *ssh.serviceAcceptMsg &{ssh-userauth} (<nil>)
2024-11-05 16:12:55.154
2024/11/05 10:42:55 read client 6
2024-11-05 16:12:55.154	
2024/11/05 10:42:55 client got *ssh.extInfoMsg &{1 [0 0 0 15 115 101 114 118 101 114 45 115 105 103 45 97 108 103 115 0 0 2 79 114 115 97 45 115 104 97 50 45 53 49 50 44 114 115 97 45 115 104 97 50 45 53 49 50 45 99 101 114 116 45 118 48 49 64 111 112 101 110 115 115 104 46 99 111 109 44 115 115 104 45 101 100 50 53 53 49 57 45 99 101 114 116 45 118 48 49 64 111 112 101 110 115 115 104 46 99 111 109 44 115 115 104 45 101 100 52 52 56 44 115 115 104 45 101 100 50 53 53 49 57 44 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 50 53 54 44 120 53 48 57 118 51 45 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 53 50 49 44 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 53 50 49 45 99 101 114 116 45 118 48 49 64 111 112 101 110 115 115 104 46 99 111 109 44 114 115 97 45 115 104 97 50 45 50 53 54 45 99 101 114 116 45 118 48 49 64 111 112 101 110 115 115 104 46 99 111 109 44 120 53 48 57 118 51 45 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 50 53 54 44 114 115 97 45 115 104 97 50 45 50 53 54 44 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 51 56 52 44 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 51 56 52 45 99 101 114 116 45 118 48 49 64 111 112 101 110 115 115 104 46 99 111 109 44 120 53 48 57 118 51 45 114 115 97 50 48 52 56 45 115 104 97 50 53 54 44 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 53 50 49 44 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 50 53 54 45 99 101 114 116 45 118 48 49 64 111 112 101 110 115 115 104 46 99 111 109 44 120 53 48 57 118 51 45 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 51 56 52 44 120 53 48 57 118 51 45 115 115 104 45 100 115 115 44 115 115 104 45 100 115 115 45 99 101 114 116 45 118 48 49 64 111 112 101 110 115 115 104 46 99 111 109 44 115 115 104 45 100 115 115 44 120 53 48 57 118 51 45 115 105 103 110 45 100 115 115 44 120 53 48 57 118 51 45 115 115 104 45 114 115 97 44 120 53 48 57 118 51 45 115 105 103 110 45 114 115 97 45 
115 104 97 49 44 115 115 104 45 114 115 97 45 99 101 114 116 45 118 48 49 64 111 112 101 110 115 115 104 46 99 111 109 44 115 115 104 45 114 115 97 44 120 53 48 57 118 51 45 115 105 103 110 45 114 115 97]} (<nil>)
2024-11-05 16:12:55.154
2024/11/05 10:42:55 read client 7
2024-11-05 16:12:55.128
2024/11/05 10:42:55 write client 5
2024-11-05 16:12:55.128
2024/11/05 10:42:55 client sent *ssh.serviceRequestMsg &{ssh-userauth} (<nil>)
2024-11-05 16:12:55.128
2024/11/05 10:42:55 client exited key exchange (first true), err <nil>
2024-11-05 16:12:55.128
2024/11/05 10:42:55 read client 21
2024-11-05 16:12:55.128
2024/11/05 10:42:55 write client 21
2024-11-05 16:12:55.127
2024/11/05 10:42:55 read client 31
2024-11-05 16:12:55.094
2024/11/05 10:42:55 write client 30
2024-11-05 16:12:55.094
2024/11/05 10:42:55 client entered key exchange
2024-11-05 16:12:55.093	
2024/11/05 10:42:55 client got *ssh.kexInitMsg &{[214 188 34 21 24 161 48 241 255 34 103 58 129 185 232 187] [ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 [email protected] ext-info-s [email protected]] [rsa-sha2-512 rsa-sha2-256 ssh-rsa] [[email protected] [email protected] aes256-ctr aes192-ctr aes128-ctr] [[email protected] [email protected] aes256-ctr aes192-ctr aes128-ctr] [[email protected] [email protected] hmac-sha2-512 hmac-sha2-256 hmac-sha256 [email protected] hmac-sha1] [[email protected] [email protected] hmac-sha2-512 hmac-sha2-256 hmac-sha256 [email protected] hmac-sha1] [none] [none] [] [] false 0} (<nil>)
2024-11-05 16:12:55.093
2024/11/05 10:42:55 read client 20
2024-11-05 16:12:55.093
2024/11/05 10:42:55 write client 20
2024-11-05 16:12:55.093	
2024/11/05 10:42:55 client sent *ssh.kexInitMsg &{[207 110 58 99 101 231 136 122 76 38 11 13 180 52 121 211] [curve25519-sha256 [email protected] ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 ext-info-c [email protected]] [ssh-rsa rsa-sha2-256 rsa-sha2-512] [[email protected] [email protected] [email protected] aes128-ctr aes192-ctr aes256-ctr] [[email protected] [email protected] [email protected] aes128-ctr aes192-ctr aes256-ctr] [[email protected] [email protected] hmac-sha2-256 hmac-sha2-512 hmac-sha1 hmac-sha1-96] [[email protected] [email protected] hmac-sha2-256 hmac-sha2-512 hmac-sha1 hmac-sha1-96] [none] [none] [] [] false 0} (<nil>)

In reply to hanwen's RFC 4252 comment above:

I believe my hypothesis was wrong, and the server is indeed working as per the RFC. Thanks for offering to help! I am not sure if a new issue needs to be opened for the misleading error log, will do if it seems that my understanding is right.
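The three technical points in this thread can be reproduced without a network: the method-selection loop quoted from client_auth.go, hanwen's RFC 4252 point about a server that omits the "authentications that can continue" list, and the final finding that "attempted methods [none]" is misleading when the server accepted the key and then asked for a password. The following is an added example, not code from x/crypto/ssh or from anyone in this thread. It re-implements that loop over a hypothetical in-memory server with partial-success semantics (the fakeServer type, its tryMethod method and the scenario values are assumptions made for illustration), uses only the standard library, and runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// authResult mirrors the outcomes x/crypto/ssh's client_auth.go distinguishes.
type authResult int

const (
	authFailure authResult = iota
	authPartialSuccess
	authSuccess
)

// ErrNoMethods is the condition behind "no supported methods remain".
var ErrNoMethods = errors.New("no supported methods remain")

// fakeServer is a hypothetical RFC 4252 server, not x/crypto/ssh's. required is the
// ordered list of methods that must all succeed (partial-success semantics, as with an
// OpenSSH AuthenticationMethods "publickey,password"); advertise controls whether a
// USERAUTH_FAILURE carries the "authentications that can continue" list, which the RFC
// says a server MAY omit; sent records every method the client actually tried.
type fakeServer struct {
	required  []string
	advertise bool
	done      int
	sent      []string
}

// tryMethod handles one SSH_MSG_USERAUTH_REQUEST: outcome plus the (possibly nil) list.
func (s *fakeServer) tryMethod(m string) (authResult, []string) {
	s.sent = append(s.sent, m)
	if s.done >= len(s.required) {
		return authSuccess, nil // "If no authentication is needed for the user"
	}
	res := authFailure
	if m == s.required[s.done] {
		if s.done++; s.done == len(s.required) {
			return authSuccess, nil
		}
		res = authPartialSuccess
	}
	if !s.advertise {
		return res, nil
	}
	return res, append([]string(nil), s.required[s.done:]...)
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// clientAuthenticate re-implements the loop quoted from client_auth.go: "none" first,
// then any untried method the server listed. configured plays the role of
// ClientConfig.Auth; the returned slice is the `tried` value the error message shows.
func clientAuthenticate(srv *fakeServer, configured []string) ([]string, error) {
	var tried, lastMethods []string
	auth := "none" // implicit, like AuthMethod(new(noneAuth)) in the library
	for auth != "" {
		ok, methods := srv.tryMethod(auth)
		if ok == authSuccess {
			return tried, nil
		}
		// Only outright failures are recorded; a partial success is not. That is why a
		// server that accepted the key, then asked for a password, reports "[none]".
		if ok == authFailure && !contains(tried, auth) {
			tried = append(tried, auth)
		}
		if methods == nil {
			methods = lastMethods // an omitted list leaves the previous one in force
		}
		lastMethods = methods
		auth = ""
	findNext:
		for _, cand := range configured {
			if contains(tried, cand) {
				continue
			}
			for _, m := range methods {
				if m == cand {
					auth = cand
					break findNext
				}
			}
		}
	}
	return tried, fmt.Errorf("ssh: unable to authenticate, attempted methods %v, %w", tried, ErrNoMethods)
}

func main() {
	// Constructed scenario: the reporter's server (key, then password), only a key configured.
	srv := &fakeServer{required: []string{"publickey", "password"}, advertise: true}
	tried, err := clientAuthenticate(srv, []string{"publickey"})
	fmt.Printf("sent=%v tried=%v err=%v\n", srv.sent, tried, err)
}
```

Running it shows why the reporter's log read "attempted methods [none]": `tried` only accumulates outright failures, the partial success of publickey is never appended, and once the server lists only password there is no configured candidate left, so the loop exits with publickey absent from the message even though it was sent and accepted. Configuring both ssh.PublicKeys and ssh.Password makes the same server succeed. With a server that never returns the method list, `lastMethods` stays nil and nothing after none is attempted, which is the behaviour hanwen's RFC quote argues should change.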

Project status: Incoming. No branches or pull requests.

8 participants: @hanwen @tg123 @drakkan @ianlancetaylor @gopherbot @seankhliao @ShimantaKB-Tunnel and others