Uploaded image for project: 'MINA SSHD'
  1. MINA SSHD
  2. SSHD-254

Public key authentication triggers 'Authenticated with partial success.' message on client

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 0.9.0
    • 0.10.0
    • None

    Description

      When I use public key authentication against 0.9.0, I always get a 'Authenticated with partial success.' message in my console. Authentication succeeds in the end, but it looks funny.

      Here's a debug trace:

      ~/tmp ᐅ ssh -vv -p 7999 localhost whoami
      OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
      debug1: Reading configuration data /etc/ssh_config
      debug1: /etc/ssh_config line 20: Applying options for *
      debug1: /etc/ssh_config line 53: Applying options for *
      debug2: ssh_connect: needpriv 0
      debug1: Connecting to localhost [::1] port 7999.
      debug1: Connection established.
      debug1: identity file /Users/michael/.ssh/id_rsa type 1
      debug1: identity file /Users/michael/.ssh/id_rsa-cert type -1
      debug1: identity file /Users/michael/.ssh/id_dsa type -1
      debug1: identity file /Users/michael/.ssh/id_dsa-cert type -1
      debug1: Remote protocol version 2.0, remote software version SSHD-CORE-0.10.0-SNAPSHOT
      debug1: no match: SSHD-CORE-0.10.0-SNAPSHOT
      debug1: Enabling compatibility mode for protocol 2.0
      debug1: Local version string SSH-2.0-OpenSSH_5.9
      debug2: fd 5 setting O_NONBLOCK
      debug1: SSH2_MSG_KEXINIT sent
      debug1: SSH2_MSG_KEXINIT received
      debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
      debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
      debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
      debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
      debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
      debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
      debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
      debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
      debug2: kex_parse_kexinit:
      debug2: kex_parse_kexinit:
      debug2: kex_parse_kexinit: first_kex_follows 0
      debug2: kex_parse_kexinit: reserved 0
      debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
      debug2: kex_parse_kexinit: ssh-rsa
      debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
      debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
      debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
      debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
      debug2: kex_parse_kexinit: none
      debug2: kex_parse_kexinit: none
      debug2: kex_parse_kexinit:
      debug2: kex_parse_kexinit:
      debug2: kex_parse_kexinit: first_kex_follows 0
      debug2: kex_parse_kexinit: reserved 0
      debug2: mac_setup: found hmac-md5
      debug1: kex: server->client aes128-ctr hmac-md5 none
      debug2: mac_setup: found hmac-md5
      debug1: kex: client->server aes128-ctr hmac-md5 none
      debug2: dh_gen_key: priv key bits set: 127/256
      debug2: bits set: 1040/2048
      debug1: sending SSH2_MSG_KEXDH_INIT
      debug1: expecting SSH2_MSG_KEXDH_REPLY
      debug1: Server host key: RSA d4:87:fd:a6:6c:a3:3d:fc:e9:84:b8:2c:3d:e7:f8:1f
      debug1: Host '[localhost]:7999' is known and matches the RSA host key.
      debug1: Found key in /Users/michael/.ssh/known_hosts:16
      debug2: bits set: 1019/2048
      debug1: ssh_rsa_verify: signature correct
      debug2: kex_derive_keys
      debug2: set_newkeys: mode 1
      debug1: SSH2_MSG_NEWKEYS sent
      debug1: expecting SSH2_MSG_NEWKEYS
      debug2: set_newkeys: mode 0
      debug1: SSH2_MSG_NEWKEYS received
      debug1: Roaming not allowed by server
      debug1: SSH2_MSG_SERVICE_REQUEST sent
      debug2: service_accept: ssh-userauth
      debug1: SSH2_MSG_SERVICE_ACCEPT received
      debug2: key: /Users/michael/.ssh/id_rsa (0x7f86b1c1d2f0)
      debug2: key: /Users/michael/.ssh/id_dsa (0x0)
      Authenticated with partial success.
      debug1: Authentications that can continue: publickey
      debug1: Next authentication method: publickey
      debug1: Offering RSA public key: /Users/michael/.ssh/id_rsa
      debug2: we sent a publickey packet, wait for reply
      debug1: Server accepts key: pkalg ssh-rsa blen 277
      debug2: input_userauth_pk_ok: fp 76:18:ae:a5:c5:64:3f:c0:da:68:e1:c6:0d:3b:ce:19
      debug1: Authentication succeeded (publickey).
      Authenticated to localhost ([::1]:7999).
      debug1: channel 0: new [client-session]
      debug2: channel 0: send open
      debug1: Entering interactive session.
      debug2: callback start
      debug2: client_session2_setup: id 0
      debug2: fd 5 setting TCP_NODELAY
      debug1: Sending environment.
      debug1: Sending env LANG = en_AU.UTF-8
      debug2: channel 0: request env confirm 0
      debug1: Sending env LC_CTYPE = en_AU.UTF-8
      debug2: channel 0: request env confirm 0
      debug1: Sending command: whoami
      debug2: channel 0: request exec confirm 1
      debug2: callback done
      debug2: channel 0: open confirm rwindow 2097152 rmax 32768
      debug2: channel_input_status_confirm: type 99 id 0
      debug2: exec request accepted on channel 0
      admin
      debug2: channel 0: rcvd eof
      debug2: channel 0: output open -> drain
      debug2: channel 0: obuf empty
      debug2: channel 0: close_write
      debug2: channel 0: output drain -> closed
      debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
      debug2: channel 0: rcvd close
      debug2: channel 0: close_read
      debug2: channel 0: input open -> closed
      debug2: channel 0: almost dead
      debug2: channel 0: gc: notify user
      debug2: channel 0: gc: user detached
      debug2: channel 0: send close
      debug2: channel 0: is dead
      debug2: channel 0: garbage collecting
      debug1: channel 0: free: client-session, nchannels 1
      Transferred: sent 2648, received 1928 bytes, in 0.0 seconds
      Bytes per second: sent 364829.9, received 265631.4
      debug1: Exit status 0

      After a bit of debugging and reading up on the SSH Authentication Protocol, I think I've found the problem. When the initial SSH_MSG_USERAUTH_REQUEST comes in for method "none", ServerSession.userAuth correctly fails the authentication. But it sends back a SSH_MSG_USERAUTH_FAILURE packet with 'partial success' set to true.

      I think this should be false (it was in the previous version we were using - 0.7). The code in question is here: https://github.com/apache/mina-sshd/blob/46ea09302ec1556b95474ae36337369e9c973c36/sshd-core/src/main/java/org/apache/sshd/server/session/ServerSession.java#L541

      That 1 should be a 0

      Attachments

        Issue Links

          links to

          Web Link Pull request

          Activity

            People

              gnodet Guillaume Nodet
              mheemskerk Michael Heemskerk
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: