Details
-
Improvement
-
Status: Resolved
-
Minor
-
Resolution: Fixed
-
0.9.0
-
None
Description
When I use public key authentication against 0.9.0, I always get a 'Authenticated with partial success.' message in my console. Authentication succeeds in the end, but it looks funny.
Here's a debug trace:
~/tmp ᐅ ssh -vv -p 7999 localhost whoami
OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 7999.
debug1: Connection established.
debug1: identity file /Users/michael/.ssh/id_rsa type 1
debug1: identity file /Users/michael/.ssh/id_rsa-cert type -1
debug1: identity file /Users/michael/.ssh/id_dsa type -1
debug1: identity file /Users/michael/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version SSHD-CORE-0.10.0-SNAPSHOT
debug1: no match: SSHD-CORE-0.10.0-SNAPSHOT
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug2: fd 5 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug2: dh_gen_key: priv key bits set: 127/256
debug2: bits set: 1040/2048
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA d4:87:fd:a6:6c:a3:3d:fc:e9:84:b8:2c:3d:e7:f8:1f
debug1: Host '[localhost]:7999' is known and matches the RSA host key.
debug1: Found key in /Users/michael/.ssh/known_hosts:16
debug2: bits set: 1019/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/michael/.ssh/id_rsa (0x7f86b1c1d2f0)
debug2: key: /Users/michael/.ssh/id_dsa (0x0)
Authenticated with partial success.
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/michael/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp 76:18:ae:a5:c5:64:3f:c0:da:68:e1:c6:0d:3b:ce:19
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:7999).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: fd 5 setting TCP_NODELAY
debug1: Sending environment.
debug1: Sending env LANG = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_CTYPE = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending command: whoami
debug2: channel 0: request exec confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 2097152 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
admin
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2648, received 1928 bytes, in 0.0 seconds
Bytes per second: sent 364829.9, received 265631.4
debug1: Exit status 0
After a bit of debugging and reading up on the SSH Authentication Protocol, I think I've found the problem. When the initial SSH_MSG_USERAUTH_REQUEST comes in for method "none", ServerSession.userAuth correctly fails the authentication. But it sends back a SSH_MSG_USERAUTH_FAILURE packet with 'partial success' set to true.
I think this should be false (it was in the previous version we were using - 0.7). The code in question is here: https://github.com/apache/mina-sshd/blob/46ea09302ec1556b95474ae36337369e9c973c36/sshd-core/src/main/java/org/apache/sshd/server/session/ServerSession.java#L541
That 1 should be a 0
Attachments
Issue Links
- links to