[SSHD-948] Do not accept password authentication if the session is not encrypted - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.3.0
Fix Version/s: 2.4.0
Labels:
None

Description

According to RFC4252 section 8:

Both the server and the client should check whether the underlying
transport layer provides confidentiality (i.e., if encryption is
being used). If no confidentiality is provided ("none" cipher),
password authentication SHOULD be disabled. If there is no
confidentiality or no MAC, password change SHOULD be disabled.

Attachments

Activity

People

Assignee:: Lyor Goldstein

Reporter:: Lyor Goldstein

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 13/Oct/19 06:21

Updated:: 08/Jun/20 13:33

Resolved:: 17/Oct/19 06:03