From dev-return-27264-apmail-mina-dev-archive=mina.apache.org@mina.apache.org Thu Oct 16 08:30:35 2014 Return-Path: X-Original-To: apmail-mina-dev-archive@www.apache.org Delivered-To: apmail-mina-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8124F17DAA for ; Thu, 16 Oct 2014 08:30:35 +0000 (UTC) Received: (qmail 82875 invoked by uid 500); 16 Oct 2014 08:30:34 -0000 Delivered-To: apmail-mina-dev-archive@mina.apache.org Received: (qmail 82815 invoked by uid 500); 16 Oct 2014 08:30:34 -0000 Mailing-List: contact dev-help@mina.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@mina.apache.org Delivered-To: mailing list dev@mina.apache.org Received: (qmail 82695 invoked by uid 99); 16 Oct 2014 08:30:34 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Oct 2014 08:30:34 +0000 Date: Thu, 16 Oct 2014 08:30:34 +0000 (UTC) From: "Guillaume Nodet (JIRA)" To: dev@mina.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (SSHD-254) Public key authentication triggers 'Authenticated with partial success.' message on client MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/SSHD-254?page=3Dcom.atlassian.= jira.plugin.system.issuetabpanels:all-tabpanel ] Guillaume Nodet updated SSHD-254: --------------------------------- Fix Version/s: 0.9.1 > Public key authentication triggers 'Authenticated with partial success.' = message on client > -------------------------------------------------------------------------= ----------------- > > Key: SSHD-254 > URL: https://issues.apache.org/jira/browse/SSHD-254 > Project: MINA SSHD > Issue Type: Improvement > Affects Versions: 0.9.0 > Reporter: Michael Heemskerk > Assignee: Guillaume Nodet > Priority: Minor > Fix For: 0.10.0, 0.9.1 > > > When I use public key authentication against 0.9.0, I always get a 'Authe= nticated with partial success.' message in my console. Authentication succe= eds in the end, but it looks funny. > Here's a debug trace: > ~/tmp =E1=90=85 ssh -vv -p 7999 localhost whoami > OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012 > debug1: Reading configuration data /etc/ssh_config > debug1: /etc/ssh_config line 20: Applying options for * > debug1: /etc/ssh_config line 53: Applying options for * > debug2: ssh_connect: needpriv 0 > debug1: Connecting to localhost [::1] port 7999. > debug1: Connection established. > debug1: identity file /Users/michael/.ssh/id_rsa type 1 > debug1: identity file /Users/michael/.ssh/id_rsa-cert type -1 > debug1: identity file /Users/michael/.ssh/id_dsa type -1 > debug1: identity file /Users/michael/.ssh/id_dsa-cert type -1 > debug1: Remote protocol version 2.0, remote software version SSHD-CORE-0.= 10.0-SNAPSHOT > debug1: no match: SSHD-CORE-0.10.0-SNAPSHOT > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.9 > debug2: fd 5 setting O_NONBLOCK > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-he= llman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1= -sha1 > debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@= openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.c= om,ssh-dss > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,ar= cfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc= ,arcfour,rijndael-cbc@lysator.liu.se > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,ar= cfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc= ,arcfour,rijndael-cbc@lysator.liu.se > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sh= a2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-= ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sh= a2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-= ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib > debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib > debug2: kex_parse_kexinit:=20 > debug2: kex_parse_kexinit:=20 > debug2: kex_parse_kexinit: first_kex_follows 0=20 > debug2: kex_parse_kexinit: reserved 0=20 > debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-gro= up1-sha1 > debug2: kex_parse_kexinit: ssh-rsa > debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blow= fish-cbc,aes192-cbc,aes256-cbc > debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blow= fish-cbc,aes192-cbc,aes256-cbc > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96 > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96 > debug2: kex_parse_kexinit: none > debug2: kex_parse_kexinit: none > debug2: kex_parse_kexinit:=20 > debug2: kex_parse_kexinit:=20 > debug2: kex_parse_kexinit: first_kex_follows 0=20 > debug2: kex_parse_kexinit: reserved 0=20 > debug2: mac_setup: found hmac-md5 > debug1: kex: server->client aes128-ctr hmac-md5 none > debug2: mac_setup: found hmac-md5 > debug1: kex: client->server aes128-ctr hmac-md5 none > debug2: dh_gen_key: priv key bits set: 127/256 > debug2: bits set: 1040/2048 > debug1: sending SSH2_MSG_KEXDH_INIT > debug1: expecting SSH2_MSG_KEXDH_REPLY > debug1: Server host key: RSA d4:87:fd:a6:6c:a3:3d:fc:e9:84:b8:2c:3d:e7:f8= :1f > debug1: Host '[localhost]:7999' is known and matches the RSA host key. > debug1: Found key in /Users/michael/.ssh/known_hosts:16 > debug2: bits set: 1019/2048 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: Roaming not allowed by server > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /Users/michael/.ssh/id_rsa (0x7f86b1c1d2f0) > debug2: key: /Users/michael/.ssh/id_dsa (0x0) > Authenticated with partial success. > debug1: Authentications that can continue: publickey > debug1: Next authentication method: publickey > debug1: Offering RSA public key: /Users/michael/.ssh/id_rsa > debug2: we sent a publickey packet, wait for reply > debug1: Server accepts key: pkalg ssh-rsa blen 277 > debug2: input_userauth_pk_ok: fp 76:18:ae:a5:c5:64:3f:c0:da:68:e1:c6:0d:3= b:ce:19 > debug1: Authentication succeeded (publickey). > Authenticated to localhost ([::1]:7999). > debug1: channel 0: new [client-session] > debug2: channel 0: send open > debug1: Entering interactive session. > debug2: callback start > debug2: client_session2_setup: id 0 > debug2: fd 5 setting TCP_NODELAY > debug1: Sending environment. > debug1: Sending env LANG =3D en_AU.UTF-8 > debug2: channel 0: request env confirm 0 > debug1: Sending env LC_CTYPE =3D en_AU.UTF-8 > debug2: channel 0: request env confirm 0 > debug1: Sending command: whoami > debug2: channel 0: request exec confirm 1 > debug2: callback done > debug2: channel 0: open confirm rwindow 2097152 rmax 32768 > debug2: channel_input_status_confirm: type 99 id 0 > debug2: exec request accepted on channel 0 > admin > debug2: channel 0: rcvd eof > debug2: channel 0: output open -> drain > debug2: channel 0: obuf empty > debug2: channel 0: close_write > debug2: channel 0: output drain -> closed > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > debug2: channel 0: rcvd close > debug2: channel 0: close_read > debug2: channel 0: input open -> closed > debug2: channel 0: almost dead > debug2: channel 0: gc: notify user > debug2: channel 0: gc: user detached > debug2: channel 0: send close > debug2: channel 0: is dead > debug2: channel 0: garbage collecting > debug1: channel 0: free: client-session, nchannels 1 > Transferred: sent 2648, received 1928 bytes, in 0.0 seconds > Bytes per second: sent 364829.9, received 265631.4 > debug1: Exit status 0 > After a bit of debugging and reading up on the SSH Authentication Protoco= l, I think I've found the problem. When the initial SSH_MSG_USERAUTH_REQUES= T comes in for method "none", ServerSession.userAuth correctly fails the au= thentication. But it sends back a SSH_MSG_USERAUTH_FAILURE packet with 'par= tial success' set to true. > I think this should be false (it was in the previous version we were usin= g - 0.7). The code in question is here: https://github.com/apache/mina-sshd= /blob/46ea09302ec1556b95474ae36337369e9c973c36/sshd-core/src/main/java/org/= apache/sshd/server/session/ServerSession.java#L541 > That 1 should be a 0 -- This message was sent by Atlassian JIRA (v6.3.4#6332)