• Question about the standard

    From Doug Weiman@21:1/5 to All on Tue Sep 25 19:31:54 2018
    Section 5.1 of RFC 4252 describes the SSH_MSG_USERAUTH_FAILURE
    message. This is the message sent by a server that has rejected an authentication request sent by client. The last field in the SSH_MSG_USERAUTH_FAILURE message is a boolean called "partial success". According to the standard above:

    "The value of 'partial success' MUST be TRUE if the authentication request to which this is a response was successful. It MUST be FALSE
    if the request was not successfully processed."

    What situation is this supposed to address?

    Let's say the client is doing password authentication. Under what circumstances will the server return an SSH_MSG_USERAUTH_FAILURE message
    with partial success set to 1? I have noticed that when supplying the
    wrong password, the value of this field in the resulting SSH_MSG_USERAUTH_FAILURE message is 0. Of course, if the password is
    correct, this message will not be returned.

    Is it the case that this field is used for other authentication mechanisms?




    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ivan Shmakov@21:1/5 to All on Wed Sep 26 00:50:42 2018
    Doug Weiman <no@nyet.net> writes:

    > Section 5.1 of RFC 4252 describes the SSH_MSG_USERAUTH_FAILURE
    > message. This is the message sent by a server that has rejected an
    > authentication request sent by client. The last field in the
    > SSH_MSG_USERAUTH_FAILURE message is a boolean called "partial
    > success". According to the standard above:
    >
    > "The value of 'partial success' MUST be TRUE if the authentication
    > request to which this is a response was successful. It MUST be FALSE
    > if the request was not successfully processed."
    >
    > What situation is this supposed to address?

    Authorization failures, perhaps? The password is correct (e. g.,
    as checked via Kerberos), but you don't have access to this
    specific host.

    [...]

    --
    FSF associate member #7257 http://am-1.org/~ivan/

  • From Simon Tatham@21:1/5 to no@nyet.net on Wed Sep 26 08:03:34 2018
    Doug Weiman <no@nyet.net> wrote:
    > The last field in the SSH_MSG_USERAUTH_FAILURE message is a boolean
    > called "partial success".
    > [...]
    > What situation is this supposed to address?

    Configuring a server to require more than one form of authentication
    before it will let you log in. E.g. requiring both a public key _and_
    a password, or both a public key and a correct response to some kind
    of one-time challenge sent via keyboard-interactive.

    'Partial success' means: _this_ authentication method has succeeded,
    but now you need at least one more independent authentication step
    before you can actually start the ssh-connection protocol.
    --
    import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1( m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r and m)(0xb80b5dacabab6145,0xf70027d345023,0x7643bc4018957897,0x11c2e5d9951130c9 ,0xa54d9cbe4e8ab,0x746c50eaa1910, "Simon Tatham <anakin@pobox.com>" ))

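
Added example, not part of any post in this thread: a parser for the SSH_MSG_USERAUTH_FAILURE payload (byte 51, the name-list of authentications that can continue, then the 'partial success' boolean), run over two constructed payloads that contrast the wrong-password case from the question with the multi-factor case from the last reply. The function names, the sample payloads and the server policy (public key plus password) are assumptions made for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number from RFC 4252


def build_userauth_failure(methods, partial_success):
    """Encode the payload: byte 51, name-list, boolean (RFC 4251 encodings)."""
    names = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + struct.pack(">I", len(names)) + names
            + bytes([1 if partial_success else 0]))


def parse_userauth_failure(payload):
    """Return (methods_that_can_continue, partial_success) or raise ValueError."""
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE payload")
    (length,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + length + 1:
        raise ValueError("name-list length does not match payload size")
    names = payload[5:5 + length].decode("ascii")
    methods = names.split(",") if names else []
    # RFC 4251: any non-zero boolean byte is interpreted as TRUE.
    return methods, payload[5 + length] != 0


def describe(payload):
    """Classify the reply the way a client (or a log reviewer) would."""
    methods, partial = parse_userauth_failure(payload)
    if partial:
        return "method accepted, continue with: " + ",".join(methods)
    return "method rejected, may try: " + ",".join(methods)


# Constructed payloads: a wrong password, then an accepted public key on a
# server that (by assumption) also requires a password.
WRONG_PASSWORD = build_userauth_failure(["publickey", "password"], False)
KEY_ACCEPTED = build_userauth_failure(["password"], True)

if __name__ == "__main__":
    for msg in (WRONG_PASSWORD, KEY_ACCEPTED):
        print(msg.hex(), "->", describe(msg))
```

In the second payload the method that just succeeded no longer appears in the name-list; only the remaining step does, which is how a client learns what to try next.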