Forum: >>> Magnum BBS <<<

Dark
Log in

Username Password

Question about the standard

From Doug Weiman@21:1/5 to All on Tue Sep 25 19:31:54 2018

Section 5.1 of RFC 4252 describes the SSH_MSG_USERAUTH_FAILURE
message. This is the message sent by a server that has rejected an authentication request sent by client. The last field in the SSH_MSG_USERAUTH_FAILURE message is a boolean called "partial success". According to the standard above:

"The value of 'partial success' MUST be TRUE if the authentication request to which this is a response was successful. It MUST be FALSE
if the request was not successfully processed."

What situation is this supposed to address?

Let's say the client is doing password authentication. Under what circumstances will the server return an SSH_MSG_USERAUTH_FAILURE message
with partial success set to 1? I have noticed that when supplying the
wrong password, the value of this field in the resulting SSH_MSG_USERAUTH_FAILURE message is 0. Of course, if the password is
correct, this message will not be returned.

Is it the case that this field is used for other authentication mechanisms?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Ivan Shmakov@21:1/5 to All on Wed Sep 26 00:50:42 2018

Doug Weiman <no@nyet.net> writes:

Section 5.1 of RFC 4252 describes the SSH_MSG_USERAUTH_FAILURE
message. This is the message sent by a server that has rejected an authentication request sent by client. The last field in the SSH_MSG_USERAUTH_FAILURE message is a boolean called "partial
success". According to the standard above:

"The value of 'partial success' MUST be TRUE if the authentication
request to which this is a response was successful. It MUST be FALSE
if the request was not successfully processed."

What situation is this supposed to address?

Authorization failures, perhaps? The password is correct (e. g.,
as checked via Kerberos), but you don't have access to this
specific host.

[...]

--
FSF associate member #7257 http://am-1.org/~ivan/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Simon Tatham@21:1/5 to no@nyet.net on Wed Sep 26 08:03:34 2018

Doug Weiman <no@nyet.net> wrote:

The last field in the SSH_MSG_USERAUTH_FAILURE message is a boolean
called "partial success".

[...]

What situation is this supposed to address?

Configuring a server to require more than one form of authentication
before it will let you log in. E.g. requiring both a public key _and_
a password, or both a public key and a correct response to some kind
of one-time challenge sent via keyboard-interactive.

'Partial success' means: _this_ authentication method has succeeded,
but now you need at least one more independent authentication step
before you can actually start the ssh-connection protocol.
--
import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1( m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r and m)(0xb80b5dacabab6145,0xf70027d345023,0x7643bc4018957897,0x11c2e5d9951130c9 ,0xa54d9cbe4e8ab,0x746c50eaa1910, "Simon Tatham <anakin@pobox.com>" ))

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Guest
  Tue Jan 21 01:04:30 2025
  from /bin/busybox Cat /proc/self/ex via Raw
- Guest
  Tue Jan 21 00:45:40 2025
  from /bin/busybox Cat /proc/self/ex via Raw
- Keyop
  Mon Jan 20 22:58:56 2025
  from Huddersfield, West Yorkshire via SSH
- Keyop
  Mon Jan 20 22:38:26 2025
  from Huddersfield, West Yorkshire via SSH
- Daniel Garrod
  Mon Jan 20 22:35:18 2025
  from Cambridge, Uk via Telnet
- Daniel Garrod
  Mon Jan 20 22:01:18 2025
  from Cambridge, Uk via Telnet
- Bob Worm
  Mon Jan 20 21:55:29 2025
  from Wales, Uk via Telnet
- Bob Worm
  Mon Jan 20 21:50:29 2025
  from Wales, Uk via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	403
Nodes:	16 (2 / 14)
Uptime:	111:36:08
Calls:	8,465
Calls today:	2
Files:	13,181
Messages:	5,909,935