Subject: RE: Reflection for Secure IT Server

From: Xu, Qiang (FXSGSC) <>
Date: Tue, 4 May 2010 09:50:26 +0800

> -----Original Message-----
> From:
> [] On Behalf Of Peter Stuge
> Sent: Monday, May 03, 2010 9:39 PM
> To:
> Subject: Re: Reflection for Secure IT Server
> Hello Qiang,
>
> The keyboard-interactive authentication method is used also
> on other systems. It is supported by libssh2 but it must also
> be supported explicitly by the application.
>
> The full description of keyboard-interactive is in RFC 4256.
> I very much recommend reading that, it is short at only 12 pages.
>
> kbd-int is a generic method for dialog between the SSH/SFTP
> server and the user. There is no standard for what this
> dialog contains - it is a completely generic way for the
> server to send a question to the user, and to receive a
> response back from the user.
>
> Sometimes this method is unfortunately used to ask for a password.
> That is the standard setting for both FreeBSD and Mac OS X. :(
>
> This creates a problem for libssh2 because it can not
> reliably detect that the server is asking for the user's
> password. The question from the server can be localized to
> the user's preferred language, and it can use any words, such
> as "Enter secret" that the user will understand, but which is
> impossible to completely understand in libssh2.
>
> This means that the libssh2 application must allow the user
> to participate in the kbd-int communication, in order to
> successfully authenticate to the server. Depending on the
> application it can be difficult. :\
>
> The libssh2 example sftp.c demonstrates how libssh2 calls
> back into the application in order to perform
> keyboard-interactive authentication, but please note that the
> example kbd_callback() implementation is very bad and must
> not be used in an end product!
>
> In order to further investigate kbd-int please apply the
> attached patch to sftp.c (or use very latest git) and then
> test the sftp.c example with the same server to see more details.

Thanks, Peter!

Got to try the patch, but the source file rejected it:
qxu_at_durian(pts/1):~/opensrc/libssh2-1.2.6-20100503/src[151]$ patch sftp.c < 0001-Do-proper-keyboard-interactive-user-dialog-in-the-sf.patch
(Stripping trailing CRs from patch.)
patching file sftp.c
Hunk #1 FAILED at 52.
1 out of 1 hunk FAILED -- saving rejects to file sftp.c.rej
Is there anything wrong in my patching command?

Xu Qiang
Received on 2010-05-04
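
The keyboard-interactive dialog described in the quoted message, as an added example that is not part of the original e-mail, the attached patch, or libssh2: it shows each server prompt to the user with control bytes filtered out, honours the per-prompt echo flag, and returns heap-allocated answers. The names kbd_prompt, kbd_response, sanitize and answer_prompts are hypothetical stand-ins that mirror the text/length/echo fields libssh2 hands to a keyboard-interactive callback, so the block compiles without libssh2.

```c
#define _POSIX_C_SOURCE 200809L   /* fileno(), isatty(), termios */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical stand-ins for the prompt/response structs of a real client. */
struct kbd_prompt   { const char *text; unsigned int length; unsigned char echo; };
struct kbd_response { char *text; unsigned int length; };

/* Copy server-supplied prompt text, replacing control bytes so that an
 * untrusted server cannot inject terminal escape sequences. */
static void sanitize(const char *src, unsigned int len, char *dst, size_t cap) {
    size_t n = 0;
    for (unsigned int i = 0; i < len && n + 1 < cap; i++)
        dst[n++] = iscntrl((unsigned char)src[i]) ? '?' : src[i];
    dst[n] = '\0';
}

/* Show each prompt on `out` and read one answer line from `in`.
 * Returns the number of prompts answered, or -1 on EOF/allocation failure. */
int answer_prompts(FILE *in, FILE *out, int num,
                   const struct kbd_prompt *p, struct kbd_response *r) {
    char shown[256], line[512];
    int fd = fileno(in);
    for (int i = 0; i < num; i++) {
        struct termios saved;
        int hide = !p[i].echo && isatty(fd) && tcgetattr(fd, &saved) == 0;
        sanitize(p[i].text, p[i].length, shown, sizeof shown);
        fputs(shown, out);
        fflush(out);
        if (hide) {                        /* echo == 0: answer is a secret */
            struct termios quiet = saved;
            quiet.c_lflag &= ~(tcflag_t)ECHO;
            tcsetattr(fd, TCSAFLUSH, &quiet);
        }
        char *got = fgets(line, sizeof line, in);
        if (hide) { tcsetattr(fd, TCSAFLUSH, &saved); fputc('\n', out); }
        if (!got) return -1;
        line[strcspn(line, "\r\n")] = '\0';
        r[i].length = (unsigned int)strlen(line);
        r[i].text = malloc(r[i].length + 1);   /* caller frees r[i].text */
        if (!r[i].text) return -1;
        memcpy(r[i].text, line, r[i].length + 1);
    }
    return num;
}
```

Because the prompt wording is never inspected, the same code works whether the server asks for a password, a token code, or a localized "Enter secret".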