Subject: RE: Reflection for Secure IT Server

From: Xu, Qiang (FXSGSC) <Qiang.Xu_at_fujixerox.com>
Date: Tue, 4 May 2010 09:50:26 +0800

> -----Original Message-----
> From: libssh2-devel-bounces_at_cool.haxx.se
> [mailto:libssh2-devel-bounces_at_cool.haxx.se] On Behalf Of Peter Stuge
> Sent: Monday, May 03, 2010 9:39 PM
> To: libssh2-devel_at_cool.haxx.se
> Subject: Re: Reflection for Secure IT Server
>
> Hello Qiang,
>
> The keyboard-interactive authentication method is used also
> on other systems. It is supported by libssh2 but it must also
> be supported explicitly by the application.
>
> The full description of keyboard-interactive is in RFC 4256.
> I very much recommend reading that, it is short at only 12 pages.
>
> kbd-int is a generic method for dialog between the SSH/SFTP
> server and the user. There is no standard for what this
> dialog contains - it is a completely generic way for the
> server to send a question to the user, and to receive a
> response back from the user.
>
> Sometimes this method is unfortunately used to ask for a password.
> That is the standard setting for both FreeBSD and Mac OS X. :(
>
> This creates a problem for libssh2 because it can not
> reliably detect that the server is asking for the user's
> password. The question from the server can be localized to
> the user's preferred language, and it can use any words, such
> as "Enter secret" that the user will understand, but which is
> impossible to completely understand in libssh2.
>
> This means that the libssh2 application must allow the user
> to participate in the kbd-int communication, in order to
> successfully authenticate to the server. Depending on the
> application it can be difficult. :\
>
> The libssh2 example sftp.c demonstrates how libssh2 calls
> back into the application in order to perform
> keyboard-interactive authentication, but please note that the
> example kbd_callback() implementation is very bad and must
> not be used in an end product!
>
> In order to further investigate kbd-int please apply the
> attached patch to sftp.c (or use very latest git) and then
> test the sftp.c example with the same server to see more details.

Thanks, Peter!

Got to try the patch, but the source file rejected it:
============================================================
qxu_at_durian(pts/1):~/opensrc/libssh2-1.2.6-20100503/src[151]$ patch sftp.c < 0001-Do-proper-keyboard-interactive-user-dialog-in-the-sf.patch
(Stripping trailing CRs from patch.)
patching file sftp.c
Hunk #1 FAILED at 52.
1 out of 1 hunk FAILED -- saving rejects to file sftp.c.rej
============================================================
Is there anything wrong in my patching command?

Thanks,
Xu Qiang
Received on 2010-05-04
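
To illustrate why the quoted reply says libssh2 cannot tell that a keyboard-interactive prompt asks for a password, here is an added example (not part of the original thread and not libssh2 code) that parses an RFC 4256 SSH_MSG_USERAUTH_INFO_REQUEST: each prompt is free-form text plus a single echo flag. The sample packet is constructed, and the names parse_info_request, kbd_prompt, cursor and MAX_PROMPTS are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define SSH_MSG_USERAUTH_INFO_REQUEST 60   /* RFC 4256 message number */
#define MAX_PROMPTS 8                      /* assumed cap for this example */
struct cursor { const uint8_t *p, *end; };
struct kbd_prompt { const uint8_t *text; uint32_t len; int echo; };

/* Constructed sample: empty name, instruction and language tag; two prompts. */
static const uint8_t SAMPLE[] =
    "\x3c" "\0\0\0\0" "\0\0\0\0" "\0\0\0\0" "\0\0\0\x02"
    "\0\0\0\x0e" "Enter secret: " "\0"     /* echo = FALSE */
    "\0\0\0\x06" "Code: " "\x01";          /* echo = TRUE */

/* Read a big-endian uint32 without running past the end of the packet. */
static int get_u32(struct cursor *c, uint32_t *v) {
    if (c->end - c->p < 4) return -1;
    *v = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
         ((uint32_t)c->p[2] << 8) | (uint32_t)c->p[3];
    c->p += 4;
    return 0;
}

/* Read an SSH "string": a uint32 length followed by that many bytes. */
static int get_str(struct cursor *c, const uint8_t **s, uint32_t *len) {
    if (get_u32(c, len) || (size_t)(c->end - c->p) < *len) return -1;
    *s = c->p;
    c->p += *len;
    return 0;
}

/* Returns the number of prompts parsed, or -1 if the packet is malformed. */
int parse_info_request(const uint8_t *buf, size_t n, struct kbd_prompt *out, uint32_t max) {
    struct cursor c = { buf, buf + n };
    const uint8_t *skip; uint32_t len, count;
    if (n < 1 || *c.p++ != SSH_MSG_USERAUTH_INFO_REQUEST) return -1;
    for (int i = 0; i < 3; i++)            /* name, instruction, language tag */
        if (get_str(&c, &skip, &len)) return -1;
    if (get_u32(&c, &count) || count > max) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (get_str(&c, &out[i].text, &out[i].len) || c.p == c.end) return -1;
        out[i].echo = (*c.p++ != 0);       /* the only machine-readable hint */
    }
    return (int)count;
}

int main(void) {
    struct kbd_prompt pr[MAX_PROMPTS];
    int n = parse_info_request(SAMPLE, sizeof SAMPLE - 1, pr, MAX_PROMPTS);
    for (int i = 0; i < n; i++)            /* prompt text goes to the user unchanged */
        printf("[%s] %.*s\n", pr[i].echo ? "echo" : "hidden", (int)pr[i].len, (const char *)pr[i].text);
    return n < 0;
}
```

Nothing in the packet marks a prompt as a password request; echo = FALSE only says the typed response should not be displayed.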