Subject: RE: Reflection for Secure IT Server

RE: Reflection for Secure IT Server

From: Xu, Qiang (FXSGSC) <>
Date: Tue, 4 May 2010 10:08:37 +0800

> -----Original Message-----
> From:
> [] On Behalf Of Peter Stuge
> Sent: Monday, May 03, 2010 9:39 PM
> To:
> Subject: Re: Reflection for Secure IT Server
> Hello Qiang,
> The keyboard-interactive authentication method is used also
> on other systems. It is supported by libssh2 but it must also
> be supported explicitly by the application.
> The full description of keyboard-interactive is in RFC 4256.
> I very much recommend reading that, it is short at only 12 pages.
> kbd-int is a generic method for dialog between the SSH/SFTP
> server and the user. There is no standard for what this
> dialog contains - it is a completely generic way for the
> server to send a question to the user, and to receive a
> response back from the user.
> Sometimes this method is unfortunately used to ask for a password.
> That is the standard setting for both FreeBSD and Mac OS X. :(
> This creates a problem for libssh2 because it can not
> reliably detect that the server is asking for the user's
> password. The question from the server can be localized to
> the user's preferred language, and it can use any words, such
> as "Enter secret" that the user will understand, but which is
> impossible to completely understand in libssh2.
> This means that the libssh2 application must allow the user
> to participate in the kbd-int communication, in order to
> successfully authenticate to the server. Depending on the
> application it can be difficult. :\
> The libssh2 example sftp.c demonstrates how libssh2 calls
> back into the application in order to perform
> keyboard-interactive authentication, but please note that the
> example kbd_callback() implementation is very bad and must
> not be used in an end product!
> In order to further investigate kbd-int please apply the
> attached patch to sftp.c (or use very latest git) and then
> test the sftp.c example with the same server to see more details.

Sorry, Peter! Last time I patched the wrong source file, "src/sftp.c", while it should be "example/sftp.c".

Yes, your patch is verified to work well. If the server enables "Password authentication using keyboard interactive", it will tell me the authentication mode is "Authentication methods: keyboard-interactive", and I'll be prompted to submit the password. If the same setting is disabled, it will tell me "Authentication methods: password" (public key authentication has been denied at the server's end), and the password must be provided together with the command.

The only shortcoming is that the password I type is in clear-text mode. Wouldn't it be better if it shows something like "*********" when I am typing the password?

By the way, in my testing, I am using "example/sftp_write.c". Could you provide a similar patch for sftp_write.c?

Thanks a lot,
Xu Qiang
Received on 2010-05-04
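The clear-text password Xu describes is the application's responsibility, not the protocol's: RFC 4256 sends an `echo` flag with every prompt, and a keyboard-interactive callback that respects it will suppress terminal echo while the secret is typed. The following is an added example written for this thread; it is not Peter's patch and not code from the libssh2 examples. The `kbd_prompt`/`kbd_response` structs are local stand-ins assumed to mirror the shape of libssh2's prompt and response records (text, length, echo flag) so the file builds without libssh2 headers, and the `demo_scripted` function, the prompt strings and the scripted input are all constructed here for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Stand-ins for the records a kbd-int callback receives (assumed to follow
 * libssh2's LIBSSH2_USERAUTH_KBDINT_PROMPT / _RESPONSE layout). */
typedef struct {
    char *text;           /* prompt text from the server, not NUL-terminated */
    unsigned int length;
    unsigned char echo;   /* RFC 4256: 0 = do not display what the user types */
} kbd_prompt;

typedef struct {
    char *text;           /* malloc'd answer; the SSH library frees it */
    unsigned int length;
} kbd_response;

/* Overwrite a buffer that held a secret; volatile keeps the stores. */
static void wipe(char *p, size_t n)
{
    volatile char *v = (volatile char *)p;
    while (n--) *v++ = 0;
}

/* Read one line from `in`. When echo is 0 and `in` is a terminal, switch
 * terminal echo off for the duration of the read. Returns 0 or -1 on EOF. */
static int read_line(FILE *in, int echo, char *buf, size_t buflen)
{
    struct termios saved, quiet;
    int fd = fileno(in), restore = 0;
    char *r;

    if (!echo && isatty(fd) && tcgetattr(fd, &saved) == 0) {
        quiet = saved;
        quiet.c_lflag &= (tcflag_t)~ECHO;
        if (tcsetattr(fd, TCSAFLUSH, &quiet) == 0)
            restore = 1;
    }
    r = fgets(buf, (int)buflen, in);
    if (restore) {
        tcsetattr(fd, TCSAFLUSH, &saved);
        fputc('\n', stderr);   /* the user's Enter key was not echoed */
    }
    if (!r)
        return -1;
    buf[strcspn(buf, "\r\n")] = '\0';
    return 0;
}

/* Answer each prompt in order, honouring its echo flag.
 * Returns how many prompts were answered (num_prompts on success). */
int answer_prompts(FILE *in, const char *name, const char *instruction,
                   int num_prompts, const kbd_prompt *prompts,
                   kbd_response *responses)
{
    char buf[1024];
    int i;

    if (name && *name) fprintf(stderr, "%s\n", name);
    if (instruction && *instruction) fprintf(stderr, "%s\n", instruction);
    for (i = 0; i < num_prompts; i++) {
        fprintf(stderr, "%.*s", (int)prompts[i].length, prompts[i].text);
        if (read_line(in, prompts[i].echo, buf, sizeof buf) != 0)
            break;
        responses[i].length = (unsigned int)strlen(buf);
        responses[i].text = malloc(responses[i].length + 1);
        if (!responses[i].text)
            break;
        memcpy(responses[i].text, buf, responses[i].length + 1);
    }
    wipe(buf, sizeof buf);
    return i;
}

/* Constructed demo: a username prompt (echo on) and a password prompt
 * (echo off) answered from scripted `input` instead of a terminal. Returns
 * the number of prompts answered if each answer matches, else -1. */
int demo_scripted(const char *input, const char *want_user, const char *want_pw)
{
    kbd_prompt prompts[2] = { { "Username: ", 10, 1 }, { "Password: ", 10, 0 } };
    const char *want[2] = { want_user, want_pw };
    kbd_response responses[2] = { { NULL, 0 }, { NULL, 0 } };
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    int n, i, ok = 1;

    if (!in)
        return -1;
    n = answer_prompts(in, "constructed-server", "Please log in", 2, prompts, responses);
    fclose(in);
    for (i = 0; i < n; i++) {
        if (strcmp(responses[i].text, want[i]) != 0)
            ok = 0;
        wipe(responses[i].text, responses[i].length);
        free(responses[i].text);
    }
    return ok ? n : -1;
}

/* Stand-alone run: one echo-off prompt read from the real terminal. */
int main(void)
{
    kbd_prompt p[1] = { { "Password: ", 10, 0 } };
    kbd_response r[1] = { { NULL, 0 } };
    int n = answer_prompts(stdin, "", "", 1, p, r);
    if (n == 1) { wipe(r[0].text, r[0].length); free(r[0].text); }
    return n == 1 ? 0 : 1;
}
```

Run interactively, the password prompt shows nothing while you type, which is the behaviour the real callback in an end product should have; `demo_scripted` feeds the same code a constructed two-prompt exchange through `fmemopen`, where no terminal is involved and the echo logic is simply skipped.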