x/crypto/ssh: login with incorrect credentials

[tobor]

func LinkSSH(host, user, pass string) (info string) {

config := &ssh.ClientConfig{
    User: user,
    Auth: []ssh.AuthMethod{
        ssh.Password(pass),
    },
}
client, err := ssh.Dial("tcp", host, config)
if err != nil {
            info = "connect error"
    return info
} else {
    session, err := client.NewSession()
    defer session.Close()

    if err != nil {
                    info = "login error"
        return info
    } else {
        info = "login ok"
        client.Close()
        return info

    }
}

}

if ssh-server is Dropbear user and pass error return login ok

[davecheney]

Are you saying that against a dropbear server, providing incorrect
credentials allows you to login to the server anyway?

On Sun, 11 Oct 2015 20:59 tobor notifications@github.com wrote:

func LinkSSH(host, user, pass string) (info string) {

config := &ssh.ClientConfig{
User: user,
Auth: []ssh.AuthMethod{
ssh.Password(pass),
},
}
client, err := ssh.Dial("tcp", host, config)
if err != nil {
info = "connect error"
return info
} else {
session, err := client.NewSession()
defer session.Close()

if err != nil {
                info = "login error"
    return info
} else {
    info = "login ok"
    client.Close()
    return info

}

}

}

if ssh-server is Dropbear user and pass error return login ok

—
Reply to this email directly or view it on GitHub
#12901.

[minux]

can't reproduce. I've tested SSH-2.0-dropbear_2015.67 in OpenWRT. Note that if the ssh client is unable to authenticate, the Dial call will fail. Please provide more information on how to reproduce.

[rakyll]

Not able to reproduce either, please open with more details if it is still the case.

[tobor]

Are you saying that against a dropbear server, providing incorrect
credentials allows you to login to the server anyway?

Provided the wrong username and password procedure returns successfully, it should return failure

[davecheney]

Provided the wrong username and password procedure returns successfully, it should return failure

Can you replicate this behaviour with another ssh client (you may have to mess with the order and types of authentication attempted).

In this case the ssh package is acting as a client to the dropbear server, so

a. this isn't the fault of the client
b. you may have discovered a lucrative bug in dropbear.

[tobor]

thank you all，I tested xshell and putty return success, but will be asked to re-enter the password，this isn't the fault of the client

[rakyll]

Are you saying that against a dropbear server, providing incorrect
credentials allows you to login to the server anyway?

Sorry for not providing little context in my previous comment. It is not reproducible against other servers. I wanted to say the issue is probably dropbear, not the ssh client.

[davecheney]

Thank you for confirming, I agree with your assessment.

On Sat, 17 Oct 2015, 08:03 rakyll notifications@github.com wrote:

Are you saying that against a dropbear server, providing incorrect
credentials allows you to login to the server anyway?

Sorry for not providing little context in my previous comment. It is not
reproducible against other servers. I wanted to say the issue is probably
dropbear, not the ssh client.

—
Reply to this email directly or view it on GitHub
#12901 (comment).