x/crypto/ssh: login with incorrect credentials #12901

Closed
tobor opened this issue Oct 11, 2015 · 8 comments
@tobor tobor commented Oct 11, 2015

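```go
import "golang.org/x/crypto/ssh"

// LinkSSH dials host with password authentication and reports the outcome.
func LinkSSH(host, user, pass string) (info string) {
	// Note: current x/crypto/ssh versions also require ClientConfig.HostKeyCallback.
	config := &ssh.ClientConfig{
		User: user,
		Auth: []ssh.AuthMethod{
			ssh.Password(pass),
		},
	}
	// ssh.Dial performs the handshake and the user authentication.
	client, err := ssh.Dial("tcp", host, config)
	if err != nil {
		info = "connect error"
		return info
	}
	defer client.Close()

	session, err := client.NewSession()
	if err != nil {
		info = "login error"
		return info
	}
	// Defer Close only after the error check: session is nil on failure.
	defer session.Close()

	info = "login ok"
	return info
}
```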

If the ssh-server is Dropbear, a wrong user and pass return "login ok".


@davecheney davecheney commented Oct 11, 2015

Are you saying that against a dropbear server, providing incorrect
credentials allows you to login to the server anyway?



@minux minux commented Oct 11, 2015

@rakyll rakyll changed the title golang.org/x/crypto/ssh x/crypto/ssh: login with incorrect credentials Oct 12, 2015

@rakyll rakyll commented Oct 12, 2015

Not able to reproduce either, please open with more details if it is still the case.

@rakyll rakyll closed this Oct 12, 2015

@tobor tobor commented Oct 12, 2015

> Are you saying that against a dropbear server, providing incorrect
> credentials allows you to login to the server anyway?

Provided the wrong username and password, the procedure returns successfully. It should return failure.


@davecheney davecheney commented Oct 12, 2015

> Provided the wrong username and password, the procedure returns successfully. It should return failure.

Can you replicate this behaviour with another ssh client (you may have to mess with the order and types of authentication attempted)?

In this case the ssh package is acting as a client to the dropbear server, so

a. this isn't the fault of the client
b. you may have discovered a lucrative bug in dropbear.


@tobor tobor commented Oct 12, 2015

Thank you all. I tested xshell and putty; they return success, but I will be asked to re-enter the password. This isn't the fault of the client.


@rakyll rakyll commented Oct 16, 2015

> Are you saying that against a dropbear server, providing incorrect
> credentials allows you to login to the server anyway?

Sorry for not providing a little context in my previous comment. It is not reproducible against other servers. I wanted to say the issue is probably dropbear, not the ssh client.


@davecheney davecheney commented Oct 17, 2015

Thank you for confirming, I agree with your assessment.


@golang golang locked and limited conversation to collaborators Oct 17, 2016