Gracefully fail `gss-with-mic` to allow fallback to next authentication #652

wants to merge 1 commit into


None yet

3 participants


While researching issue #651, I discovered what I think is a bug in _parse_userauth_request(). If the authentication method is gssapi-with-mic and the ptype is not MSG_USERAUTH_GSSAPI_TOKEN, then the function raises an exception. I believe the correct response is to fail the request to allow the client to fallback to alternate methods.

I've applied and tested the patch associated with this pull request and it now works as expected.

I've also attached a copy of the Putty log to this message if you'd like to see the specifics of how it attempts authentication.


@bitprophet bitprophet added the Bug label Dec 31, 2015

FTR the current behavior was added in 3e1f9f0 (via #4 / by @SebastianDeiss). If Sebastian is active I wouldn't mind a +1 from him on this since he's the original author of this part of the GSSAPI support.

Sans that input, I'd probably merge this since it's in an uncommonly-used part of the codebase and "let the client try other auth types" does seem like a more useful approach than excepting. Thanks @jamercee :)



Yes, that's definitely a bug!
Of course the client can always abort the current authentication by sending a SSH_MSG_USERAUTH_REQUEST packet, so raising an exception is not a good idea. :-)

Responding with AUTH_FAILED to allow fallback to other auth methods is the correct behavior.
Thanks for the patch @jamercee.


Thanks @SebastianDeiss !

@bitprophet bitprophet added a commit that referenced this pull request Jan 1, 2016
@bitprophet bitprophet Changelog re #652 38cc76f

Grumble grumble github cherry pick grumble. This has been ported to 1.15.x and above. Thanks @jamercee :)

@bitprophet bitprophet closed this Jan 1, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment