https://bugzilla.mindrot.org/show_bug.cgi?id=3356
Damien Miller <d...@mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d...@mindrot.org

--- Comment #1 from Damien Miller <d...@mindrot.org> ---
Created attachment 3725
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3725&action=edit
relax reception of 2nd EXT_INFO message

Yes, this is a bug :(

Unfortunately, the 2nd KEX_INFO message is fairly useless anyway because it happens too late to affect userauth. E.g. it's not possible to use EXT_INFO to vary server-sig-algs per user which is the one thing we'd want to be able to do with it currently.

It would be usable for the other options in RFC8308, but IMO they are either irrelevant to OpenSSH ("elevation"), already implemented differently in OpenSSH ("z...@openssh.com") or just useless "no-flow-control" (a peer could just advertise arbitrarily large channel windows).

The attached patch relaxes reception of the 2nd EXT_INFO message to allow it at any time during userauth. This makes us bug-compatible with OpenSSH <9.5, compatible with the spec and potentially usable for advertising server-sig-algs during userauth (though doing so would be a separate violation of RFC8308).
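
A minimal model of the relaxed reception rule described in the comment above, added here as an illustration; it is not the attached patch and not OpenSSH code. The struct and function names are hypothetical, "userauth" is simplified to everything between the server's first NEWKEYS and USERAUTH_SUCCESS, and accepting at most one second EXT_INFO is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Message numbers from RFC 4253, RFC 4252 and RFC 8308. */
enum { MSG_SERVICE_ACCEPT = 6, MSG_EXT_INFO = 7, MSG_NEWKEYS = 21,
       MSG_USERAUTH_FAILURE = 51, MSG_USERAUTH_SUCCESS = 52 };

/* Hypothetical client-side tracker; not an OpenSSH structure. */
struct ext_info_state {
    bool seen_newkeys;   /* first NEWKEYS from the server received */
    bool after_newkeys;  /* previous packet was that first NEWKEYS */
    bool authenticated;  /* USERAUTH_SUCCESS received */
    bool got_first;      /* EXT_INFO taken in the post-NEWKEYS slot */
    bool got_second;     /* EXT_INFO taken during userauth */
};

/* Feed one server packet type; returns false if it must be rejected. */
bool ext_info_accept(struct ext_info_state *s, int type)
{
    bool first_slot = s->after_newkeys;
    s->after_newkeys = false;

    if (type == MSG_NEWKEYS && !s->seen_newkeys) {
        s->seen_newkeys = s->after_newkeys = true;
    } else if (type == MSG_USERAUTH_SUCCESS) {
        s->authenticated = true;
    } else if (type == MSG_EXT_INFO) {
        if (!s->seen_newkeys || s->authenticated)
            return false;            /* before keys are on, or after auth */
        if (first_slot && !s->got_first)
            s->got_first = true;     /* RFC 8308 first opportunity */
        else if (!s->got_second)
            s->got_second = true;    /* relaxed: anywhere in userauth */
        else
            return false;            /* assumption: only one 2nd message */
    }
    return true;
}

/* Index of the first rejected packet in a trace, or -1 if all pass. */
int first_rejected(const int *types, size_t n)
{
    struct ext_info_state s = {0};
    for (size_t i = 0; i < n; i++)
        if (!ext_info_accept(&s, types[i]))
            return (int)i;
    return -1;
}
```

A receiver cannot tell on arrival whether an EXT_INFO "immediately precedes" USERAUTH_SUCCESS, which is why the model accepts it anywhere in the authentication phase and rejects it only before NEWKEYS, after success, or on a third occurrence.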