https://bugzilla.mindrot.org/show_bug.cgi?id=3356
Damien Miller <d...@mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |d...@mindrot.org
--- Comment #1 from Damien Miller <d...@mindrot.org> ---
Created attachment 3725
--> https://bugzilla.mindrot.org/attachment.cgi?id=3725&action=edit
relax reception of 2nd EXT_INFO message
Yes, this is a bug :(
Unfortunately, the 2nd KEX_INFO message is fairly useless anyway
because it happens too late to affect userauth. E.g. it's not possible
to use EXT_INFO to vary server-sig-algs per user which is the one thing
we'd want to be able to do with it currently.
It would be usable for the other options in RFC8308, but IMO they are
either irrelevant to OpenSSH ("elevation"), already implemented
differently in OpenSSH ("z...@openssh.com") just useless
"no-flow-control" (a peer could just advertise arbitrarily large
channel windows).
The attached patch relaxes reception of the 2nd EXT_INFO message to
allow it at any time during userauth. This makes us bug-compatible with
OpenSSH <9.5, compatible with the spec and potentially usable for
advertising server-sig-algs during userauth (though doing so would be a
separate violation of RFC8308).
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
