This is an automated email from the ASF dual-hosted git repository. twolf pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
commit f1cf41202e7833a25e0ef7576266470e66275b55
Author: Thomas Wolf <[email protected]>
AuthorDate: Sat Oct 11 17:46:06 2025 +0200
Use more appropriate disconnect reason codes
In too many places the general SSH2_DISCONNECT_PROTOCOL_ERROR was used, which gives a potentially misleading message to the client. Use other error reason codes that enable transporting custom messages. (With "protocol error" or "mac error" we always send a fixed message because of CVE-2008-1561.)
---
 .../java/org/apache/sshd/server/session/AbstractServerSession.java | 2 +-
 .../java/org/apache/sshd/server/session/ServerUserAuthService.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java b/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
index b7970aae5..25108ce7e 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
@@ -354,7 +354,7 @@ public abstract class AbstractServerSession extends AbstractSession implements S
 }
 // TODO: can services be initiated by the server-side ?
- disconnect(SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
+ disconnect(SshConstants.SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE,
 "Unsupported packet: SSH_MSG_SERVICE_ACCEPT for " + serviceName);
 }
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
index 06b44d593..5bc922f9f 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
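Review bot: In AbstractServerSession.java the text passed to `disconnect(...)` still concatenates `serviceName`, and with SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE it is no longer replaced by the fixed message the commit description mentions for "protocol error", so it now reaches the peer as written. `serviceName` is presumably read from the peer's own SSH_MSG_SERVICE_ACCEPT packet (its origin is outside the hunk), which would put an unbounded, unfiltered peer-supplied string into the disconnect description. I would send a constant such as `"Unsupported packet: SSH_MSG_SERVICE_ACCEPT"` and keep the service name for the server log, or cap its length and strip control characters before concatenating. The same applies to `username` and `service` in the last ServerUserAuthService.java hunk. The enclosing method starts outside the hunk.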
@@ -268,7 +268,7 @@ public class ServerUserAuthService extends AbstractCloseable implements Service,
 }
 if (disconnectSession) {
- session.disconnect(SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
+ session.disconnect(SshConstants.SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
 "Too many authentication failures: " + nbAuthRequests);
 return false;
 }
@@ -294,7 +294,7 @@ public class ServerUserAuthService extends AbstractCloseable implements Service,
 }
 if (disconnectSession) {
- session.disconnect(SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
+ session.disconnect(SshConstants.SSH2_DISCONNECT_ILLEGAL_USER_NAME,
 "Change of username or service is not allowed (" + this.authUserName + ", " + this.authService + ")" + " -> (" + username + ", " + service + ")");
 } else {
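Review bot: In the last hunk (`@@ -294,7 +294,7 @@`) SSH2_DISCONNECT_ILLEGAL_USER_NAME is sent although the message reads "Change of username or service is not allowed", so a client that kept its user name and changed only the service would apparently be told the user name is at fault. The condition that sets `disconnectSession` is outside the hunk, so this is inferred from the message text. If the code was chosen because it lets the custom message through, record that next to the call, for example `// closest reason code that still carries our message; also used when only the service changed`. Otherwise pick the reason code according to which of the two values differs. The enclosing method starts and ends outside the hunk.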
