This is an automated email from the ASF dual-hosted git repository. twolf pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
commit 023729c80be3a95f363a07d58e2de6c719dbcbe9
Author: Thomas Wolf <[email protected]>
AuthorDate: Sat Oct 11 17:46:06 2025 +0200
Use more appropriate disconnect reason codes
In too many places the general SSH2_DISCONNECT_PROTOCOL_ERROR was used, which gives a potentially misleading message to the client. Use other error reason codes that enable transporting custom messages. (With "protocol error" or "mac error" we always send a fixed message because of CVE-2008-1561.)
---
.../java/org/apache/sshd/server/session/AbstractServerSession.java | 2 +-
.../java/org/apache/sshd/server/session/ServerUserAuthService.java | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java b/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
index b7970aae5..25108ce7e 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/session/AbstractServerSession.java
@@ -354,7 +354,7 @@ public abstract class AbstractServerSession extends AbstractSession implements S
 }
 // TODO: can services be initiated by the server-side ?
- disconnect(SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
+ disconnect(SshConstants.SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE,
 "Unsupported packet: SSH_MSG_SERVICE_ACCEPT for " + serviceName);
 }
diff --git a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
index 06b44d593..de51b0a77 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/session/ServerUserAuthService.java
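Review bot: The text built from `serviceName` in the `AbstractServerSession` hunk now reaches the peer as written, because `SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE` is not one of the codes for which the commit description says a fixed message is sent. Where `serviceName` comes from is outside the hunk; if it is decoded from the incoming packet it is peer-controlled, unbounded in length, and may carry control characters into any log line that records the disconnect. Consider bounding and sanitising it before the concatenation, or at least recording the fact next to the call, e.g. `// serviceName is peer-supplied and is now echoed in the disconnect message`. The third hunk (`ServerUserAuthService`, the `SSH2_DISCONNECT_ILLEGAL_USER_NAME` call) echoes `username` and `service` in the same way.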
@@ -268,7 +268,7 @@ public class ServerUserAuthService extends AbstractCloseable implements Service,
 }
 if (disconnectSession) {
- session.disconnect(SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
+ session.disconnect(SshConstants.SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
 "Too many authentication failures: " + nbAuthRequests);
 return false;
 }
@@ -294,9 +294,9 @@ public class ServerUserAuthService extends AbstractCloseable implements Service,
 }
 if (disconnectSession) {
- session.disconnect(SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
+ session.disconnect(SshConstants.SSH2_DISCONNECT_ILLEGAL_USER_NAME,
 "Change of username or service is not allowed (" + this.authUserName + ", " + this.authService + ")"
- + " -> (" + username + ", " + service + ")");
+ + " -> (" + username + ", " + service + ")");
 } else {
 if (debugEnabled) {
 log.debug(
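Review bot: The reason for choosing `SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE` for the "Too many authentication failures" disconnect is not recorded next to the call, and the constant's name does not obviously describe a failure-count limit. A short comment would keep a later reader from switching it back, for example `// Not PROTOCOL_ERROR: that code always sends a fixed message (CVE-2008-1561), so this text would be lost`. Monitoring that keys on the old reason code to spot repeated authentication failures may need updating as well; whether any exists is not visible here. The enclosing method starts and ends outside the hunk.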
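Review bot: `SSH2_DISCONNECT_ILLEGAL_USER_NAME` appears to be sent even when only the service changed, judging by the message text "Change of username or service is not allowed"; the condition that sets `disconnectSession` lies outside the hunk, so this is inferred. A client that kept its user name and changed only the service would then be told the user name is illegal, which is the kind of misleading reason the commit sets out to remove. Consider picking the code from whichever value differs, e.g. `SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE` when `username` is unchanged, or state in a comment that the code is chosen only because it lets the custom message through.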
