
#136 Identification string invalid based on RFC4253

v1.0 (example)
open
nobody
None
5
2022-02-19
2022-02-10
No

JSCH string:

  SSH-2.0-JSCH-0.1.54

The minus sign after the string "JSCH" is invalid and according to the RFC MUST be a valid US-ASCII character other than whitespace or minus.

Section 4.2 of RFC 4253 starts with:

   When the connection has been established, both sides MUST send an
   identification string.  This identification string MUST be

      SSH-protoversion-softwareversion SP comments CR LF

Later on it states:

   Both the 'protoversion' and 'softwareversion' strings MUST consist of
   printable US-ASCII characters, with the exception of whitespace
   characters and the minus sign (-).  The 'softwareversion' string is
   primarily used to trigger compatibility extensions and to indicate
   the capabilities of an implementation.  The 'comments' string SHOULD
   contain additional information that might be useful in solving user
   problems.  As such, an example of a valid identification string is

      SSH-2.0-billsSSH_3.6.3q3<CR><LF>
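
As an added illustration (not JSch code and not part of the ticket), the Java class below checks a raw identification line against the section 4.2 rules quoted above. The class name `IdentCheck`, its methods and the sample lines are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class IdentCheck {
    // Returns the RFC 4253 section 4.2 violations found in one raw identification line.
    static List<String> check(byte[] raw) {
        List<String> problems = new ArrayList<>();
        int n = raw.length;
        if (n < 2 || raw[n - 2] != '\r' || raw[n - 1] != '\n') {
            problems.add("not terminated by CR LF");
        }
        // Strip whichever line terminator bytes are present before parsing the fields.
        int end = n;
        while (end > 0 && (raw[end - 1] == '\n' || raw[end - 1] == '\r')) end--;
        String line = new String(raw, 0, end, StandardCharsets.US_ASCII);
        // The first '-' after "SSH-" separates protoversion from softwareversion.
        int dash = line.startsWith("SSH-") ? line.indexOf('-', 4) : -1;
        if (dash < 0) {
            problems.add("not of the form SSH-protoversion-softwareversion");
            return problems;
        }
        int sp = line.indexOf(' ', dash + 1);   // start of the optional "SP comments" part
        checkField("protoversion", line.substring(4, dash), problems);
        checkField("softwareversion", line.substring(dash + 1, sp < 0 ? line.length() : sp), problems);
        return problems;
    }

    // Printable US-ASCII only, excluding whitespace and the minus sign.
    static void checkField(String name, String value, List<String> problems) {
        if (value.isEmpty()) problems.add(name + " is empty");
        for (char c : value.toCharArray()) {
            if (c <= 0x20 || c >= 0x7f || c == '-') {
                problems.add(name + " contains invalid character 0x" + Integer.toHexString(c));
                break;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines: the string from this ticket, an underscore form, the RFC's example.
        String[] samples = { "SSH-2.0-JSCH-0.1.54\n", "SSH-2.0-JSCH_0.1.54\r\n", "SSH-2.0-billsSSH_3.6.3q3\r\n" };
        for (String s : samples) {
            System.out.println(s.trim() + " -> " + check(s.getBytes(StandardCharsets.US_ASCII)));
        }
    }
}
```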

Discussion

  • Wyatt

    Wyatt - 2022-02-18

    There are two related issues here, both of which prevent connecting to Microsoft's Azure SFTP server, and presumably others which are strict to the RFCs. The client version string as listed above, and using a single LF vs. CR+LF after it. Fixing these two issues allows connection to Azure.

    Both changes are in Session.java.

    Line 71:
    private byte[] V_C=Util.str2byte("SSH-2.0-JSCH-"+JSch.VERSION); // client version

    needs to change to:

    private byte[] V_C=Util.str2byte("SSH-2.0-JSCH_"+JSch.VERSION); // client version

    (The difference is an underscore instead of a dash after 'JSCH').

    Line 253:
    byte[] foo=new byte[V_C.length+1];
    System.arraycopy(V_C, 0, foo, 0, V_C.length);
    foo[foo.length-1]=(byte)'\n';

    needs to change to

    byte[] foo=new byte[V_C.length+2];
    System.arraycopy(V_C, 0, foo, 0, V_C.length);
    foo[foo.length-2]=(byte)0x0D;
    foo[foo.length-1]=(byte)'\n';

    (the variable 'foo' needs to be V_C.length + 2 instead of +1, and then we insert 0x0D as the second to last byte.)

    After making these two changes I confirmed that the library works uploading to Azure SFTP.

    (I know the JSCH project is reluctant to accept any code due to copyright issues - I hereby release any and all copyright on the changes I made, and give full rights to the JSCH project.)

     
  • John Giltner

    John Giltner - 2022-02-19

    Thanks for updating with the <lf> vs. <crlf> issue. We just noticed this and I was getting ready to update when I saw your post.

     
