-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability description indicates an information leak where attackers can test if a username/public key combination is known to the server. This happens because a challenge (SSH2_MSG_USERAUTH_PK_OK) is sent only when the combination could be valid. The provided pull request and commit details show that the fix involves adding a server-side option PubkeyDisablePKCheck. The primary change is in auth2-pubkey.c, within the userauth_pubkey function. Before the patch, this function would, for a SSH_MSG_USERAUTH_REQUEST without a signature (a 'key check' or 'probe'), call user_key_allowed and if it returned true, send SSH2_MSG_USERAUTH_PK_OK. This is the information leak. The patch adds a check for options.pubkey_disable_pk_check to skip this logic if the option is enabled, thereby preventing the server from confirming the key's validity without a signature. The function userauth_pubkey in auth2-pubkey.c is therefore the vulnerable function as it processes the potentially malicious probe and, in its original form, leaks the information. The linked code snippet in the vulnerability details (auth2-pubkey.c#L261-L265) also points directly to a comment within this function highlighting the potential issue.