
Every few hours, I get a few of those in my server logs:

sshd[...]: Disconnecting: Change of username or service not allowed: (httpd,ssh-connection) -> (http,ssh-connection) [preauth]
sshd[...]: Disconnecting: Change of username or service not allowed: (identd,ssh-connection) -> (ident,ssh-connection) [preauth]
sshd[...]: Disconnecting: Change of username or service not allowed: (administrator,ssh-connection) -> (admin,ssh-connection) [preauth]
sshd[...]: Disconnecting: Change of username or service not allowed: (admins,ssh-connection) -> (admin,ssh-connection) [preauth]
sshd[...]: Disconnecting: Change of username or service not allowed: (admissions,ssh-connection) -> (adm,ssh-connection) [preauth]

...other attempts of the same kind: tony -> to, users -> user, wwwrun -> www, ...

Apparently, someone tries to confuse my ssh daemon by first identifying himself as foo and then as somePrefixOfFoo (without success, obviously).

Is or was there some specific vulnerability in SSH which would allow such an attack to succeed?

Jakuje
Heinzi
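As an added example (not from the question or the answer, and not OpenSSH's own code), here is a small Python parser for the sshd messages quoted above: it pulls out the old and new (username, service) pair from each disconnect, classifies whether the username, the service or both changed, and flags the "second name is a prefix of the first" pattern the asker noticed; the sample log lines, hostnames and pids are constructed.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample log modelled on the lines in the question; hostnames, pids
# and the last two lines are made up, not copied from any real server.
SAMPLE_LOG = """\
Mar  3 04:12:51 host sshd[2231]: Disconnecting: Change of username or service not allowed: (httpd,ssh-connection) -> (http,ssh-connection) [preauth]
Mar  3 06:40:02 host sshd[2390]: Disconnecting: Change of username or service not allowed: (identd,ssh-connection) -> (ident,ssh-connection) [preauth]
Mar  3 09:01:17 host sshd[2517]: Disconnecting: Change of username or service not allowed: (administrator,ssh-connection) -> (admin,ssh-connection) [preauth]
Mar  3 09:01:18 host sshd[2518]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2
Mar  3 11:30:44 host sshd[2601]: Disconnecting: Change of username or service not allowed: (deploy,ssh-connection) -> (deploy,ssh-userauth) [preauth]
"""

# Matches the sshd message quoted in the question: "(old_user,old_service) -> (new_user,new_service)".
CHANGE_RE = re.compile(
    r"sshd\[(?P<pid>[^\]]*)\]: Disconnecting: Change of username or service not allowed: "
    r"\((?P<old_user>[^,]*),(?P<old_svc>[^)]*)\) -> \((?P<new_user>[^,]*),(?P<new_svc>[^)]*)\)"
)
class ChangeEvent(NamedTuple):
    pid: str
    old_user: str
    old_service: str
    new_user: str
    new_service: str

    @property
    def kind(self) -> str:
        # Which of the two RFC 4252 fields the client changed mid-authentication.
        if self.old_user != self.new_user and self.old_service != self.new_service:
            return "both"
        return "username" if self.old_user != self.new_user else "service"

    @property
    def truncated_username(self) -> bool:
        # The pattern the asker noticed: the second name is a proper prefix of the first.
        return self.new_user != self.old_user and self.old_user.startswith(self.new_user)

def parse_change_events(log_text: str) -> list[ChangeEvent]:
    # Keep only the 'change of username or service' disconnects; other sshd lines are ignored.
    events = []
    for line in log_text.splitlines():
        m = CHANGE_RE.search(line)
        if m:
            events.append(ChangeEvent(m["pid"], m["old_user"], m["old_svc"], m["new_user"], m["new_svc"]))
    return events

def summarize(events: list[ChangeEvent]) -> dict[str, int]:
    # Count events by what changed so a run of prefix-truncated usernames stands out from other noise.
    return dict(Counter(e.kind for e in events))
```

Feed it a real auth log instead of SAMPLE_LOG and check `truncated_username` per event to see whether your traffic matches the asker's pattern or is ordinary username/service churn.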

1 Answer


I don't think there was any vulnerability in this, at least not in OpenSSH. The code resulting in this error was added in this commit, and it references a recommendation from the IETF drafts. Probably RFC4252, which states today:

The 'user name' and 'service name' are repeated in every new authentication attempt, and MAY change. The server implementation MUST carefully check them in every message, and MUST flush any accumulated authentication states if they change. If it is unable to flush an authentication state, it MUST disconnect if the 'user name' or 'service name' changes.

So I believe it is the highlighted case.

Jakuje