Is OpenSSH sending an email to no-more-sessions@openssh.com every time I connect?

25

When I try to connect to my EC2 (Ubuntu 14.04.3) server with ssh -v server, I see this at the end of the log:

debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to <domain>.com ([192.168.1.42]:12345).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com  # <!-!-!-!-!-!- What's this?
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_CTYPE = en_US.UTF-8
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-55-generic x86_64)

This is my .ssh/config:

Host server
  HostName domain.com
  User myuser
  IdentityFile ~/path/to/EC2Key.pem
  Port <portnumber>

Which seems normal. I can see two possible reasons here:

  1. OpenSSH is trying to make a connection to openssh.com as a user no-more-sessions - but that doesn't make any sense either, why?
  2. OpenSSH is trying to send email to no-more-sessions@openssh.com. This makes even less sense, and both options seem a little creepy.

What's happening here?

Posted 2015-08-15T12:03:06.277

Reputation: 782

Answers

30

No, that's not an email address. The something@domain syntax is used in many other places, and SSHv2 uses it for naming all "nonstandard" extensions (ciphers, subsystems, and so on).

So this particular request has @openssh.com because it was invented by OpenSSH, and hasn't been made part of the "main" standard documents.

Its purpose is explained in the OpenSSH 5.1 release notes:

  • Added a no-more-sessions@openssh.com global request extension that is sent from ssh(1) to sshd(8) when the client knows that it will never request another session (i.e. when session multiplexing is disabled). This allows a server to disallow further session requests and terminate the session in cases where the client has been hijacked.

ProgramFOX

Posted 2015-08-15T12:03:06.277

Reputation: 484

4 Indeed. In this case, it’s something like <thing>@<namespace>. Another related method is the reverse domain style (whatever it’s called): <namespace>.<thing> – Daniel B – 2015-08-15T12:39:50.313
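
The naming convention described in the answer, as an added example (not part of the original posts and not OpenSSH code): it pulls `Requesting ...` names out of `ssh -v` output and splits them into IETF-assigned names and `name@domain` vendor extensions, using the name rules from RFC 4251 section 6. The sample log is constructed from the question's output, and the function names are hypothetical.

```python
import re

# Constructed sample of `ssh -v` client output, modelled on the question's log.
SAMPLE_LOG = """\
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending env LANG = en_US.UTF-8
"""

REQUEST_RE = re.compile(r"^debug1: Requesting (\S+)\s*$")
MAX_NAME_LEN = 64  # RFC 4251 section 6: names are at most 64 characters


def classify_name(name):
    """Return (kind, base, domain) for an SSHv2 protocol name.

    kind is "standard" (no "@", assigned by the IETF), "extension"
    (name@domain, defined by whoever controls the domain) or "invalid".
    """
    if not name or len(name) > MAX_NAME_LEN:
        return ("invalid", None, None)
    # Printable US-ASCII only: no whitespace, control characters, DEL or comma.
    if any(ord(c) <= 32 or ord(c) >= 127 or c == "," for c in name):
        return ("invalid", None, None)
    if "@" not in name:
        return ("standard", name, None)
    base, _, domain = name.partition("@")
    # Exactly one "@", with a non-empty part on each side.
    if not base or not domain or "@" in domain:
        return ("invalid", None, None)
    return ("extension", base, domain)


def requests_in_log(log_text):
    """Yield (name, kind, base, domain) for each request line in ssh -v output."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            yield (m.group(1),) + classify_name(m.group(1))


if __name__ == "__main__":
    for name, kind, base, domain in requests_in_log(SAMPLE_LOG):
        print(f"{name}: {kind} (request={base}, namespace={domain})")
```

The part after the `@` only identifies who defined the name; nothing is resolved or contacted at that domain.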