Fix Windows split sshd-session state flow

tgauth · tgauth · commit 8de26721737f · 2026-04-10T17:04:05.000-04:00
Keep banner exchange in sshd-auth for the split 10.3 flow and restore the post-auth monitor message ordering expected by the sshd-session -z child.

Also update the V_10_3_P1 conflict resolution notes with the successful elevated entra-id-debug-localhost validation result.
diff --git a/MERGE_V10_3_P1_CONFLICT_RESOLUTION.md b/MERGE_V10_3_P1_CONFLICT_RESOLUTION.md
@@ -88,12 +88,14 @@ Files:
 - contrib/win32/openssh/libssh.vcxproj
 - contrib/win32/openssh/unittest-*.vcxproj (multiple)
 - servconf.h
+- sshd-session.c
 
 Resolution:
 - Fixed Windows compile-scope issue in scp command execution path.
 - Ensured glob_t declarations are visible where required.
 - Synced project file source lists with current upstream/fork code split.
 - Applied type alignment in servconf struct field.
+- Corrected the Windows split-session privsep state flow so the post-auth `sshd-session -z` child reads the saved identification-exchange state before the authenticated user context.
 
 ## Validation Results
 
@@ -110,8 +112,10 @@ Resolution:
 
 ### Functionality test
 
-- Automated functionality test could not run in this environment due missing Administrator privileges.
-- Tool reported: Administrator privileges required for service install/user management.
+- Validation scenario used: `entra-id-debug-localhost`.
+- Ran `sshd.exe -ddd` elevated and validated with the rebuilt `ssh.exe` against `localhost`.
+- Result after the follow-up `sshd-session.c` fix: public-key authentication succeeded, `whoami` executed successfully, and the session exited with status 0.
+- Observed command output: `NORTHAMERICA+tessgauthier`.
 
 ## Notes for Review
 
diff --git a/sshd-session.c b/sshd-session.c
@@ -650,6 +650,7 @@ privsep_preauth(struct ssh *ssh)
 #ifdef FORK_NOT_SUPPORTED
 	if (privsep_auth_child) {
 		Authctxt *authctxt = ssh->authctxt;
+		recv_idexch_state(ssh, PRIVSEP_MONITOR_FD);
 		recv_autxctx_state(authctxt, PRIVSEP_MONITOR_FD);
 		authctxt->pw = getpwnamallow(ssh, authctxt->user);
 		authctxt->valid = 1;
@@ -1691,13 +1692,6 @@ main(int ac, char **av)
 
 	rdomain = ssh_packet_rdomain_in(ssh);
 
-#ifdef WINDOWS
-	if (privsep_auth_child) {
-		recv_idexch_state(ssh, PRIVSEP_MONITOR_FD);
-		goto idexch_done;
-	}
-#endif /* WINDOWS */
-
 	/* Log the connection. */
 	laddr = get_local_ipaddr(sock_in);
 	verbose("Connection from %s port %d on %s port %d%s%s%s",
@@ -1731,18 +1725,6 @@ main(int ac, char **av)
 			fatal("login grace time setitimer failed");
 	}
 
-	if ((r = kex_exchange_identification(ssh, -1,
-	    options.version_addendum)) != 0)
-#ifdef WINDOWS
-	{
-		send_kex_exch_exit_code_telemetry(r);
-#endif /* WINDOWS */
-		sshpkt_fatal(ssh, r, "banner exchange");
-#ifdef WINDOWS
-	}
-	send_kex_exch_exit_code_telemetry(0);
-#endif /* WINDOWS */
-idexch_done:
 	ssh_packet_set_nonblocking(ssh);
 
 	/* allocate authentication context */
