bin/179619: 9-STABLE sshd negotiates unsupported cipher

Christian Weisgerber naddy at FreeBSD.org
Sun Jun 16 15:00:00 UTC 2013


>Number:         179619
>Category:       bin
>Synopsis:       9-STABLE sshd negotiates unsupported cipher
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 16 15:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Christian Weisgerber
>Release:        FreeBSD 9.1-STABLE amd64
>Organization:
>Environment:
System: FreeBSD lorvorc.mips.inka.de 9.1-STABLE FreeBSD 9.1-STABLE #0 r251468: Thu Jun 6 17:02:46 CEST 2013 naddy at lorvorc.mips.inka.de:/usr/obj/usr/src/sys/GENERIC amd64

OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013, on FreeBSD 9-STABLE.

This version of OpenSSL does not support AES-GCM, so OpenSSH is built
with #undef OPENSSL_HAVE_EVPGCM there.

>Description:

Let's try to connect to a 9-STABLE box from a host that does support
AES-GCM:

$ ssh -c aes128-gcm@openssh.com,aes128-ctr lorvorc
Connection closed by 2001:6f8:124a::5

Odd.

$ ssh -v -c aes128-gcm@openssh.com,aes128-ctr lorvorc
OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/naddy/.ssh/config
debug1: /home/naddy/.ssh/config line 34: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to lorvorc [2001:6f8:124a::5] port 22.
debug1: Connection established.
debug1: identity file /home/naddy/.ssh/id_rsa type -1
debug1: identity file /home/naddy/.ssh/id_rsa-cert type -1
debug1: identity file /home/naddy/.ssh/id_dsa type -1
debug1: identity file /home/naddy/.ssh/id_dsa-cert type -1
debug1: identity file /home/naddy/.ssh/id_ecdsa type -1
debug1: identity file /home/naddy/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2_hpn13v11 FreeBSD-20130515
debug1: match: OpenSSH_6.2_hpn13v11 FreeBSD-20130515 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-gcm@openssh.com <implicit> none
debug1: kex: client->server aes128-gcm@openssh.com <implicit> none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 2001:6f8:124a::5

On the 9-STABLE box, auth.log says:

Jun  9 02:39:49 lorvorc sshd[98792]: fatal: matching cipher is not supported: aes128-gcm@openssh.com [preauth]

sshd should not match a cipher it doesn't actually support!
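The failure sequence above, as an added Python model (not code from this PR or from OpenSSH; the cipher lists and the `fixed` switch are constructed to mirror the static KEX_DEFAULT_ENCRYPT list and the change proposed under >Fix below): the server advertises a fixed list, RFC 4253 selection takes the client's first entry the server also named, and only afterwards does the server find it cannot set that cipher up.

```python
# Added illustration of the negotiation mismatch reported above; this is
# not OpenSSH code. Cipher names are real SSH algorithm names; the lists
# are constructed to mirror the KEX_DEFAULT_ENCRYPT order in myproposal.h.

GCM_CIPHERS = ["aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
CTR_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
CBC_CIPHERS = ["aes128-cbc", "3des-cbc"]
CLIENT_PROPOSAL = ["aes128-gcm@openssh.com", "aes128-ctr"]  # the ssh -c above


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the chosen algorithm is the first entry in the
    client's list that the server also advertised; None means no match."""
    for name in client_list:
        if name in server_list:
            return name
    return None


def supported_ciphers(have_evpgcm):
    """What this build's cipher table can actually instantiate."""
    return CTR_CIPHERS + (GCM_CIPHERS if have_evpgcm else []) + CBC_CIPHERS


def advertised_ciphers(have_evpgcm, fixed):
    """The server's KEXINIT proposal. Unfixed: the static list always names
    the GCM modes. Fixed: AESGCM_CIPHER_MODES is empty without EVP GCM."""
    gcm = GCM_CIPHERS if (have_evpgcm or not fixed) else []
    return CTR_CIPHERS + gcm + CBC_CIPHERS


def server_kex(client_list, have_evpgcm, fixed=False):
    """Server side of the exchange: pick the cipher, then try to set it up.
    Returns (chosen, ok); ok False is the point where sshd logs
    'fatal: matching cipher is not supported' and drops the connection."""
    chosen = negotiate(client_list, advertised_ciphers(have_evpgcm, fixed))
    if chosen is None:
        return None, False
    return chosen, chosen in supported_ciphers(have_evpgcm)


def proposal_is_sane(have_evpgcm, fixed):
    """Defender's check: everything sshd advertises must be instantiable."""
    offered = set(advertised_ciphers(have_evpgcm, fixed))
    return offered <= set(supported_ciphers(have_evpgcm))
```

Running `proposal_is_sane(False, False)` against the unfixed list is the one-line test that would have caught this before the client ever connected.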

>How-To-Repeat:

See above.

>Fix:

Index: crypto/openssh/myproposal.h
===================================================================
--- crypto/openssh/myproposal.h	(revision 251468)
+++ crypto/openssh/myproposal.h	(working copy)
@@ -71,10 +71,16 @@
 	"ssh-rsa," \
 	"ssh-dss"
 
+#ifdef OPENSSL_HAVE_EVPGCM
+# define AESGCM_CIPHER_MODES \
+	"aes128-gcm at openssh.com,aes256-gcm at openssh.com,"
+#else
+# define AESGCM_CIPHER_MODES
+#endif
 #define	KEX_DEFAULT_ENCRYPT \
 	"aes128-ctr,aes192-ctr,aes256-ctr," \
 	"arcfour256,arcfour128," \
-	"aes128-gcm at openssh.com,aes256-gcm at openssh.com," \
+	AESGCM_CIPHER_MODES \
 	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
 	"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se"
 #ifdef	NONE_CIPHER_ENABLED
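Review bot: the new #ifdef only does its job if OPENSSL_HAVE_EVPGCM is already defined (or #undef'd, as the report says this build does) at the point where myproposal.h is included, so confirm the build's config header is pulled in before this one; otherwise the #else branch silently drops the GCM modes even on an OpenSSL that has them. The hunk also stops right at `#ifdef NONE_CIPHER_ENABLED`: if the cipher list defined under that block repeats the hardcoded `"aes128-gcm at openssh.com,aes256-gcm at openssh.com," \` entry, it needs the same `AESGCM_CIPHER_MODES \` substitution, or the HPN "none" variant will keep advertising a cipher this server cannot set up.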


For FreeBSD 9-STABLE, changing the "Ciphers" description in
ssh_config.5 and sshd_config.5 to match might be an additional
consideration.

>Release-Note:
>Audit-Trail:
>Unformatted: