OpenSSH 6.5 broken(?)
Dennis Glatting
freebsd at pki2.com
Fri Mar 7 02:15:18 UTC 2014
For those interested, I received this response from the OpenSSH
bugzilla. I tested the KexAlgorithms mentioned and it resolved the
problem for now.
-------- Forwarded Message --------
From: bugzilla-daemon at mindrot.org
To: openssh at pki2.com
Subject: [Bug 2209] Problem logging into Cisco devices under 6.5p1
(kexgexc.c)
Date: Fri, 07 Mar 2014 01:54:17 +0000
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
The problem is Cisco does not correctly implement RFC4419, specifically
when asked for a preferred group size larger than its largest group it
fails rather than returning a group it does have that's within the
allowed min/max bounds.
There's been some discussion on the mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-February/032177.html
Non-code workaround: "KexAlgorithms
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" in
~/.ssh/config for the device in question.
On Thu, 2014-03-06 at 17:22 -0800, Dennis Glatting wrote:
> With the upgrade to 6.5 I can no longer log into Cisco devices. I traced
> the problem down to the code fragment below, which was a change made in
> late January.
>
> During the key exchange under 6.5 this is a clue:
>
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
>
> Compared to 6.2:
>
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
>
> I reverted the patch in my source and the problem goes away. I do not
> know if that was the correct thing to do.
>
> Index: kexgexc.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/kexgexc.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 kexgexc.c
> --- kexgexc.c 12 Jan 2014 08:13:13 -0000 1.15
> +++ kexgexc.c 25 Jan 2014 10:04:23 -0000
> @@ -55,7 +55,7 @@ kexgex_client(Kex *kex)
> int min, max, nbits;
> DH *dh;
>
> - nbits = dh_estimate(kex->we_need * 8);
> + nbits = dh_estimate(kex->dh_need * 8);
>
> if (datafellows & SSH_OLD_DHGEX) {
> /* Old GEX request */
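Review bot: reverting this hunk is a workaround, not a fix for a defect in the hunk itself. The change from `kex->we_need` to `kex->dh_need` is what raises the preferred size in the request (the debug lines above show `1024<4096<8192` under 6.2 and `1024<8192<8192` under 6.5), and comment #1 attributes the login failure to the device refusing a preferred size above its largest group instead of returning one within the min/max bounds as RFC 4419 requires. The per-host `KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1` setting in `~/.ssh/config` mentioned in the bug sidesteps group exchange for that device and is preferable to carrying a local revert. A one-line comment in the hunk explaining why `dh_need` rather than `we_need` drives the estimate would also help anyone bisecting this later.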
>
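The behaviour Darren describes can be made concrete with a small model of the RFC 4419 server-side group selection, the non-compliant fallback the device appears to implement, and the fixed-group negotiation the KexAlgorithms workaround falls back to. This is an added example, not code from the thread or from OpenSSH; the device's group sizes are constructed, since the thread does not say which groups it has.

```python
# Added example: RFC 4419 GEX group selection versus the failure mode
# reported for the device, plus the fixed-group negotiation that the
# KexAlgorithms workaround relies on. Sizes are bit lengths, not primes.

DEVICE_GROUPS = [1024, 2048, 4096]  # constructed: groups the server knows

def choose_group(min_bits, pref_bits, max_bits, available=DEVICE_GROUPS):
    """RFC 4419 section 3: return the smallest known group that is at least
    the preferred size; if none is that large, return the largest known
    group. Either way the result must lie within [min, max]."""
    in_range = sorted(g for g in available if min_bits <= g <= max_bits)
    if not in_range:
        return None          # nothing satisfies the client's bounds
    for g in in_range:
        if g >= pref_bits:
            return g
    return in_range[-1]      # fall back to the largest in-range group

def choose_group_strict(min_bits, pref_bits, max_bits, available=DEVICE_GROUPS):
    """Models the behaviour described in comment #1: the server only
    answers when it has a group at least as large as the preferred size,
    and fails otherwise instead of falling back as the RFC requires."""
    candidates = [g for g in available if pref_bits <= g <= max_bits]
    return min(candidates) if candidates else None

def client_accepts(min_bits, max_bits, group_bits):
    """RFC 4419 client-side check: reject a group outside [min, max]."""
    return min_bits <= group_bits <= max_bits

def negotiate_kex(client_algs, server_algs):
    """SSH picks the first algorithm in the client's list that the server
    also offers; a fixed group (group14/group1) never sends a GEX request,
    which is why the ~/.ssh/config workaround avoids the problem."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    return None

if __name__ == "__main__":
    # The two requests seen in the debug output: 6.2 then 6.5.
    for req in [(1024, 4096, 8192), (1024, 8192, 8192)]:
        print(req, "compliant:", choose_group(*req),
              "device-like:", choose_group_strict(*req))
    print(negotiate_kex(["diffie-hellman-group14-sha1",
                         "diffie-hellman-group1-sha1"],
                        {"diffie-hellman-group-exchange-sha1",
                         "diffie-hellman-group1-sha1"}))
```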