OpenSSH 6.5 broken(?)

Fri Mar 7 02:15:18 UTC 2014

For those interested, I received this response from the OpenSSH
bugzilla. I tested the KexAlgorithms mentioned and it resolved the
problem for now.

-------- Forwarded Message --------
From: bugzilla-daemon at mindrot.org
To: openssh at pki2.com
Subject: [Bug 2209] Problem logging into Cisco devices under 6.5p1
(kexgexc.c)
Date: Fri, 07 Mar 2014 01:54:17 +0000

https://bugzilla.mindrot.org/show_bug.cgi?id=2209

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
The problem is Cisco does not correctly implement RFC4419, specifically
when asked for a preferred group size larger than its largest group it
fails rather than returning a group it does have that's within the
allowed min/max bounds.

There's been some discussion on the mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-February/032177.html

Non-code workaround: "KexAlgorithms
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" in
~/.ssh/config for the device in question.

-- 
You are receiving this mail because:
You reported the bug.

On Thu, 2014-03-06 at 17:22 -0800, Dennis Glatting wrote:
> With the upgrade to 6.5 I can no longer log into Cisco devices. I traced
> the problem down to the code fragment below, which was a change made in
> late January.
> 
> During the key exchange under 6.5 this is a clue:
> 
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
> 
> Compared to 6.2:
> 
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
> 
> I reverted the patch in my source and the problem goes away. I do not
> know if that was the correct thing to do.
> 
> 
> 
> 
> Index: kexgexc.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/kexgexc.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 kexgexc.c
> --- kexgexc.c	12 Jan 2014 08:13:13 -0000	1.15
> +++ kexgexc.c	25 Jan 2014 10:04:23 -0000
> @@ -55,7 +55,7 @@ kexgex_client(Kex *kex)
>  	int min, max, nbits;
>  	DH *dh;
>  
> -	nbits = dh_estimate(kex->we_need * 8);
> +	nbits = dh_estimate(kex->dh_need * 8);
>  
>  	if (datafellows & SSH_OLD_DHGEX) {
>  		/* Old GEX request */
> 
> 
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"