bugzilla-daemon at mindrot.org
2014-Apr-18 22:37 UTC
[Bug 2233] New: curve25519-sha256@libssh.org Signature Failures When 'sshd' Used with Dropbear Clients
https://bugzilla.mindrot.org/show_bug.cgi?id=2233 Bug ID: 2233 Summary: curve25519-sha256 at libssh.org Signature Failures When 'sshd' Used with Dropbear Clients Product: Portable OpenSSH Version: 6.6p1 Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: throwaway.xy+opensshbugzilla at gmail.com Overview: When using the curve25519-sha256 at libssh.org kex algorithm, host key signature validation will sometimes fail between an OpenSSH 'sshd' server and dropbear-2014.63 clients. Steps to Reproduce: Download or build dropbear-2014.63 'dbclient' program. Run 'sshd' version 6.6p1 locally in one terminal: # grep -v "#" ./sshd_config | grep . PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys UsePrivilegeSeparation no # ssh-keygen -t rsa -N "" -q -f ./test-rsa-hostkey # $PWD/sshd -D -e -h $PWD/test-rsa-hostkey -p 1235 -f ./sshd_config In a second terminal run 'dbclient echo "hello"' commands in a loop: # ITER=1; echo "Start"; while [ $? -eq 0 ]; do let ITER=ITER+1; echo "$ITER"; ./dbclient -i ./test_id localhost/1235 echo "hello"; done Actual Results: Eventually the loop above will fail. Sometimes failure happens quickly, sometimes it can many iterations: ... 82 hello 83 hello 84 hello 85 ./dbclient: Connection to simonsj at localhost:1235 exited: Bad hostkey signature Expected Results: The loop should never fail with the 'Bad hostkey signature' error above. Build Date & Hardware: # git rev-parse HEAD 19158b2447e35838d69b2b735fb640d1e86061ea # git show V_6_6_P1 commit 19158b2447e35838d69b2b735fb640d1e86061ea Author: Damien Miller <djm at mindrot.org> Date: Thu Mar 13 13:14:21 2014 +1100 - (djm) Release OpenSSH 6.6 ... Additional Builds and Platforms: Also reproducible with 6.5p1. Additional Information: Originally discovered here: https://red.libssh.org/issues/159. My understanding of the actual bug is that OpenSSH is generating the shared secret bignum value 'K' in a way that is not expected by other implementations. I believe the problem is in 'buffer_put_bignum2_from_string' (used by 'kexc25519_shared_key'), as is mentioned here on the mailing list, with a patch to bufaux.c to fix: http://marc.info/?l=openssh-unix-dev&m=139699836815285&w=2 With the bufaux.c patch applied, I am no longer able to reproduce the failure. I believe this bug affects interop of 'curve25519-sha256 at libssh.org' going forward, so I've set Severity to 'major'. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Apr-19 00:28 UTC
[Bug 2233] curve25519-sha256@libssh.org Signature Failures When 'sshd' Used with Dropbear Clients
https://bugzilla.mindrot.org/show_bug.cgi?id=2233 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED CC| |djm at mindrot.org Blocks| |2226 --- Comment #1 from Damien Miller <djm at mindrot.org> --- Yes, there's a bug in 6.5 and 6.5 that causes one of the components of the shared secret to be encoded incorrectly in about 0.2% of cases. OpenSSH 6.7 will disable the curve25519 KEX when speaking to <6.7. I suggest that Dropbear do the same. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2014-Apr-20 12:21 UTC
[Bug 2233] curve25519-sha256@libssh.org Signature Failures When 'sshd' Used with Dropbear Clients
https://bugzilla.mindrot.org/show_bug.cgi?id=2233 --- Comment #2 from Damien Miller <djm at mindrot.org> --- *** Bug 2232 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2014-Oct-07 21:00 UTC
[Bug 2233] curve25519-sha256@libssh.org Signature Failures When 'sshd' Used with Dropbear Clients
https://bugzilla.mindrot.org/show_bug.cgi?id=2233 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #3 from Damien Miller <djm at mindrot.org> --- Close all bugs left open from 6.6 and 6.7 releases. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Seemingly Similar Threads
- [Bug 2232] New: curve25519-sha256@libssh.org Signature Failures When 'ssh' Used with Dropbear, libssh Servers
- [PATCH] curve25519-sha256@libssh.org key exchange proposal
- [PATCH] curve25519-sha256@libssh.org key exchange proposal
- [PATCH] curve25519-sha256@libssh.org key exchange proposal
- Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter