> Turns out the problem is the new protocol extension for sending host keys to
> the client after user authentication (section 2.5 of the PROTOCOLS
> document). Commenting out the notify_hostkeys() call in sshd.c fixes the
> issues with Cisco scp. Maybe a new bug compatibility flag in order to
> add to the "Cisco-1.*" client string that was added in 6.9?

There's already a flag... just need to add SSH_BUG_HOSTKEYS to "Cisco-1.*"
in compat.c.

Howard
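To make the mechanism in the message above concrete, here is an added example (not OpenSSH's own code) of a first-match-wins bug-compatibility table in the style of compat_datafellows() in compat.c, together with the gate that notify_hostkeys() would sit behind. The flag bit values, the remote_version_from_banner() helper and the use of fnmatch(3) in place of OpenSSH's match_pattern_list() are assumptions made for the demo; the sample banners are constructed.

```c
/* Added example, not OpenSSH's code. Flag values, the banner helper and the
 * use of fnmatch(3) instead of OpenSSH's match_pattern_list() are assumptions. */
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative flag bits; OpenSSH's real values differ. */
#define SSH_BUG_IGNOREMSG    0x0001u
#define SSH_BUG_DHGEX_LARGE  0x0002u
#define SSH_BUG_HOSTKEYS     0x0004u
#define SSH_BUG_PASSWORDPAD  0x0008u

struct compat_entry {
    const char *pattern;   /* glob matched against the peer's software version */
    unsigned int bugs;     /* OR'd quirk flags applied when the pattern hits */
};

/* Ordered like compat.c: the first matching row decides, later rows are never consulted. */
static const struct compat_entry compat_table[] = {
    { "1.3.2*",                  SSH_BUG_IGNOREMSG },                     /* F-Secure */
    { "Cisco-1.*",               SSH_BUG_DHGEX_LARGE | SSH_BUG_HOSTKEYS },
    { "*SSH Compatible Server*", SSH_BUG_PASSWORDPAD },                   /* Netscreen */
    { NULL, 0 }
};

/* Strip "SSH-<protoversion>-" from an identification string so only the
 * software part remains, which is what the table is matched against.
 * Returns the input unchanged if it does not look like an SSH banner. */
const char *remote_version_from_banner(const char *banner)
{
    const char *p;
    if (strncmp(banner, "SSH-", 4) != 0)
        return banner;
    p = strchr(banner + 4, '-');      /* end of the protocol-version field */
    return p != NULL ? p + 1 : banner;
}

/* First matching pattern wins; an unmatched client gets no quirk flags. */
unsigned int lookup_datafellows(const char *version)
{
    const struct compat_entry *e;
    for (e = compat_table; e->pattern != NULL; e++)
        if (fnmatch(e->pattern, version, 0) == 0)
            return e->bugs;
    return 0;
}

/* The gate the post-auth hostkeys-00@openssh.com notification sits behind:
 * it is only sent to clients that are not flagged SSH_BUG_HOSTKEYS.
 * Returns 1 when the server should send it, 0 when it must stay quiet. */
int should_notify_hostkeys(const char *banner)
{
    unsigned int bugs = lookup_datafellows(remote_version_from_banner(banner));
    return (bugs & SSH_BUG_HOSTKEYS) == 0;
}

int main(void)
{
    /* Constructed sample banners, not captured from real devices. */
    const char *banners[] = {
        "SSH-2.0-OpenSSH_6.9",
        "SSH-2.0-Cisco-1.25",
        "SSH-1.99-1.3.2 F-Secure",
        NULL
    };
    int i;
    for (i = 0; banners[i] != NULL; i++)
        printf("%-26s bugs=0x%04x notify_hostkeys=%s\n", banners[i],
               lookup_datafellows(remote_version_from_banner(banners[i])),
               should_notify_hostkeys(banners[i]) ? "yes" : "no");
    return 0;
}
```

Two things worth keeping in mind when reading the real table: the patterns are globs, so "Cisco-1.*" covers every Cisco-1.x release at once, and row order matters because the first hit ends the search. On the operational side, any client that lands in an SSH_BUG_HOSTKEYS row will never learn about rotated server host keys through this extension, so host-key rotation for fleets containing such clients still has to be pushed out some other way.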
On Tue, 28 Jul 2015, Kash, Howard M CIV USARMY ARL (US) wrote:

> > Turns out the problem is the new protocol extension for sending host keys to
> > the client after user authentication (section 2.5 of the PROTOCOLS
> > document). Commenting out the notify_hostkeys() call in sshd.c fixes the
> > issues with Cisco scp. Maybe a new bug compatibility flag in order to
> > add to the "Cisco-1.*" client string that was added in 6.9?
>
> There's already a flag... just need to add SSH_BUG_HOSTKEYS to "Cisco-1.*"
> in compat.c.

Done - this will be in openssh-7.0
On Tue, Jul 28, 2015 at 04:20:34PM +0000, Kash, Howard M CIV USARMY ARL (US) wrote:

> > Turns out the problem is the new protocol extension for sending host keys to
> > the client after user authentication (section 2.5 of the PROTOCOLS
> > document). Commenting out the notify_hostkeys() call in sshd.c fixes the
> > issues with Cisco scp. Maybe a new bug compatibility flag in order to
> > add to the "Cisco-1.*" client string that was added in 6.9?
>
> There's already a flag... just need to add SSH_BUG_HOSTKEYS to "Cisco-1.*"
> in compat.c.

Like so?

Index: compat.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/compat.c,v
retrieving revision 1.95
diff -u -p -r1.95 compat.c
--- compat.c 13 Jul 2015 04:57:14 -0000 1.95
+++ compat.c 28 Jul 2015 23:22:07 -0000
@@ -150,7 +150,7 @@ compat_datafellows(const char *version)
   "1.2.22*", SSH_BUG_IGNOREMSG },
  { "1.3.2*", /* F-Secure */
  SSH_BUG_IGNOREMSG },
- { "Cisco-1.*", SSH_BUG_DHGEX_LARGE },
+ { "Cisco-1.*", SSH_BUG_DHGEX_LARGE|SSH_BUG_HOSTKEYS },
  { "*SSH Compatible Server*", /* Netscreen */
  SSH_BUG_PASSWORDPAD },
  { "*OSU_0*,"

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
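Review bot: the `+` line adds SSH_BUG_HOSTKEYS to the existing "Cisco-1.*" row without any annotation, while the neighbouring rows (`{ "1.3.2*", /* F-Secure */` and the `/* Netscreen */` entry) carry a comment identifying the peer; a short comment on the Cisco row, or a commit message line tying the new bit to the notify_hostkeys() failure reported in this thread, would let the next reader see why the flag is there without going back to the list archives. It would also be worth stating explicitly that every client matching "Cisco-1.*" will now never be told about rotated server host keys through the section 2.5 extension, which is the intended trade-off here but is not visible from the diff alone.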
Kash, Howard M CIV USARMY ARL (US) wrote:

>> Turns out the problem is the new protocol extension for sending host keys to
>> the client after user authentication (section 2.5 of the PROTOCOLS
>> document). Commenting out the notify_hostkeys() call in sshd.c fixes the
>> issues with Cisco scp. Maybe a new bug compatibility flag in order to
>> add to the "Cisco-1.*" client string that was added in 6.9?
> There's already a flag... just need to add SSH_BUG_HOSTKEYS to "Cisco-1.*"
> in compat.c.
>
>
> Howard

Making this change works great for me -- one of the three pieces needed to
allow the ssh (and scp) clients on Cisco devices to talk to OpenSSH 6.9p1.

--
Jeff Wieland                  | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234          | 155 S. Grant Street
FAX: (765)496-1380            | West Lafayette, IN 47907
On Wed, Jul 29, 2015 at 12:41 PM, Jeff Wieland <wieland at purdue.edu> wrote:
[...]
> Making this change works great for me

Damien beat me to it and the diff has already been committed and will be
in 7.0.

> -- one of the three pieces needed to allow the ssh
> (and scp) clients on Cisco devices to talk to OpenSSH 6.9p1.

I'm aware of one other (the one where Ciscos choke on large DH-GEX
requests[1]). What's the third (or other two, if there's something else)?

[1] https://anongit.mindrot.org/openssh.git/commit/?id=b282fec1aa05246ed3482270eb70fc3ec5f39a00

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.