Dave Dykstra
2001-Jul-05 15:59 UTC
Patch to workaround host key size mismatch bug in old SSH sshd
Below is a patch against the current OpenBSD OpenSSH CVS to workaround a behavior I have observed when converting from SSH 1.2.27 to OpenSSH while using the same old RSA1 host key for protocol 1. In several cases I saw that old SSH sshd reported a host key size of 1024 bits when OpenSSH saw it as 1023 bits. Without the patch, when OpenSSH's ssh client connects to an old SSH sshd it warns that the server lies about the size, and when an old SSH ssh client connects to an OpenSSH sshd it reports the dreaded "WARNING: HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!" An OpenSSH ssh client conveniently ignores the key size in ~/.ssh/authorized_keys (in a kind of convoluted way, I might add) so it doesn't care that the key size reported by OpenSSH sshd is 1023 even if authorized_keys says it's 1024.

A pleasant side effect of this patch is that compat.c no longer prints the disconcerting debug message "no match" when communicating with SSH 1.2.23 through 1.2.31.

- Dave Dykstra

--- compat.h.O Thu Jul 5 10:49:47 2001 +++ compat.h Thu Jul 5 10:50:04 2001 @@ -50,6 +50,7 @@ #define SSH_BUG_HBSERVICE 0x00010000 #define SSH_BUG_OPENFAILURE 0x00020000 #define SSH_BUG_DERIVEKEY 0x00040000 +#define SSH_BUG_SERVERLIESSIZE 0x00080000 void enable_compat13(void); void enable_compat20(void); --- compat.c.O Thu Jul 5 10:49:21 2001 +++ compat.c Thu Jul 5 10:49:27 2001 @@ -105,6 +105,8 @@ { "^1\\.7 SecureFX", SSH_OLD_SESSIONID }, { "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG }, { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG }, + { "^1\\.2\\.2[3-9]", SSH_BUG_SERVERLIESSIZE }, + { "^1\\.2\\.3[0-1]", SSH_BUG_SERVERLIESSIZE }, { "^1\\.3\\.2", SSH_BUG_IGNOREMSG }, /* f-secure */ { "^SSH Compatible Server", /* Netscreen */ SSH_BUG_PASSWORDPAD }, --- sshconnect1.c.O Thu Jul 5 10:49:13 2001 +++ sshconnect1.c Thu Jul 5 10:49:28 2001 
@@ -37,6 +37,7 @@ #include "packet.h" #include "mpaux.h" #include "uidswap.h" +#include "compat.h" #include "log.h" #include "readconf.h" #include "key.h" @@ -960,7 +961,8 @@ sum_len += clen; rbits = BN_num_bits(host_key->n); - if (bits != rbits) { + if (bits != rbits && + !((datafellows & SSH_BUG_SERVERLIESSIZE) && (rbits + 1 == bits))) { log("Warning: Server lies about size of server host key: " "actual size is %d bits vs. announced %d.", rbits, bits); log("Warning: This may be due to an old implementation of ssh."); --- sshd.c.O Thu Jul 5 10:49:10 2001 +++ sshd.c Thu Jul 5 10:49:27 2001 @@ -1217,7 +1217,12 @@ packet_put_bignum(sensitive_data.server_key->rsa->n); /* Store our public host RSA key. */ - packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); + len = BN_num_bits(sensitive_data.ssh1_host_key->rsa->n); + if ((datafellows & SSH_BUG_SERVERLIESSIZE) && (len & 1)) { + /* old ssh client expects even number for host key */ + len += 1; + } + packet_put_int(len); packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e); packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
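Review bot: the version ranges in the two new compat.c entries (1.2.23 through 1.2.31) are broader than what the cover text says was actually observed (SSH 1.2.27), so please record which releases were tested, either in the commit text or as a trailing comment on the new lines in the style of the existing `/* f-secure */` and `/* Netscreen */` remarks. Since these entries set only SSH_BUG_SERVERLIESSIZE, any other quirk those releases may have still goes unflagged; that is no worse than before, when they matched nothing at all, but it is worth saying so in the commit text so nobody reads the new entries as a complete compatibility profile for those versions.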
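Review bot: the relaxed check in the sshconnect1.c hunk accepts any announced size that is exactly one more than the real size, while the matching sshd.c change only ever adds one when the real size is odd, so the client side is looser than it needs to be. Mirror the server side by also requiring an odd real size, e.g. `!((datafellows & SSH_BUG_SERVERLIESSIZE) && (rbits & 1) && (rbits + 1 == bits))`, so that an even-sized key announced as one bit larger still produces the "Server lies about size of server host key" warning. The tolerated case is also now completely silent; a `debug()` line noting that a one-bit discrepancy was ignored because of SSH_BUG_SERVERLIESSIZE would make this visible when someone is diagnosing host key problems.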
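Review bot: `len` is assigned and used in the sshd.c hunk but no declaration for it is added, and none appears in the context lines; unless the enclosing function already declares an integer `len`, this will not compile, and if it does declare one for another purpose this silently clobbers it. Add an `int len;` to the function's declarations or use a fresh name such as `hostkey_bits`. The comment `/* old ssh client expects even number for host key */` should also state that this deliberately announces one bit more than BN_num_bits() reports, and only for peers flagged SSH_BUG_SERVERLIESSIZE, since a later reader who sees sshd announce a size that does not match the modulus will otherwise take it for a bug.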
Dave Dykstra
2001-Aug-23 17:02 UTC
Patch to workaround host key size mismatch bug in old SSH sshd
Markus, Do you want to include this patch before the next release? I checked the current CVS and the code around the patch hasn't appeared to change so the patch should still apply cleanly. - Dave Dykstra On Thu, Jul 05, 2001 at 10:59:25AM -0500, Dave Dykstra wrote:> Below is a patch against the current OpenBSD OpenSSH CVS to workaround a > behavior I have observed when converting from SSH 1.2.27 to OpenSSH while > using the same old RSA1 host key for protocol 1. In several cases I saw > that old SSH sshd reported a host key size of 1024 bits when OpenSSH saw it > as 1023 bits. Without the patch, when OpenSSH's ssh client connects to an > old SSH sshd it warns that the server lies about the size, and when an old > SSH ssh client connects to an OpenSSH sshd it reports the dreaded "WARNING: > HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING > SOMETHING NASTY!" An OpenSSH ssh client conveniently ignores the key size > in ~/.ssh/authorized_keys (in a kind of convoluted way, I might add) so it > doesn't care that the key size reported by OpenSSH sshd is 1023 even if > authorized_keys says it's 1024. > > A pleasant side effect of this patch is that compat.c no longer prints the > disconcerting debug message "no match" when communicating with SSH 1.2.23 > through 1.2.31. > > - Dave Dykstra > > > --- compat.h.O Thu Jul 5 10:49:47 2001 > +++ compat.h Thu Jul 5 10:50:04 2001 > @@ -50,6 +50,7 @@ > #define SSH_BUG_HBSERVICE 0x00010000 > #define SSH_BUG_OPENFAILURE 0x00020000 > #define SSH_BUG_DERIVEKEY 0x00040000 > +#define SSH_BUG_SERVERLIESSIZE 0x00080000 > > void enable_compat13(void); > void enable_compat20(void); > --- compat.c.O Thu Jul 5 10:49:21 2001 > +++ compat.c Thu Jul 5 10:49:27 2001 
> @@ -105,6 +105,8 @@ > { "^1\\.7 SecureFX", SSH_OLD_SESSIONID }, > { "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG }, > { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG }, > + { "^1\\.2\\.2[3-9]", SSH_BUG_SERVERLIESSIZE }, > + { "^1\\.2\\.3[0-1]", SSH_BUG_SERVERLIESSIZE }, > { "^1\\.3\\.2", SSH_BUG_IGNOREMSG }, /* f-secure */ > { "^SSH Compatible Server", /* Netscreen */ > SSH_BUG_PASSWORDPAD }, > --- sshconnect1.c.O Thu Jul 5 10:49:13 2001 > +++ sshconnect1.c Thu Jul 5 10:49:28 2001 > @@ -37,6 +37,7 @@ > #include "packet.h" > #include "mpaux.h" > #include "uidswap.h" > +#include "compat.h" > #include "log.h" > #include "readconf.h" > #include "key.h" > @@ -960,7 +961,8 @@ > sum_len += clen; > > rbits = BN_num_bits(host_key->n); > - if (bits != rbits) { > + if (bits != rbits && > + !((datafellows & SSH_BUG_SERVERLIESSIZE) && (rbits + 1 == bits))) { > log("Warning: Server lies about size of server host key: " > "actual size is %d bits vs. announced %d.", rbits, bits); > log("Warning: This may be due to an old implementation of ssh."); > --- sshd.c.O Thu Jul 5 10:49:10 2001 > +++ sshd.c Thu Jul 5 10:49:27 2001 > @@ -1217,7 +1217,12 @@ > packet_put_bignum(sensitive_data.server_key->rsa->n); > > /* Store our public host RSA key. */ > - packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); > + len = BN_num_bits(sensitive_data.ssh1_host_key->rsa->n); > + if ((datafellows & SSH_BUG_SERVERLIESSIZE) && (len & 1)) { > + /* old ssh client expects even number for host key */ > + len += 1; > + } > + packet_put_int(len); > packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e); > packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n); >