bugzilla-daemon at mindrot.org
2014-Mar-07 01:35 UTC
[Bug 2209] New: Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Bug ID: 2209
Summary: Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
Product: Portable OpenSSH
Version: 6.5p1
Hardware: amd64
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: openssh at pki2.com
With the upgrade to 6.5 under FreeBSD I can no longer log into Cisco
devices. I traced the problem down to the code fragment below, which
was a change made in late January.
During the key exchange under 6.5 this is a clue:
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
Compared to 6.2:
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
I reverted the patch in my source and the problem goes away. I am
unfamiliar with the OpenSSH source so I do not know what is the correct
thing to do.
Index: kexgexc.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/kexgexc.c,v
retrieving revision 1.15
diff -u -p -r1.15 kexgexc.c
--- kexgexc.c 12 Jan 2014 08:13:13 -0000 1.15
+++ kexgexc.c 25 Jan 2014 10:04:23 -0000
@@ -55,7 +55,7 @@ kexgex_client(Kex *kex)
int min, max, nbits;
DH *dh;
- nbits = dh_estimate(kex->we_need * 8);
+ nbits = dh_estimate(kex->dh_need * 8);
if (datafellows & SSH_OLD_DHGEX) {
/* Old GEX request */
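Review bot: the single change in this hunk, `nbits = dh_estimate(kex->dh_need * 8);` in place of `kex->we_need * 8`, raises the estimator's input with no bound other than the clamp to max, and the reporter's debug lines show the request moving from (1024<4096<8192) to (1024<8192<8192), so the preferred size now equals the maximum. A server that has no group that large and does not fall back to its largest in-range group, as RFC 4419 allows, aborts at this point (the Cisco behaviour reported here). Suggest gating a cap on nbits behind a datafellows bit for such implementations, next to the existing `if (datafellows & SSH_OLD_DHGEX)` check, and adding a comment on why dh_need rather than we_need drives the estimate, since the hunk gives no rationale for the switch.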
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Mar-07 01:54 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
The problem is Cisco does not correctly implement RFC4419, specifically
when asked for a preferred group size larger than its largest group it
fails rather than returning a group it does have that's within the
allowed min/max bounds.
There's been some discussion on the mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-February/032177.html
Non-code workaround: "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
in ~/.ssh/config for the device in question.
bugzilla-daemon at mindrot.org
2015-Apr-15 06:07 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2360
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Could you please paste the server's banner? If you run "ssh -v
yourserver" you'll see a line something like:
debug1: Remote protocol version 1.99, remote software version OpenSSH_6.4
If we know exactly what implementation the remote device reports then
we can add a work-around for it.
Thanks.
bugzilla-daemon at mindrot.org
2015-May-22 03:25 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
I found the banner information for at least one affected implementation
in this redhat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1053107
debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
It is not clear to me which versions are affected though.
bugzilla-daemon at mindrot.org
2015-May-22 03:41 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Attachment #2627 Flags| |ok?(djm at mindrot.org)
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2627
--> https://bugzilla.mindrot.org/attachment.cgi?id=2627&action=edit
Cap DH-GEX sizes for buggy Cisco servers.
Compiled but otherwise untested, I don't have access to the affected
equipment.
bugzilla-daemon at mindrot.org
2015-May-22 10:38 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2627 is obsolete|0 |1
Attachment #2627 Flags|ok?(djm at mindrot.org) |
Attachment #2629 Flags| |ok?(djm at mindrot.org)
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2629
--> https://bugzilla.mindrot.org/attachment.cgi?id=2629&action=edit
Cap DH-GEX sizes for buggy Cisco servers.
adjusted group size in the wrong direction (MIN vs MAX). Updated patch
attached.
bugzilla-daemon at mindrot.org
2015-May-22 10:42 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2629 Flags|ok?(djm at mindrot.org) |ok+
bugzilla-daemon at mindrot.org
2015-May-26 23:13 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
--- Comment #6 from Darren Tucker <dtucker at zip.com.au> ---
Someone was able to give me access to two Ciscos, one with the bug and
one without (thanks, Steinar!) and I was able to test the patch.
Unfortunately they both have the same protocol banner, so we can't
selectively blacklist only the affected implementations.

$ ssh -vvv -o KexAlgorithms=diffie-hellman-group-exchange-sha1 cisco-with-bug
[...]
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
[...]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
Connection closed by 2001:67c:29f4::19

$ ssh -vvv -o KexAlgorithms=diffie-hellman-group-exchange-sha1 -c aes256-cbc cisco-without-bug
[...]
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
[...]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 2078/4096

With patch:

$ ssh -vvv -o KexAlgorithms=diffie-hellman-group-exchange-sha1 cisco-with-bug
[...]
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x40000000
[...]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 2016/4096

$ ssh -vvv -o KexAlgorithms=diffie-hellman-group-exchange-sha1 -c aes256-cbc cisco-without-bug
[...]
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x40000000
[...]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 2087/4096

Looks like it works.
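The negotiation that comment #1 describes (a server that fails instead of falling back when the preferred size exceeds its largest group) and the four before/after runs in comment #6 can be modelled end to end. The following is an added example written for this page; it is not OpenSSH code and not the patch attached to this bug. It assumes the Cisco group table is (1024, 2048, 4096), inferred from the "bits set: .../4096" lines, takes the 4096 cap from the post-patch debug output, and treats the dh_estimate() result as an input parameter rather than re-implementing that function.

```python
"""Added example, not OpenSSH code and not the patch attached to this bug:
a model of RFC 4419 DH group-exchange negotiation, showing why a request of
(1024<8192<8192) fails against the Cisco servers described here and what the
"Cisco-1.*" compat cap changes. Only group sizes in bits are modelled; no DH
parameters are generated."""

# Bounds the OpenSSH client sends in SSH2_MSG_KEX_DH_GEX_REQUEST, as in the
# debug lines quoted in this bug.
DH_GRP_MIN = 1024
DH_GRP_MAX = 8192

# Preferred-size cap applied when the banner matches "Cisco-1.*"; 4096 is
# read off the post-patch debug output (1024<4096<8192).
CISCO_DH_GEX_CAP = 4096

# Assumption: the tested Cisco servers have no group above 4096 bits,
# inferred from "bits set: .../4096" in the successful exchanges.
CISCO_GROUPS = (1024, 2048, 4096)


class GexFailure(Exception):
    """Server aborted the exchange (seen by the client as 'Connection closed')."""


def client_request(nbits, cisco_compat=False):
    """Client side: build (min, n, max) for SSH2_MSG_KEX_DH_GEX_REQUEST.
    nbits stands in for dh_estimate()'s result; the compat branch is the cap
    the patch adds for servers that cannot cope with n == max."""
    if cisco_compat:
        nbits = min(nbits, CISCO_DH_GEX_CAP)
    nbits = max(DH_GRP_MIN, min(nbits, DH_GRP_MAX))
    return DH_GRP_MIN, nbits, DH_GRP_MAX


def server_choose_group(min_bits, n_bits, max_bits, groups, reject_oversized_n=False):
    """Server side, RFC 4419 section 3: return the smallest group of at least
    n bits within [min, max]; if none is that large, fall back to the largest
    group within the bounds. reject_oversized_n=True models the behaviour from
    comment #1: when n exceeds the server's largest group it fails instead."""
    if not min_bits <= n_bits <= max_bits:
        raise GexFailure("malformed request: need min <= n <= max")
    in_bounds = sorted(g for g in groups if min_bits <= g <= max_bits)
    if not in_bounds:
        raise GexFailure("no group within [%d, %d]" % (min_bits, max_bits))
    big_enough = [g for g in in_bounds if g >= n_bits]
    if big_enough:
        return big_enough[0]
    if reject_oversized_n:
        raise GexFailure("preferred %d bits exceeds largest group %d" % (n_bits, in_bounds[-1]))
    return in_bounds[-1]


def negotiate(nbits, banner, groups=CISCO_GROUPS, server_buggy=False, patched_client=True):
    """One GEX round trip. Returns (request, group), or (request, None) when the
    server drops the connection. The patched client enables the cap purely on
    the banner, which is why both Ciscos in comment #6 get it."""
    compat = patched_client and banner.startswith("Cisco-1.")
    req = client_request(nbits, cisco_compat=compat)
    try:
        group = server_choose_group(*req, groups=groups, reject_oversized_n=server_buggy)
    except GexFailure:
        group = None
    return req, group


def run_cases(nbits=8192, banner="Cisco-1.25"):
    """Reproduce the four runs from comment #6 (before/after patch, with and
    without the server bug)."""
    results = {}
    for patched in (False, True):
        for buggy in (True, False):
            label = "%s client / %s server" % ("patched" if patched else "6.5",
                                                "buggy" if buggy else "fixed")
            results[label] = negotiate(nbits, banner, server_buggy=buggy,
                                       patched_client=patched)
    return results


if __name__ == "__main__":
    for case, (req, group) in run_cases().items():
        outcome = "connection closed" if group is None else "%d-bit group" % group
        print("%-29s request %d<%d<%d -> %s" % ((case,) + req + (outcome,)))
```

Running it prints one line per case: the unpatched client against the buggy server is the only combination that ends in a closed connection, and the cap costs nothing against the conforming server because a preferred size of 8192 was already being answered with its largest group, 4096 bits. The model also shows the limit of a banner-keyed workaround: the cap applies to every "Cisco-1.*" server, fixed or not, exactly as comment #6 observes.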
bugzilla-daemon at mindrot.org
2015-May-26 23:13 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned-bugs at mindrot.org |dtucker at zip.com.au
Status|NEW |ASSIGNED
bugzilla-daemon at mindrot.org
2015-May-26 23:24 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #7 from Darren Tucker <dtucker at zip.com.au> ---
Patch has been applied and will be in the next release. Thanks!
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-01 01:15 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Christoph Anton Mitterer <calestyo at scientia.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |calestyo at scientia.net
--- Comment #8 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Just for my confirmation:
The banner message is sent already after the KEX has happened and thus
an attacker cannot do downgrade attacks, right?
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-01 23:33 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
--- Comment #9 from Darren Tucker <dtucker at zip.com.au> ---
No, the banner is sent before the KEX (it's the first thing on the wire)
but it is included in the exchange hash[0] which is later signed by the
server as part of the DH key exchange, so it is protected from tampering
by a MITM.
[0] https://tools.ietf.org/html/rfc4253#section-8
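The protection comment #9 refers to can be shown concretely. The following is an added example written for this page, not OpenSSH's code: it encodes the RFC 4251 wire types, builds the RFC 4419 exchange hash H for diffie-hellman-group-exchange-sha1 (the kex the banner-keyed compat flag affects), and shows that rewriting the server banner on its way to the client changes H. The version strings, KEXINIT payloads and host key blob are constructed stand-ins, and the DH group is a toy one chosen so the arithmetic is visible; a real exchange uses a group of at least 1024 bits.

```python
"""Added example (not OpenSSH code): compute the RFC 4419 exchange hash H for
diffie-hellman-group-exchange-sha1 and show that the server's version banner,
although sent in the clear before KEX, is bound into H. Transcript values are
constructed; the DH group is a toy one for illustration only."""
import hashlib


def ssh_string(data):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_uint32(n):
    return n.to_bytes(4, "big")


def ssh_mpint(n):
    """RFC 4251 'mpint': two's-complement big-endian of minimal length,
    wrapped as a string; zero is encoded as the empty string."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
    # to_bytes can leave a redundant 0xff sign byte for negative powers of two
    while len(raw) > 1 and raw[0] == 0xFF and raw[1] & 0x80:
        raw = raw[1:]
    return ssh_string(raw)


def gex_exchange_hash(V_C, V_S, I_C, I_S, K_S, min_bits, n_bits, max_bits,
                      p, g, e, f, K, old_request=False, hashfunc=hashlib.sha1):
    """RFC 4419 section 3:
      H = hash(V_C || V_S || I_C || I_S || K_S || min || n || max || p || g || e || f || K)
    With the old-style request (the SSH_OLD_DHGEX branch in kexgexc.c) min and
    max are omitted. V_C/V_S are the identification strings without CR LF,
    I_C/I_S the KEXINIT payloads, K_S the server host key blob."""
    h = hashfunc()
    for s in (V_C, V_S, I_C, I_S, K_S):
        h.update(ssh_string(s))
    if old_request:
        h.update(ssh_uint32(n_bits))
    else:
        h.update(ssh_uint32(min_bits) + ssh_uint32(n_bits) + ssh_uint32(max_bits))
    for m in (p, g, e, f, K):
        h.update(ssh_mpint(m))
    return h.digest()


# Constructed transcript pieces (not a capture). Banners go into H exactly as
# sent on the wire, minus the trailing CR LF.
V_C = b"SSH-2.0-OpenSSH_6.5"
V_S = b"SSH-2.0-Cisco-1.25"
I_C = b"\x14" + b"constructed client KEXINIT payload"
I_S = b"\x14" + b"constructed server KEXINIT payload"
K_S = ssh_string(b"ssh-rsa") + b"constructed host key blob"
GEX_REQUEST = (1024, 4096, 8192)   # min<n<max as in the post-patch debug line


def toy_dh():
    """Toy DH over p=23 (illustration only): returns p, g, e, f and shared K."""
    p, g, x, y = 23, 5, 6, 15
    e, f = pow(g, x, p), pow(g, y, p)
    K = pow(f, x, p)
    assert K == pow(e, y, p)
    return p, g, e, f, K


def banner_tamper_demo(spoofed_banner=b"SSH-2.0-OpenSSH_6.4"):
    """The server signs H over the banner it really sent; a MITM that rewrites
    the banner seen by the client makes the client compute a different H, so
    the server's signature fails to verify. Returns (server H, client H)."""
    p, g, e, f, K = toy_dh()
    h_server = gex_exchange_hash(V_C, V_S, I_C, I_S, K_S, *GEX_REQUEST, p, g, e, f, K)
    h_client = gex_exchange_hash(V_C, spoofed_banner, I_C, I_S, K_S, *GEX_REQUEST, p, g, e, f, K)
    return h_server, h_client


if __name__ == "__main__":
    hs, hc = banner_tamper_demo()
    print("server H:", hs.hex())
    print("client H:", hc.hex())
    print("banner tamper detected:", hs != hc)
```

The practical consequence for this bug: a man in the middle who rewrote "Cisco-1.25" to some other string, to switch the client's compat flags on or off, would also have to forge the server's signature over H, because the client verifies that signature against the banner it actually received. Note that the reverse is not covered: nothing stops a client from being configured to always send a small preferred size, which is what the KexAlgorithms workaround in comment #1 amounts to.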
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:40 UTC
[Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release