thr3ads.net - openssh unix dev - Private host key is sent instead of public in DH KEX? [Mar 2017]

If this information is useful, please help other people find it:
Share via:

Oleg NewYorker

2017-Mar-30 22:31 UTC

Private host key is sent instead of public in DH KEX?

Hello,

Can someone please tell me if I am right or wrong that in the code below
private key can be sent (in DH KEX) instead of public one (need_private is
0). Both keys are available (sensitive_data.host_keys[i] and
sensitive_data.host_pubkeys[i] are not NULL).
I hope I am just missing something here.

Thanks.

static Key *
get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
{
    int i;
    Key *key;

    for (i = 0; i < options.num_host_key_files; i++) {
        switch (type) {
        case KEY_RSA_CERT:
        case KEY_DSA_CERT:
        case KEY_ECDSA_CERT:
        case KEY_ED25519_CERT:
            key = sensitive_data.host_certificates[i];
            break;
        default:
            key = sensitive_data.host_keys[i];
            if (key == NULL && !need_private)
                key = sensitive_data.host_pubkeys[i];
            break;
        }
        if (key != NULL && key->type == type &&
            (key->type != KEY_ECDSA || key->ecdsa_nid == nid))
            return need_private ?
                sensitive_data.host_keys[i] : key;
    }
    return NULL;
}

Oleg NewYorker

2021-Jun-23 21:49 UTC

head link

Size of the Banner file allowed

Hi,

I was wondering what the max size of the banner file is and this is what I
found out:

It is explicitly limited by 1Mb here:
    if ((fd = open(options.banner, O_RDONLY)) == -1)
        return (NULL);
    if (fstat(fd, &st) == -1) {
        close(fd);
        return (NULL);
    }
    if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
        close(fd);
        return (NULL);
    }


and by 256K here:

mm_request_receive(int sock, struct sshbuf *m)
{
    u_char buf[4], *p = NULL;
    u_int msg_len;
    int r;

    debug3("%s entering", __func__);

    if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
        if (errno == EPIPE)
            cleanup_exit(255);
        fatal("%s: read: %s", __func__, strerror(errno));
    }
    msg_len = PEEK_U32(buf);
    if (msg_len > 256 * 1024)
        fatal("%s: read: bad msg_len %d", __func__, msg_len);

while in reality it fails to send anything above ~25K over the socket:

debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_auth2_read_banner entering [preauth]
debug3: mm_request_send entering: type 10 [preauth]
debug3: mm_request_receive_expect entering: type 11 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, styledebug2: monitor_read: 4
used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_request_send entering: type 11
mm_request_send: write: Broken pipe
debug1: do_cleanup
debug1: Killing privsep child 16723

Am I missing something or is there anything wrong with the Unix sockets in
our Linux (Yocto, 4.19)?

Thanks,

-Oleg

openssh unix dev - Mar 2017 - Private host key is sent instead of public in DH KEX?

Private host key is sent instead of public in DH KEX?

Size of the Banner file allowed