bugzilla-daemon at mindrot.org
2014-Jan-24 22:26 UTC
[Bug 2198] New: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
https://bugzilla.mindrot.org/show_bug.cgi?id=2198
Bug ID: 2198
Summary: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
Product: Portable OpenSSH
Version: 6.4p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: staatsvr at afrl.hpc.mil
Created attachment 2400
--> https://bugzilla.mindrot.org/attachment.cgi?id=2400&action=edit
Possible fix for kex.c GSSAPIKeyExchange strcmp problem
Reported problem: Attempted connections from new 6.4p1 client to old
6.0p1 server fail when using "GSSAPIKeyExchange yes".
Client error message:
unsupported kex alg gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g=
Server error message:
(nothing much useful, even with -ddd)
Cause:
In kex.c :: choose_kex() prior to 6.3p1 the search for Kex k->name was
performed using a mix of strcmp() and strncmp(). The strncmp() name
comparisons on just the leading part of the name were necessary for
KEX_GSS_GEX_SHA1_ID, KEX_GSS_GRP1_SHA1_ID, and KEX_GSS_GRP14_SHA1_ID.
Starting with 6.3p1 and continuing in 6.4p1 and
openssh-SNAP-20140125.tar.gz kex.c moved to a kexalgs table with a
kex_alg_by_name() lookup. Since kex_alg_by_name() only uses strcmp,
the above kex algorithm names fail to make an exact match. For example,
KEX_GSS_GEX_SHA1_ID = gss-gex-sha1- vs
k->name = gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g=
Proposed fix: Add strncmp() special cases for the KEX_GSS_* algorithms.
See example patch in attachments. Not elegant, but I think safe.
Note: Why not just use strncmp() in kex_alg_by_name(const char *name)
for all cases? But what if someday there's an algorithm name which is
a substring of another name?
--
You are receiving this mail because:
You are watching the assignee of the bug.
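The lookup behaviour described in the report above, as an added example. It is not OpenSSH code and not the attached patch: the table, the prefix_ok flag, the lookup() helper and the two "example-kex" names are constructed for illustration. It compares exact matching, strncmp() for every entry, and strncmp() limited to the GSS names.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative table, not OpenSSH's kexalgs[]. prefix_ok marks names that
 * are sent with a mechanism-specific suffix (the KEX_GSS_* ids). */
struct alg { const char *name; int id; int prefix_ok; };

static const struct alg algs[] = {
    { "diffie-hellman-group14-sha1", 1, 0 },
    { "gss-gex-sha1-",               2, 1 },
    { "gss-group1-sha1-",            3, 1 },
    { "gss-group14-sha1-",           4, 1 },
    { "example-kex",                 5, 0 },   /* constructed name */
    { "example-kex-v2",              6, 0 },   /* constructed name */
    { NULL, 0, 0 }
};

enum mode { EXACT, PREFIX_ALL, SCOPED };

/* Return the id of the first matching entry, or -1 if none matches. */
int lookup(const char *name, enum mode m)
{
    const struct alg *a;

    for (a = algs; a->name != NULL; a++) {
        /* Prefix comparison for all entries, or only for flagged ones. */
        int by_prefix = (m == PREFIX_ALL) || (m == SCOPED && a->prefix_ok);

        if (by_prefix ? strncmp(name, a->name, strlen(a->name)) == 0
                      : strcmp(name, a->name) == 0)
            return a->id;
    }
    return -1;
}

int main(void)
{
    const char *gss = "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g=";

    printf("exact      gss: %d\n", lookup(gss, EXACT));
    printf("scoped     gss: %d\n", lookup(gss, SCOPED));
    printf("prefix-all example-kex-v2: %d\n", lookup("example-kex-v2", PREFIX_ALL));
    printf("scoped     example-kex-v2: %d\n", lookup("example-kex-v2", SCOPED));
    return 0;
}
```

With prefix matching applied to every entry, "example-kex-v2" resolves to the shorter "example-kex" entry because it comes first in the table, which is the substring case raised in the note above.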
bugzilla-daemon at mindrot.org
2014-Jan-24 23:02 UTC
[Bug 2198] GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
https://bugzilla.mindrot.org/show_bug.cgi?id=2198
--- Comment #1 from Vern Staats <staatsvr at afrl.hpc.mil> ---
OOPS! My bad! This bug is relative to a non-standard patch for
gssapi-keyex, not the main code. SORRY. I should have sent it to
http://www.sxw.org.uk/computing/patches/openssh.html
NEVERMIND...
bugzilla-daemon at mindrot.org
2014-Jul-03 04:05 UTC
[Bug 2198] GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
https://bugzilla.mindrot.org/show_bug.cgi?id=2198
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
CC| |djm at mindrot.org
Status|NEW |RESOLVED
bugzilla-daemon at mindrot.org
2015-Aug-11 13:05 UTC
[Bug 2198] GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
https://bugzilla.mindrot.org/show_bug.cgi?id=2198
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1