bugzilla-daemon at mindrot.org
2024-Feb-05 10:00 UTC
[Bug 3663] New: KEX host signature length wrong since strict kex introduced
https://bugzilla.mindrot.org/show_bug.cgi?id=3663
Bug ID: 3663
Summary: KEX host signature length wrong since strict kex
introduced
Product: Portable OpenSSH
Version: 9.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: neal.gooch at techmahindra.com
Created attachment 3786
--> https://bugzilla.mindrot.org/attachment.cgi?id=3786&action=edit
Wireshark decode of single packet
When running openssh-clients-8.0p1-19.el8_9.2.x86_64.rpm (Redhat
derivative which includes the strict kex changes in 9.6p1) we are
unable to use Putty v0.80 which includes its strict kex changes.
Putty reports "Incorrect MAC received on packet"
This on its own doesn't say which end is at fault.
Wireshark decode of my SSH connection gives an Expert warning that the
KEX host signature (ssh-ed25519) has a host signature length of 83
bytes (packet length) but it decoded 19 bytes.
This leads me to think it is OpenSSH at fault.
Interestingly an ssh session from another server running the same
version of openssh doesn't spot this issue and will connect - so there
might be two issues - one the server end not building this packet
correctly and one on the client end not detecting it.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Feb-05 22:15 UTC
[Bug 3663] KEX host signature length wrong since strict kex introduced
https://bugzilla.mindrot.org/show_bug.cgi?id=3663
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Sorry, but I don't follow your report. Are you saying that you're
connecting with PuTTY to OpenSSH sshd 8.0?
bugzilla-daemon at mindrot.org
2024-Feb-05 23:08 UTC
[Bug 3663] KEX host signature length wrong since strict kex introduced
https://bugzilla.mindrot.org/show_bug.cgi?id=3663
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Given that a) the problem is in strict kex and b) *our* 8.0p1 doesn't
have strict kex it sounds like the problem might be Redhat's patches to
8.0. If so, you need to report the problem to Redhat.
Can you reproduce the problem with stock OpenSSH 9.6p1 compiled from
source?
bugzilla-daemon at mindrot.org
2024-Feb-07 02:29 UTC
[Bug 3663] KEX host signature length wrong since strict kex introduced
https://bugzilla.mindrot.org/show_bug.cgi?id=3663
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
BTW, our interop tests for 9.6p1 test against PuTTY's plink if it's
found at configure time. (Older versions also had the tests, but they
needed to be manually enabled). The tests don't report the plink
version (and the tests run by the CI will depend on what's on the
runners Github supplies) but at least some of our private VMs have 0.80
and pass the tests:
$ cd openssh-9.6p1
$ ./configure && make interop-tests
[...]
run test putty-transfer.sh ...
putty transfer data: compression 0
putty transfer data: compression 1
ok putty transfer data
run test putty-ciphers.sh ...
putty ciphers: cipher aes
putty ciphers: cipher 3des
putty ciphers: cipher aes128-ctr
putty ciphers: cipher aes192-ctr
putty ciphers: cipher aes256-ctr
putty ciphers: cipher chacha20
ok putty ciphers
run test putty-kex.sh ...
putty KEX: kex dh-gex-sha1
putty KEX: kex dh-group1-sha1
putty KEX: kex dh-group14-sha1
putty KEX: kex ecdh
ok putty KEX
[...]
all interop-tests passed
bugzilla-daemon at mindrot.org
2024-Feb-07 12:30 UTC
[Bug 3663] KEX host signature length wrong since strict kex introduced
https://bugzilla.mindrot.org/show_bug.cgi?id=3663
--- Comment #4 from Neal Gooch <neal.gooch at techmahindra.com> ---
Two updates:
1) Wireshark 4.2.2 (latest at time of writing) no longer gives that
expert warning (checked with original capture files) so this was a
red-herring and a Wireshark issue.
2) Oracle have removed openssh-8.0p1-19.el8_9.2.x86_64.rpm from their
yum repos....
So this looks to be an issue during backporting by either Redhat or
Oracle
On this basis happy to close!
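The ssh-ed25519 signature field discussed in this thread, as an added example (not code from OpenSSH, PuTTY or Wireshark, and not part of the original messages): a parser for the RFC 4253 / RFC 8709 layout that checks every length prefix against the bytes actually present. The sample is constructed, with zero bytes in place of a real signature; `parse_host_signature` and `build_sample` are hypothetical names.

```python
import struct

ED25519_SIG_LEN = 64  # fixed size of a raw Ed25519 signature


class BlobError(ValueError):
    """Raised when a length field disagrees with the bytes actually present."""


def read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length, then that many bytes)."""
    if off + 4 > len(buf):
        raise BlobError(f"truncated length field at offset {off}")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise BlobError(f"string at offset {off} claims {n} bytes, {len(buf) - off - 4} present")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_host_signature(field):
    """Parse the signature field of a KEX reply, outer length prefix included."""
    blob, end = read_string(field, 0)
    if end != len(field):
        raise BlobError("trailing bytes after the signature field")
    name, off = read_string(blob, 0)
    sig, off = read_string(blob, off)
    if off != len(blob):
        raise BlobError("trailing bytes inside the signature blob")
    if name == b"ssh-ed25519" and len(sig) != ED25519_SIG_LEN:
        raise BlobError(f"ssh-ed25519 signature is {len(sig)} bytes, expected 64")
    return {"algorithm": name.decode("ascii", "replace"), "blob_len": len(blob),
            "header_len": len(blob) - len(sig), "sig_len": len(sig)}


def build_sample():
    """Constructed sample: zero bytes stand in for a real signature."""
    name, sig = b"ssh-ed25519", bytes(ED25519_SIG_LEN)
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(sig)) + sig
    return struct.pack(">I", len(blob)) + blob


if __name__ == "__main__":
    print(parse_host_signature(build_sample()))
    try:
        parse_host_signature(build_sample()[:4 + 19])  # length says 83, 19 present
    except BlobError as exc:
        print("rejected:", exc)
```

For a well-formed ssh-ed25519 blob the parser reports 83 bytes in total, of which 19 (two length fields plus the algorithm name) precede the 64-byte raw signature.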
bugzilla-daemon at mindrot.org
2024-Feb-07 12:30 UTC
[Bug 3663] KEX host signature length wrong since strict kex introduced
https://bugzilla.mindrot.org/show_bug.cgi?id=3663
Neal Gooch <neal.gooch at techmahindra.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
bugzilla-daemon at mindrot.org
2024-Feb-07 12:46 UTC
[Bug 3663] KEX host signature length wrong since strict kex introduced
https://bugzilla.mindrot.org/show_bug.cgi?id=3663
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
I've also added some explicit PuTTY interop tests against a bunch of
PuTTY versions
(https://github.com/openssh/openssh-portable/actions/runs/7814553545,
assuming I didn't make a mistake in the change).