Dear all, while playing around with openssh-4.1p1 (trying to add AFS token forwarding in SSH-2), I noticed that agressive rekeying (as e.g. employed by regress/rekey.sh, rekeying every 16bytes) seems to disturb the various forwardings (X11, agent) set up at the beginning of the session. These do not trigger regression test errors, since the client does not ask for confirmation from the server for these commands (except for remote port forwarding, and that one isn't set up by default). Setting the minimum rekey limit to a higher value that covers all of the session setup would be easy, but at least the port forwarding can get added also later during the session. I guess that a rekey event at this stage would kill the connection (explicit 'packet_disconnect()' if we receive neither SUCCESS nor FAILURE from the server). Could somebody perhaps check whether I am completely off-track with this? I'd also be grateful on advice how to handle or prevent rekeying events during session setup, e.g. in ssh_session2_setup(). Thanks Jan
Jan Iven wrote:> Dear all, > while playing around with openssh-4.1p1 (trying to add AFS token > forwarding in SSH-2), I noticed that agressive rekeying (as e.g. > employed by regress/rekey.sh, rekeying every 16bytes) seems to disturb > the various forwardings (X11, agent) set up at the beginning of the > session. These do not trigger regression test errors, since the client > does not ask for confirmation from the server for these commands (except > for remote port forwarding, and that one isn't set up by default).Yes, we should probably set want_reply for forwarding setups and (at least) warn when they are refused. This would be a fairly easy project for someone who wants to start hacking OpenSSH (hint, hint). That rekeying causes problems is more concerning (I'll look at this), but 16 bytes is an absurdly low limit - it isn't even enough to fit a protocol v.2 packet. -d