OK, with this additional information I can now reproduce it.

Based on some quick experiments it seems to be triggered when sshd is
built --with-ssh1 and the config does not *load* a Protocol 1 host
key.

Works:
  Protocol=1,2 + Hostkey not specified
  Protocol=1,2 + Hostkeys for both protocols specified.

Doesn't work:
  Protocol=2 + Hostkey not specified.
  Protocol=1,2 + Hostkeys specified only for Protocol 2.
  Protocol=2 + Hostkeys specified for both protocols.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Wed, Aug 03, 2016 at 01:38:15PM +1000, Darren Tucker wrote:
> OK, with this additional information I can now reproduce it.
> 
> Based on some quick experiments it seems to be triggered when sshd is
> built --with-ssh1 and the config does not *load* a Protocol 1 host
> key.

Looks like it was introduced here:
https://anongit.mindrot.org/openssh.git/commit/?id=1a31d02b
wherein

-	buffer_put_int(&m, 0);
+	if ((r = sshbuf_put_u32(m, 1)) != 0)

This patch should fix it:

diff --git a/sshd.c b/sshd.c
index 799c771..8f2b322 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
 	} else
 #endif
-	if ((r = sshbuf_put_u32(m, 1)) != 0)
+	if ((r = sshbuf_put_u32(m, 0)) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 
 #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
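Review bot: the u32 written in the else branch of this hunk is a presence flag for the protocol-1 host key, and 0 is the only value the child can accept when no key follows, so the change back to `sshbuf_put_u32(m, 0)` is right and matches the `buffer_put_int(&m, 0)` that the quoted commit 1a31d02b replaced. The bare literal is what let the mechanical buffer-API conversion flip it unnoticed; a one-line comment on the write (for example `/* no protocol-1 host key follows */`) or a named constant shared with the code that reads this state in the re-exec'd child would make a repeat of this regression visible in review.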
Darren: your patch worked for me, thanks a lot for your analysis!

Best regards,
Rainer

On 08/03/16 05:51, Darren Tucker wrote:
> On Wed, Aug 03, 2016 at 01:38:15PM +1000, Darren Tucker wrote:
>> OK, with this additional information I can now reproduce it.
>>
>> Based on some quick experiments it seems to be triggered when sshd is
>> built --with-ssh1 and the config does not *load* a Protocol 1 host
>> key.
> 
> Looks like it was introduced here:
> https://anongit.mindrot.org/openssh.git/commit/?id=1a31d02b
> wherein
> 
> -	buffer_put_int(&m, 0);
> +	if ((r = sshbuf_put_u32(m, 1)) != 0)
> 
> This patch should fix it:
> 
> diff --git a/sshd.c b/sshd.c
> index 799c771..8f2b322 100644
> --- a/sshd.c
> +++ b/sshd.c
> @@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
>  			fatal("%s: buffer error: %s", __func__, ssh_err(r));
>  	} else
>  #endif
> -	if ((r = sshbuf_put_u32(m, 1)) != 0)
> +	if ((r = sshbuf_put_u32(m, 0)) != 0)
>  		fatal("%s: buffer error: %s", __func__, ssh_err(r));
>  
>  #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
> 
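The failure this thread tracks down is a serialisation contract broken on one side only: the parent writes a presence flag saying whether a protocol-1 host key follows, and the child trusts it. The C program below is an added illustration of that contract and is not OpenSSH code; the toy buffer helpers, the names send_state, recv_state and roundtrip, and the constructed key blob are all assumptions made for the example. The flag_when_absent parameter stands in for the literal the patch changes from 1 back to 0.

```c
/* Added example, not OpenSSH code: optional state behind a u32 presence
 * flag, the shape of the rexec hand-off the thread's patch corrects.
 * Every helper and name here is an assumption for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 256

/* Toy stand-in for sshbuf: big-endian u32s and length-prefixed strings. */
struct buf {
    uint8_t d[BUF_MAX];
    size_t len;   /* bytes written by the sender */
    size_t off;   /* bytes consumed by the reader */
};

static int put_u32(struct buf *b, uint32_t v)
{
    if (b->len + 4 > BUF_MAX)
        return -1;
    b->d[b->len++] = (uint8_t)(v >> 24);
    b->d[b->len++] = (uint8_t)(v >> 16);
    b->d[b->len++] = (uint8_t)(v >> 8);
    b->d[b->len++] = (uint8_t)v;
    return 0;
}

static int put_string(struct buf *b, const void *p, uint32_t n)
{
    if (put_u32(b, n) != 0 || b->len + n > BUF_MAX)
        return -1;
    memcpy(b->d + b->len, p, n);
    b->len += n;
    return 0;
}

static int get_u32(struct buf *b, uint32_t *v)
{
    if (b->off + 4 > b->len)   /* nothing left to read */
        return -1;
    *v = ((uint32_t)b->d[b->off] << 24) | ((uint32_t)b->d[b->off + 1] << 16) |
         ((uint32_t)b->d[b->off + 2] << 8) | (uint32_t)b->d[b->off + 3];
    b->off += 4;
    return 0;
}

static int get_string(struct buf *b, const uint8_t **p, uint32_t *n)
{
    if (get_u32(b, n) != 0 || b->off + *n > b->len)
        return -1;
    *p = b->d + b->off;
    b->off += *n;
    return 0;
}

/* Parent side. hostkey is NULL when no protocol-1 key was loaded.
 * flag_when_absent models the literal in the patched else branch:
 * 0 is correct, 1 reproduces the regression. */
static int send_state(struct buf *m, const char *hostkey, uint32_t flag_when_absent)
{
    if (hostkey != NULL) {
        if (put_u32(m, 1) != 0)
            return -1;
        return put_string(m, hostkey, (uint32_t)strlen(hostkey));
    }
    return put_u32(m, flag_when_absent);
}

/* Child side: parse a key only when the flag says one follows, and
 * require the message to be consumed exactly. */
static int recv_state(struct buf *m, char *out, size_t outlen)
{
    uint32_t have, n;
    const uint8_t *p;

    if (get_u32(m, &have) != 0)
        return -1;
    out[0] = '\0';
    if (have == 1) {
        if (get_string(m, &p, &n) != 0)   /* flag said 1 but no key was sent */
            return -1;
        if ((size_t)n + 1 > outlen)
            return -1;
        memcpy(out, p, n);
        out[n] = '\0';
    }
    return m->off == m->len ? 0 : -1;
}

/* Serialise then parse; 0 on a clean round trip, -1 on a parse failure. */
static int roundtrip(const char *hostkey, uint32_t flag_when_absent, char *out, size_t outlen)
{
    struct buf m;

    memset(&m, 0, sizeof(m));
    if (send_state(&m, hostkey, flag_when_absent) != 0)
        return -1;
    return recv_state(&m, out, outlen);
}

int main(void)
{
    char key[64];   /* "constructed-ssh1-key" below is a made-up blob */

    printf("key loaded:                   %d\n", roundtrip("constructed-ssh1-key", 0, key, sizeof(key)));
    printf("no key, else branch writes 0: %d\n", roundtrip(NULL, 0, key, sizeof(key)));
    printf("no key, else branch writes 1: %d\n", roundtrip(NULL, 1, key, sizeof(key)));
    return 0;
}
```

The third call is the configuration Darren isolated (sshd built with SSH1 support but no protocol-1 key loaded): the sender emits a lone flag of 1, the child then tries to read a key length past the end of the message, and the hand-off fails. Writing 0 in that branch, as the patch does, is what lets the child take the "no key" path and consume the message exactly.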