Displaying 20 results from an estimated 592 matches for "kex".

2018 Dec 10
2
[PATCH] cleanup of global variables server/client_version_string in sshconnect.c
...e two global variables for server_version_string client_version_string. These are used just in a few functions and can easily be passed as parameters. Also, there is a strange construct, where their memory is allocated to the global pointers, then copies of these pointers are assigned to the kex structure. The kex_free finally frees them via cleanup of the kex structure while the global pointers remain. This can easily be rearranged so that it is clearer who owns which memory and who is thus responsible for freeing. Also, the ssh_login function leaks the memory allocated to the host...
2007 Jan 08
0
How to remove group1 and group14 from OpenSSH..
...ld change. I do apologize for not using the patch format and I also apologize if we are not supposed to post patch-like info. Also.. if you do try to recompile.. you might need to change your Makefiles. All of these files are in /usr/src/ssh/ TO REMOVE GROUP1 and GROUP14 IN myproposal.h #define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha256," \ "diffie-hellman-group-exchange-sha1," \ "diffie-hellman-group14-sha1," \ "diffie-hellman-group1-sha1" CHANGE TO #define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha256," \ "...
2013 Sep 24
9
[PATCH] curve25519-sha256@libssh.org key exchange proposal
...th the next release. In attachment, you will find a patch to openssh-6.3p1 (I think adaptations for OpenSSH are trivial). It links to libnacl. However, my autotools skills are lacking and I compiled it with LIBS=-libnacl. I would greatly appreciate feedback and/or a debate on the relevancy of such kex method, code quality and implementation details. Aris Adamantiadis www.libssh.org -------------- next part -------------- From c3105fa718ca813a06527a238294c148dfc91287 Mon Sep 17 00:00:00 2001 From: Aris Adamantiadis <aris at 0xbadc0de.be> Date: Tue, 24 Sep 2013 21:59:36 +0200 Subject: [...
2013 Jun 25
1
RFC: encrypted hostkeys patch
...197,6 +197,7 @@ check_key_in_hostfiles(struct passwd *, Key *, const char *, /* hostkey handling */ Key *get_hostkey_by_index(int); +Key *get_hostkey_public_by_index(int); Key *get_hostkey_public_by_type(int); Key *get_hostkey_private_by_type(int); int get_hostkey_index(Key *); diff --git a/kex.h b/kex.h index 680264a..b77a2c2 100644 --- a/kex.h +++ b/kex.h @@ -139,6 +139,7 @@ struct Kex { Key *(*load_host_public_key)(int); Key *(*load_host_private_key)(int); int (*host_key_index)(Key *); + void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int); void (*kex[KEX_MAX])(Ke...
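Review bot: the `sign` callback added to struct Kex in the kex.h hunk returns void, so a signing failure cannot be reported to the caller, unlike the neighbouring `host_key_index` member, which returns int; consider returning int with an error code. Its parameters are also unnamed, so the declaration does not show what each of the two `Key *` arguments is for or which `u_char *`/`u_int` pair is the input and which the output; a short comment on the member would make the contract clear.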
2024 Jan 27
2
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
On Fri, Jan 26, 2024 at 7:24 PM Jochen Bern <Jochen.Bern at binect.de> wrote: > On 25.01.24 14:09, Kaushal Shriyan wrote: > > I am running the below servers on Red Hat Enterprise Linux release 8.7 > > How do I enable strong KexAlgorithms, Ciphers and MACs > > On RHEL 8, you need to be aware that there are "crypto policies" > modifying sshd's behaviour, and it would likely be the *preferred* > method to inject your intended config changes *there* (unless they > happen to already be part of an e...
2024 Jan 26
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
On 25.01.24 14:09, Kaushal Shriyan wrote: > I am running the below servers on Red Hat Enterprise Linux release 8.7 > How do I enable strong KexAlgorithms, Ciphers and MACs On RHEL 8, you need to be aware that there are "crypto policies" modifying sshd's behaviour, and it would likely be the *preferred* method to inject your intended config changes *there* (unless they happen to already be part of an existing policy, like...
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2024 Feb 05
6
[Bug 3663] New: KEX host signature length wrong since strict kex introduced
https://bugzilla.mindrot.org/show_bug.cgi?id=3663 Bug ID: 3663 Summary: KEX host signature length wrong since strict kex introduced Product: Portable OpenSSH Version: 9.6p1 Hardware: Other OS: Linux Status: NEW Severity: major Priority: P5 Component: sshd...
2016 Aug 24
3
kex protocol error: type 7 seq xxx error message
Hi, mancha and I debugged a problem with OpenSSH 7.3p1 that was reported on the #openssh freenode channel. Symptoms were that this message was popping on the console during a busy X11 session: kex protocol error: type 7 seq 1234 I managed to reproduce the problem, it is related to the SSH_EXT_INFO packet that is sent by the server every time it is sending an SSH_NEWKEYS packet, hence after every rekeying. I reproduced it on my system with OpenSSH 7.3p1 and manually rekeying with escape R ht...
2015 May 16
2
"Invalid KEX record length" during SPTPS key regeneration and related issues
...use it happens quite rarely (say, once per week and not on all nodes) and is very difficult to reproduce, therefore I don't have a lot of flexibility here. I have to jump in with what I got. Anyway, the main symptom is that tinc *sometimes* (rarely) crashes with the error message "Invalid KEX record length" during its hourly SPTPS key regeneration. I managed to catch it in a long-running debug tincd running under gdb. Here's the complete log, with some gdb investigation at the end: http://pastebin.com/H3qCCAxy Here's where I got so far in my investigation. Apparently, the...
2008 Jul 12
2
[Bug 1486] New: Improperly used buffer during KEX
https://bugzilla.mindrot.org/show_bug.cgi?id=1486 Summary: Improperly used buffer during KEX Classification: Unclassified Product: Portable OpenSSH Version: 5.0p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: unassigned-bugs at mindrot....
2015 Jun 23
2
Call for testing: OpenSSH 6.9
...ifndef OPENSSL_HAS_ECC if (expected[i].l.keytype == KEY_ECDSA) continue; -#endif +#endif /* OPENSSL_HAS_ECC */ +#endif /* WITH_OPENSSL */ ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL), 0); diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c index c61e2bd..cf35f09 100644 --- a/regress/unittests/kex/test_kex.c +++ b/regress/unittests/kex/test_kex.c @@ -141,13 +141,16 @@ do_kex_with_key(char *kex, int keytype, int bits) sshbuf_free(state); ASSERT_PTR_NE(server2->kex, NULL); /* XXX we...
2014 Jan 24
3
[Bug 2198] New: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
https://bugzilla.mindrot.org/show_bug.cgi?id=2198 Bug ID: 2198 Summary: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex() Product: Portable OpenSSH Version: 6.4p1 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 Component: Kerberos support Assignee: unassigned-bugs at m...
2001 May 08
1
New kex organisation and user options.
I'm in the process of updating my GSSAPI patches to the 2.9 release. However, I've run into a slight problem with managing to get user options to play nicely with the way that the kex code is now organised. With the GSS kex it's possible for the user to specify whether they want to delegate their credentials to the server or not. This option is used only on the client side (and so is specified in the client options structure). Previously, when the client and server kex code l...
2008 Jun 28
1
KEX graceful failure
Dear all, I am currently implementing an experimental key exchange (KEX) algorithm. Unlike current algorithms like DH, mine needs to be able to fail gracefully, and in case of failure, continue with whatever algorithm would have been negotiated if mine was not selected. My strategy for graceful failure is to remove my KEX algorithm from myproposal[KEX_DEFAULT_KEX]...
2023 Dec 20
0
Feature Request: new "Require Strict-KEX" c/s option
Hello, since one currently (after the 9.6 release addressing terrapin with strict-kex) can't be sure that strict KEX mode is negotiated (it depends on the capabilities of the partner), and the mitigation for that is to disable most modern/alternative ciphers and MAC modes - I would suggest you offer the option to enforce strict-kex mode as a server config as well as a per-host conf...
2003 Feb 06
2
kex guess methods incorrect?
...'m active! ;)). We've had a few issues with SSH Secure Shell version 3.2.0 (build 267) and sftp and while trying to figure it out I noticed something in the debug output that I think should be brought to OpenSSH's attention. Ssh2Transport/trcommon.c:1518: All versions of OpenSSH handle kex guesses incorrectly. Does anyone know what this is about? I can provide more info if necessary. -- James Dennis Harvard Law School 617-596-7272 "Not everything that counts can be counted, and not everything that can be counted counts."
2015 May 16
0
"Invalid KEX record length" during SPTPS key regeneration and related issues
On Sat, May 16, 2015 at 04:53:33PM +0100, Etienne Dechamps wrote: > I believe there is a design flaw in the way SPTPS key regeneration > works, because upon reception of the KEX message the other nodes will > send both KEX and SIG messages at the same time. However, the node > expects SIG to arrive after KEX. Therefore, there is an implicit > assumption that messages won't arrive out of order. tinc makes no such > guarantee, even over TCP metaconnections, b...
2014 Oct 10
3
[Bug 2291] New: ssh -Q kex lists diffie-hellman-group1-sha1 twice
https://bugzilla.mindrot.org/show_bug.cgi?id=2291 Bug ID: 2291 Summary: ssh -Q kex lists diffie-hellman-group1-sha1 twice Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: sftp-server Assignee: unassigned-bugs at m...
2016 Sep 21
2
Where to look next?
Hello, I'm looking for your insight about the log below. We have an SFTP server (IBM Sterling File Gateway) and we're connecting from an OpenSSH SFTP client but something fails during KEX. Complete client-side debug output is below, but I believe the relevant part is: debug1: kex: server->client cipher: aes192-cbc MAC: hmac-sha1 compression: none debug1: kex: client->server cipher: aes192-cbc MAC: hmac-sha1 compression: none debug3: send packet: type 30 debug1: sending SSH2_...