Date: Thu, 06 Mar 2014 18:15:06 -0800
From: Dennis Glatting <freebsd@pki2.com>
To: freebsd-questions@freebsd.org
Subject: Re: OpenSSH 6.5 broken(?)
Message-ID: <1394158506.8252.52.camel@btw.pki2.com>
In-Reply-To: <1394155340.8252.45.camel@btw.pki2.com>
References: <1394155340.8252.45.camel@btw.pki2.com>
For those interested, I received this response from the OpenSSH bugzilla. I
tested the KexAlgorithms mentioned and it resolved the problem for now.

-------- Forwarded Message --------
From: bugzilla-daemon@mindrot.org
To: openssh@pki2.com
Subject: [Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
Date: Fri, 07 Mar 2014 01:54:17 +0000

https://bugzilla.mindrot.org/show_bug.cgi?id=2209

Darren Tucker <dtucker@zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker@zip.com.au

--- Comment #1 from Darren Tucker <dtucker@zip.com.au> ---
The problem is Cisco does not correctly implement RFC4419, specifically when
asked for a preferred group size larger than its largest group it fails rather
than returning a group it does have that's within the allowed min/max bounds.

There's been some discussion on the mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-February/032177.html

Non-code workaround: "KexAlgorithms
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" in ~/.ssh/config for
the device in question.

-- 
You are receiving this mail because:
You reported the bug.

On Thu, 2014-03-06 at 17:22 -0800, Dennis Glatting wrote:
> With the upgrade to 6.5 I can no longer log into Cisco devices. I traced
> the problem down to the code fragment below, which was a change made in
> late January.
> 
> During the key exchange under 6.5 this is a clue:
> 
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
> 
> Compared to 6.2:
> 
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
> 
> I reverted the patch in my source and the problem goes away. I do not
> know if that was the correct thing to do.
> 
> 
> Index: kexgexc.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/kexgexc.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 kexgexc.c
> --- kexgexc.c	12 Jan 2014 08:13:13 -0000	1.15
> +++ kexgexc.c	25 Jan 2014 10:04:23 -0000
> @@ -55,7 +55,7 @@ kexgex_client(Kex *kex)
>  	int min, max, nbits;
>  	DH *dh;
>  
> -	nbits = dh_estimate(kex->we_need * 8);
> +	nbits = dh_estimate(kex->dh_need * 8);
>  
>  	if (datafellows & SSH_OLD_DHGEX) {
>  		/* Old GEX request */
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
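Review bot: the hunk swaps kex->we_need for kex->dh_need as the input to dh_estimate() without a comment on the effect this has on the preferred group size it sends; the two debug lines quoted in the same message show the request moving from 1024<4096<8192 to 1024<8192<8192, so the preferred size now equals the upper bound. A peer that treats the preferred size as a hard requirement, which the forwarded bug comment says the Cisco implementation does, is left with no group to offer and the exchange fails. The change should carry a comment noting that interoperability impact and the KexAlgorithms workaround, or keep the preferred size strictly below the max bound it advertises.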
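To make the negotiation in this thread concrete, the following is an added illustration and not code from OpenSSH or from anyone in the thread. It parses the two `ssh -v` lines quoted above to recover the client's min/n/max, models an RFC 4419 server that falls back to a group inside the bounds beside one that treats n as a hard requirement (the behaviour the bug comment attributes to Cisco), and shows why the `KexAlgorithms` workaround sidesteps the problem: with a fixed-group method selected, no `SSH2_MSG_KEX_DH_GEX_REQUEST` is sent at all. The server modulus sizes, the default and device KEX lists, and all function names are assumptions constructed for the example; `WORKAROUND_KEX` is the value from the bug comment, and the fixed-group sizes (group14 = 2048 bits, group1 = 1024 bits) come from RFC 4253.

```python
import re

# Constructed sample data. The two ssh -v lines are the ones quoted in the
# bug report; everything else here is assumed for illustration.
OPENSSH_62_LINE = "debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent"
OPENSSH_65_LINE = "debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent"

# Hypothetical modulus sizes (bits) the server has on hand. A real server
# draws primes from its moduli file; only the sizes matter for selection.
SERVER_GROUP_BITS = [1024, 2048, 4096]

# WORKAROUND_KEX is the KexAlgorithms value from the bug comment; the other
# two preference lists are hypothetical.
WORKAROUND_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
DEFAULT_CLIENT_KEX = ["diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group14-sha1",
                      "diffie-hellman-group1-sha1"]
DEVICE_KEX = ["diffie-hellman-group-exchange-sha1",
              "diffie-hellman-group14-sha1",
              "diffie-hellman-group1-sha1"]

GEX_REQUEST_RE = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\)")


def parse_gex_request(debug_line):
    """Pull (min, n, max) out of the ssh -v line announcing the client's
    SSH2_MSG_KEX_DH_GEX_REQUEST; n is the client's preferred group size."""
    m = GEX_REQUEST_RE.search(debug_line)
    if m is None:
        raise ValueError("not a GEX request line: %r" % debug_line)
    lo, n, hi = (int(x) for x in m.groups())
    if not lo <= n <= hi:
        raise ValueError("malformed bounds %d<%d<%d" % (lo, n, hi))
    return lo, n, hi


def choose_group_rfc4419(lo, n, hi, available=SERVER_GROUP_BITS):
    """Conforming server: prefer the smallest group that meets n, otherwise
    the largest group still inside [lo, hi]; fail only if nothing fits."""
    in_bounds = [g for g in available if lo <= g <= hi]
    if not in_bounds:
        return None
    at_least_n = [g for g in in_bounds if g >= n]
    return min(at_least_n) if at_least_n else max(in_bounds)


def choose_group_strict_n(lo, n, hi, available=SERVER_GROUP_BITS):
    """Non-conforming behaviour described in the bug comment: n is treated as
    a hard requirement, so a request above the largest group on hand fails
    even though smaller groups inside [lo, hi] exist."""
    if n > max(available):
        return None
    return choose_group_rfc4419(lo, n, hi, available)


def negotiate_kex(client_prefs, server_supported):
    """RFC 4253 section 7.1: the first client-preferred KEX method that the
    server also supports is chosen."""
    for alg in client_prefs:
        if alg in server_supported:
            return alg
    return None


def simulate_kex(client_prefs, server_supported, gex_line, server_policy):
    """Run the negotiation end to end: pick a KEX method and, only if it is a
    group-exchange method, run the min/n/max selection under server_policy."""
    alg = negotiate_kex(client_prefs, server_supported)
    if alg is None:
        return {"kex": None, "group_bits": None, "ok": False}
    if not alg.startswith("diffie-hellman-group-exchange"):
        # Fixed group: no SSH2_MSG_KEX_DH_GEX_REQUEST is ever sent.
        fixed = {"diffie-hellman-group14-sha1": 2048,
                 "diffie-hellman-group1-sha1": 1024}
        return {"kex": alg, "group_bits": fixed[alg], "ok": True}
    lo, n, hi = parse_gex_request(gex_line)
    g = server_policy(lo, n, hi)
    return {"kex": alg, "group_bits": g, "ok": g is not None}


if __name__ == "__main__":
    for label, line in (("6.2", OPENSSH_62_LINE), ("6.5", OPENSSH_65_LINE)):
        for policy in (choose_group_rfc4419, choose_group_strict_n):
            print(label, policy.__name__,
                  simulate_kex(DEFAULT_CLIENT_KEX, DEVICE_KEX, line, policy))
    print("workaround", simulate_kex(WORKAROUND_KEX, DEVICE_KEX,
                                     OPENSSH_65_LINE, choose_group_strict_n))
```

Running it shows the 6.2 request (n = 4096) succeeding under both server models, the 6.5 request (n = 8192) succeeding only under the RFC 4419 fallback, and the workaround list selecting `diffie-hellman-group14-sha1` so the group-exchange path is never entered. Note that `diffie-hellman-group1-sha1` is a 1024-bit group; listing it second means it is only used if the device lacks group14.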