From owner-freebsd-questions@FreeBSD.ORG Fri Mar 7 02:15:18 2014
From: Dennis Glatting
To: freebsd-questions@freebsd.org
Subject: Re: OpenSSH 6.5 broken(?)
Date: Thu, 06 Mar 2014 18:15:06 -0800
Message-ID: <1394158506.8252.52.camel@btw.pki2.com>
In-Reply-To: <1394155340.8252.45.camel@btw.pki2.com>
References: <1394155340.8252.45.camel@btw.pki2.com>
List-Id: User questions

For those interested, I received this response from the OpenSSH bugzilla.
I tested the KexAlgorithms mentioned and it resolved the problem for now.

-------- Forwarded Message --------
From: bugzilla-daemon@mindrot.org
To: openssh@pki2.com
Subject: [Bug 2209] Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
Date: Fri, 07 Mar 2014 01:54:17 +0000

https://bugzilla.mindrot.org/show_bug.cgi?id=2209

Darren Tucker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker@zip.com.au

--- Comment #1 from Darren Tucker ---
The problem is Cisco does not correctly implement RFC4419, specifically
when asked for a preferred group size larger than its largest group it
fails rather than returning a group it does have that's within the
allowed min/max bounds.

There's been some discussion on the mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-February/032177.html

Non-code workaround: "KexAlgorithms
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" in ~/.ssh/config
for the device in question.

-- 
You are receiving this mail because:
You reported the bug.

On Thu, 2014-03-06 at 17:22 -0800, Dennis Glatting wrote:
> With the upgrade to 6.5 I can no longer log into Cisco devices. I traced
> the problem down to the code fragment below, which was a change made in
> late January.
> 
> During the key exchange under 6.5 this is a clue:
> 
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
> 
> Compared to 6.2:
> 
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
> 
> I reverted the patch in my source and the problem goes away. I do not
> know if that was the correct thing to do.
> 
> Index: kexgexc.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/kexgexc.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 kexgexc.c
> --- kexgexc.c 12 Jan 2014 08:13:13 -0000 1.15
> +++ kexgexc.c 25 Jan 2014 10:04:23 -0000
> @@ -55,7 +55,7 @@ kexgex_client(Kex *kex)
>  	int min, max, nbits;
>  	DH *dh;
>  
> -	nbits = dh_estimate(kex->we_need * 8);
> +	nbits = dh_estimate(kex->dh_need * 8);
>  
>  	if (datafellows & SSH_OLD_DHGEX) {
>  		/* Old GEX request */
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
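Review bot: the switch from kex->we_need to kex->dh_need in the nbits = dh_estimate(...) line raises the preferred group size the client puts in SSH2_MSG_KEX_DH_GEX_REQUEST (the quoted debug output goes from 1024<4096<8192 under 6.2 to 1024<8192<8192 under 6.5, so preferred now equals max), yet the hunk carries no comment saying why the larger value is wanted or what it costs. Add one above that line noting that peers which mishandle RFC 4419, as the bugzilla comment describes for Cisco, fail when the preferred size exceeds their largest group instead of falling back to one within min/max, and mention the KexAlgorithms workaround (fixed diffie-hellman-group14-sha1 / diffie-hellman-group1-sha1 groups), so the next reader has the interoperability trade-off next to the line that makes it.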
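To make the failure mode concrete, here is a small Python model of the RFC 4419 group-exchange request. It is an added example, not code from OpenSSH, the bug report or the thread: it parses the two debug1 lines quoted above into (min, preferred, max), runs them against a server that follows RFC 4419's selection rule (smallest group at least as large as preferred, else the largest group within the client's bounds) and against a server that fails whenever preferred exceeds its largest group, which is the Cisco behaviour Darren describes. The server group sizes, the function names and the KexAlgorithms check are constructed for the example.

```python
"""Model of RFC 4419 group selection for SSH2_MSG_KEX_DH_GEX_REQUEST.

Added example, not code from OpenSSH or the thread. Group sizes and
function names are constructed for illustration.
"""
import re

# Group sizes (bits) a hypothetical server has available; constructed.
SERVER_GROUPS = (1024, 2048, 4096)

# The two client requests quoted in the thread (OpenSSH 6.2 and 6.5).
REQUEST_62 = "debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent"
REQUEST_65 = "debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent"


def parse_gex_request(debug_line):
    """Extract (min, preferred, max) from an OpenSSH debug1 GEX line."""
    m = re.search(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\)", debug_line)
    if not m:
        raise ValueError("not a GEX request line: %r" % debug_line)
    return tuple(int(x) for x in m.groups())


def choose_group_rfc4419(groups, min_bits, preferred, max_bits):
    """Server selection as RFC 4419 describes it.

    Only groups inside [min_bits, max_bits] are candidates. Prefer the
    smallest candidate at least as large as `preferred`; when none is that
    large, fall back to the largest candidate, which still satisfies the
    client's bounds. None means no group fits the bounds at all.
    """
    candidates = sorted(g for g in groups if min_bits <= g <= max_bits)
    if not candidates:
        return None
    at_least = [g for g in candidates if g >= preferred]
    return at_least[0] if at_least else candidates[-1]


def choose_group_broken(groups, min_bits, preferred, max_bits):
    """Model of the non-compliant server from the bug report: it treats
    `preferred` as a hard requirement and aborts when it exceeds the
    largest group it has, even though a smaller group inside the client's
    min/max would do. None stands for the failed key exchange."""
    if preferred > max(groups):
        return None
    return choose_group_rfc4419(groups, min_bits, preferred, max_bits)


def kex_outcome(debug_line, chooser, groups=SERVER_GROUPS):
    """Group size the server would pick for the request in `debug_line`,
    or None when the exchange fails."""
    min_bits, preferred, max_bits = parse_gex_request(debug_line)
    return chooser(groups, min_bits, preferred, max_bits)


def workaround_avoids_gex(kex_algorithms):
    """True when no configured KexAlgorithms entry is a group-exchange
    method, i.e. the client never sends SSH2_MSG_KEX_DH_GEX_REQUEST and
    the server-side bug cannot be triggered."""
    return not any("group-exchange" in a for a in kex_algorithms.split(","))


if __name__ == "__main__":
    for label, line in (("6.2", REQUEST_62), ("6.5", REQUEST_65)):
        print(label,
              "compliant server ->", kex_outcome(line, choose_group_rfc4419),
              "| broken server ->", kex_outcome(line, choose_group_broken))
    print("workaround avoids GEX:",
          workaround_avoids_gex("diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"))
```

Against the constructed server (largest group 4096 bits) the 6.2 request succeeds on both servers, while the 6.5 request, whose preferred size equals its max of 8192, still gets a 4096-bit group from the compliant server but fails on the broken one. The last check shows why the ~/.ssh/config workaround works: the fixed group14/group1 methods never issue a GEX request, so the server-side bug is never reached.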