[Bug 2233] New: curve25519-sha256 at libssh.org Signature Failures When 'sshd' Used with Dropbear Clients
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Sat Apr 19 08:37:59 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2233
Bug ID: 2233
Summary: curve25519-sha256 at libssh.org Signature Failures When
'sshd' Used with Dropbear Clients
Product: Portable OpenSSH
Version: 6.6p1
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: throwaway.xy+opensshbugzilla at gmail.com
Overview:
When using the curve25519-sha256 at libssh.org kex algorithm, host key
signature
validation will sometimes fail between an OpenSSH 'sshd' server and
dropbear-2014.63 clients.
Steps to Reproduce:
Download or build dropbear-2014.63 'dbclient' program.
Run 'sshd' version 6.6p1 locally in one terminal:
# grep -v "#" ./sshd_config | grep .
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation no
# ssh-keygen -t rsa -N "" -q -f ./test-rsa-hostkey
# $PWD/sshd -D -e -h $PWD/test-rsa-hostkey -p 1235 -f ./sshd_config
In a second terminal run 'dbclient echo "hello"' commands in a loop:
# ITER=1; echo "Start"; while [ $? -eq 0 ]; do let ITER=ITER+1;
echo "$ITER"; ./dbclient -i ./test_id localhost/1235 echo "hello"; done
Actual Results:
Eventually the loop above will fail. Sometimes failure happens
quickly,
sometimes it can many iterations:
...
82
hello
83
hello
84
hello
85
./dbclient: Connection to simonsj at localhost:1235 exited: Bad
hostkey signature
Expected Results:
The loop should never fail with the 'Bad hostkey signature' error
above.
Build Date & Hardware:
# git rev-parse HEAD
19158b2447e35838d69b2b735fb640d1e86061ea
# git show V_6_6_P1
commit 19158b2447e35838d69b2b735fb640d1e86061ea
Author: Damien Miller <djm at mindrot.org>
Date: Thu Mar 13 13:14:21 2014 +1100
- (djm) Release OpenSSH 6.6
...
Additional Builds and Platforms:
Also reproducible with 6.5p1.
Additional Information:
Originally discovered here: https://red.libssh.org/issues/159.
My understanding of the actual bug is that OpenSSH is generating the
shared secret bignum value 'K' in a way that is not expected by other
implementations.
I believe the problem is in 'buffer_put_bignum2_from_string' (used by
'kexc25519_shared_key'), as is mentioned here on the mailing list,
with a patch to bufaux.c to fix:
http://marc.info/?l=openssh-unix-dev&m=139699836815285&w=2
With the bufaux.c patch applied, I am no longer able to reproduce
the failure.
I believe this bug affects interop of 'curve25519-sha256 at libssh.org'
going forward, so I've set Severity to 'major'.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list