Patch to workaround host key size mismatch bug in old SSH sshd
Dave Dykstra
dwd at bell-labs.com
Fri Jul 6 01:59:25 EST 2001
Below is a patch against the current OpenBSD OpenSSH CVS to work around a
behavior I have observed when converting from SSH 1.2.27 to OpenSSH while
using the same old RSA1 host key for protocol 1. In several cases I saw
that old SSH sshd reported a host key size of 1024 bits when OpenSSH saw it
as 1023 bits. Without the patch, when OpenSSH's ssh client connects to an
old SSH sshd it warns that the server lies about the size, and when an old
SSH ssh client connects to an OpenSSH sshd it reports the dreaded "WARNING:
HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING
SOMETHING NASTY!" An OpenSSH ssh client conveniently ignores the key size
in ~/.ssh/authorized_keys (in a kind of convoluted way, I might add) so it
doesn't care that the key size reported by OpenSSH sshd is 1023 even if
authorized_keys says it's 1024.
A pleasant side effect of this patch is that compat.c no longer prints the
disconcerting debug message "no match" when communicating with SSH 1.2.23
through 1.2.31.
- Dave Dykstra
--- compat.h.O Thu Jul 5 10:49:47 2001
+++ compat.h Thu Jul 5 10:50:04 2001
@@ -50,6 +50,7 @@
#define SSH_BUG_HBSERVICE 0x00010000
#define SSH_BUG_OPENFAILURE 0x00020000
#define SSH_BUG_DERIVEKEY 0x00040000
+#define SSH_BUG_SERVERLIESSIZE 0x00080000
void enable_compat13(void);
void enable_compat20(void);
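Review bot: the name SSH_BUG_SERVERLIESSIZE on the added #define describes a server-side fault, but the sshd.c hunk in this same patch tests the flag against a connecting client to decide what size the OpenSSH server announces. A one-line comment beside the define saying that it covers both directions (an old sshd announcing one bit more than the modulus has, and an old ssh client expecting that announced size) would save the next reader from assuming it is client-only logic; a more neutral name would also work.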
--- compat.c.O Thu Jul 5 10:49:21 2001
+++ compat.c Thu Jul 5 10:49:27 2001
@@ -105,6 +105,8 @@
{ "^1\\.7 SecureFX", SSH_OLD_SESSIONID },
{ "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG },
{ "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG },
+ { "^1\\.2\\.2[3-9]", SSH_BUG_SERVERLIESSIZE },
+ { "^1\\.2\\.3[0-1]", SSH_BUG_SERVERLIESSIZE },
{ "^1\\.3\\.2", SSH_BUG_IGNOREMSG }, /* f-secure */
{ "^SSH Compatible Server", /* Netscreen */
SSH_BUG_PASSWORDPAD },
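Review bot: the two added patterns, "^1\\.2\\.2[3-9]" and "^1\\.2\\.3[0-1]", are anchored only at the start, so they also match any longer version string that begins with those characters (a hypothetical 1.2.310, for instance), and they set the flag for every peer in the range even though the accompanying message reports the mismatch in several cases rather than all. Since the flag only relaxes an off-by-one comparison that is probably acceptable, but a comment in the table stating the intended range (1.2.23 through 1.2.31) would make that explicit, and [0-1] could be written [01] to match the [012] and [89] entries just above.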
--- sshconnect1.c.O Thu Jul 5 10:49:13 2001
+++ sshconnect1.c Thu Jul 5 10:49:28 2001
@@ -37,6 +37,7 @@
#include "packet.h"
#include "mpaux.h"
#include "uidswap.h"
+#include "compat.h"
#include "log.h"
#include "readconf.h"
#include "key.h"
@@ -960,7 +961,8 @@
sum_len += clen;
rbits = BN_num_bits(host_key->n);
- if (bits != rbits) {
+ if (bits != rbits &&
+ !((datafellows & SSH_BUG_SERVERLIESSIZE) && (rbits + 1 == bits))) {
log("Warning: Server lies about size of server host key: "
"actual size is %d bits vs. announced %d.", rbits, bits);
log("Warning: This may be due to an old implementation of ssh.");
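Review bot: the condition added to the "if (bits != rbits &&" test skips the entire warning block whenever the peer carries SSH_BUG_SERVERLIESSIZE and rbits + 1 == bits, so an announced host key size one bit larger than the real modulus is accepted with no trace at all. Consider emitting a debug() line in that case so the tolerated mismatch stays visible at higher log levels. The exemption is also not limited to the 1023/1024 case from the description: it applies to any key size (767 vs. 768, say) and only in one direction (announced larger than actual), which deserves a short comment above the test.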
--- sshd.c.O Thu Jul 5 10:49:10 2001
+++ sshd.c Thu Jul 5 10:49:27 2001
@@ -1217,7 +1217,12 @@
packet_put_bignum(sensitive_data.server_key->rsa->n);
/* Store our public host RSA key. */
- packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
+ len = BN_num_bits(sensitive_data.ssh1_host_key->rsa->n);
+ if ((datafellows & SSH_BUG_SERVERLIESSIZE) && (len & 1)) {
+ /* old ssh client expects even number for host key */
+ len += 1;
+ }
+ packet_put_int(len);
packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
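Review bot: "len" is assigned in the added lines but this hunk adds no declaration for it, so the change relies on a suitable integer named len already being in scope at this point in sshd.c; please confirm that, and that reusing it here does not overwrite a value needed later in the function. Separately, "(len & 1)" rounds every odd size up by one, which lines up with the client-side change that tolerates rbits + 1 == bits, but the comment "old ssh client expects even number for host key" would be more useful if it named the symptom being avoided (the host identification changed warning from old clients) and noted that the announced value then deliberately differs from BN_num_bits() of the modulus sent two lines later.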
More information about the openssh-unix-dev
mailing list