Problem/bug report for "bad decrypted len" error in

Stefan Hadjistoytchev sth at hq.bsbg.net
Wed Jun 18 17:35:37 EST 2003


Additional information:

1. Linux (sshd server ) ( same on AIX or other distributions )
a) Distribution: Trustix Secure Linux 2.0 beta 3
http://www.trustix.net/pub/Trustix/pre-releases/trustix-2.0-beta3/ISO/trustix-2.0-beta3.i586.iso
b) OpenSSH 3.6.1:
http://www.trustix.net/pub/Trustix/pre-releases/trustix-2.0-beta3/i586/Trustix/RPMS/openssh-3.6.1p1-5to.i586.rpm |
http://www.trustix.net/pub/Trustix/pre-releases/trustix-2.0-beta3/i586/Trustix/RPMS/openssh-server-3.6.1p1-5to.i586.rpm
c) sshd_config:
    Port 22
    Protocol 2
    ListenAddress 0.0.0.0
    PermitRootLogin no
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    RhostsAuthentication no
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PasswordAuthentication no
    PermitEmptyPasswords no
    Subsystem sftp /usr/libexec/ssh/sftp-server

2. Windows ( ssh client )
a) Version: 2000/XP/98
b) SSH clients: Putty Release 0.53
(http://www.chiark.greenend.org.uk/~sgtatham/putty/) | SecureNetTerm 5.4.2.4
(http://www.securenetterm.com/)
c) Smartcard Agent: Secure KeyAgent 5.4.2.4 ( part of SecureNetTerm 5.4.2.4
(http://www.securenetterm.com/ ) )
d) SmartCard Reader: Omnikey CardMan 1010 ( http://www.omnikey.com ) driver
ver. 1.2.0.8
e) SmartCard: Utimaco ( http://www.utimaco.com ) (SETEC | SETCOS based )
f) Smartcard CSP: Utimaco CSP ver.41121
g) Certificate (incl. public - private key) generated on smart-card

Card certificate(public-private key auth) causes the following errors in
"/var/log/auth/errors":
    .............
    sshd[1224] error: bad decrypted len: 36 != 20 + 15
    sshd[1227] error: bad decrypted len: 36 != 20 + 15
    .............

Extra byte is 00 I think :(


Comments on this error from SecureNetTerm team:
> OpenSSH 3.6.1 is a little braindead when it comes to proper operation of
> Certificates.
> All you have to do is edit the OpenSSL file ssh-rsa.c and comment out
> lines 250-252.
> This is a redundant length check that is not technically correct.  The
> OpenSSH team is
> aware of the problem but don't care since they have no idea how to use
> certificates.


If anyone requires additional information - just let me know :)

Best regards
    Stefan Hadjistoytchev
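
The length check behind the logged error, as an added example (not part of the original message and not OpenSSH's source): once the PKCS#1 v1.5 padding is stripped from an RSA/SHA-1 signature, the remainder must be exactly the 15-byte SHA-1 DigestInfo prefix plus the 20-byte hash. The function names, the digest value and the position of the extra 0x00 byte are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* DER DigestInfo prefix for SHA-1 (15 bytes), used with PKCS#1 v1.5 */
static const unsigned char ID_SHA1[] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};
#define SHA1_LEN 20
enum di_result { DI_OK = 0, DI_BAD_LEN, DI_BAD_OID, DI_BAD_HASH };

/* dec/len: bytes left after the RSA public-key operation and padding removal.
 * hash: SHA-1 of the signed data, computed independently by the verifier. */
enum di_result check_digestinfo(const unsigned char *dec, size_t len,
                                const unsigned char *hash)
{
    size_t oidlen = sizeof(ID_SHA1);
    if (len != SHA1_LEN + oidlen) {          /* strict: no extra bytes */
        fprintf(stderr, "bad decrypted len: %zu != %d + %zu\n",
                len, SHA1_LEN, oidlen);
        return DI_BAD_LEN;
    }
    if (memcmp(dec, ID_SHA1, oidlen) != 0)
        return DI_BAD_OID;
    if (memcmp(dec + oidlen, hash, SHA1_LEN) != 0)
        return DI_BAD_HASH;
    return DI_OK;
}

/* Constructed sample: prefix || hash, optionally followed by one 0x00 byte
 * (where the card puts its extra byte is an assumption). Returns the length. */
size_t build_payload(unsigned char *out, const unsigned char *hash, int extra)
{
    memcpy(out, ID_SHA1, sizeof(ID_SHA1));
    memcpy(out + sizeof(ID_SHA1), hash, SHA1_LEN);
    if (extra)
        out[sizeof(ID_SHA1) + SHA1_LEN] = 0x00;
    return sizeof(ID_SHA1) + SHA1_LEN + (extra ? 1 : 0);
}

int main(void)
{
    unsigned char hash[SHA1_LEN], buf[64];
    memset(hash, 0xAB, sizeof(hash));        /* constructed digest value */
    printf("35 bytes -> %d\n",
           check_digestinfo(buf, build_payload(buf, hash, 0), hash));
    printf("36 bytes -> %d\n",
           check_digestinfo(buf, build_payload(buf, hash, 1), hash));
    return 0;
}
```

Without the length comparison, the 36-byte payload in this example would pass, because the two `memcmp` calls never look past byte 35.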