rekeying in SSH-2 and session setup?

Damien Miller djm at mindrot.org
Thu Jun 16 13:33:28 EST 2005


Jan Iven wrote:
> Dear all,
> while playing around with openssh-4.1p1 (trying to add AFS token
> forwarding in SSH-2), I noticed that aggressive rekeying (as e.g.
> employed by regress/rekey.sh, rekeying every 16 bytes) seems to disturb
> the various forwardings (X11, agent) set up at the beginning of the
> session. These do not trigger regression test errors, since the client
> does not ask for confirmation from the server for these commands (except
> for remote port forwarding, and that one isn't set up by default).

Yes, we should probably set want_reply for forwarding setups and (at
least) warn when they are refused.

This would be a fairly easy project for someone who wants to start
hacking OpenSSH (hint, hint).

That rekeying causes problems is more concerning (I'll look at this),
but 16 bytes is an absurdly low limit - it isn't even enough to fit a
protocol v.2 packet.

-d
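An added illustration of the two points above (example code, not from this thread or from OpenSSH): an RFC 4254 "tcpip-forward" global request with want_reply set, wrapped in RFC 4253 binary-packet framing, which shows that even the smallest SSH-2 packet is 16 bytes before the MAC, plus a reply handler that warns when the forwarding is refused. Message numbers and framing follow the RFCs; the bind address and port are constructed sample values.

```python
import os
import struct

# SSH-2 message numbers (RFC 4253 section 12, RFC 4254 section 4)
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def tcpip_forward_request(bind_addr: str, port: int, want_reply: bool) -> bytes:
    """Payload of SSH_MSG_GLOBAL_REQUEST "tcpip-forward" (RFC 4254 section 7.1).
    With want_reply set, the peer must answer REQUEST_SUCCESS or REQUEST_FAILURE."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST])
            + ssh_string(b"tcpip-forward")
            + bytes([1 if want_reply else 0])
            + ssh_string(bind_addr.encode())
            + struct.pack(">I", port))


def binary_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Wrap a payload in RFC 4253 section 6 framing (MAC not included).
    packet_length(4) + padding_length(1) + payload + padding must be a
    multiple of block_size, with at least 4 bytes of random padding."""
    pad = block_size - ((4 + 1 + len(payload)) % block_size)
    if pad < 4:
        pad += block_size
    body = bytes([pad]) + payload + os.urandom(pad)
    return struct.pack(">I", len(body)) + body


def interpret_reply(msg_type: int, request: str) -> str:
    """Turn the peer's answer to a want_reply request into a log line,
    warning explicitly when the forwarding setup was refused."""
    if msg_type == SSH_MSG_REQUEST_SUCCESS:
        return f"{request}: accepted by peer"
    if msg_type == SSH_MSG_REQUEST_FAILURE:
        return f"Warning: {request} refused by peer"
    return f"{request}: unexpected reply type {msg_type}"


if __name__ == "__main__":
    # A one-byte payload already yields the 16-byte minimum packet.
    print("minimum packet:", len(binary_packet(b"\x00")), "bytes")
    pkt = binary_packet(tcpip_forward_request("localhost", 8080, True))
    print("tcpip-forward request packet:", len(pkt), "bytes")
    print(interpret_reply(SSH_MSG_REQUEST_FAILURE, "tcpip-forward"))
```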
