SSH key exchange algorithm negotiation payload growth
Damien Miller
djm at mindrot.org
Wed May 8 10:37:48 EST 2013
On Tue, 7 May 2013, Kent R. Spillner wrote:
> Howdy-
>
> TL;DR
>
> An SSH daemon for a memory-constrained embedded platform didn't work
> with a recent OpenSSH client because it couldn't handle the payload
> size during key exchange. In general, what should SSH implementors in
> such limited environments do to ensure forwards compatibility with
> future OpenSSH releases?
Not assume fixed size buffers will always fit proposal strings :)
The maximum likely size of a KEXINIT packet is always going to be smaller
than the 32KB minimum payload length required by RFC4253.
> I'm curious, though, how other embedded SSH implementors maintain
> forwards compatibility with future releases of OpenSSH. Am I correct
> in reading RFC 4253 sections 6.2 - 6.5 and section 7.1 as saying that
> implementations must be prepared to accept an arbitrary number of
> algorithms of each type during initial key exchange?
Up to the 32KB packet size required in section 6.1.
> When I was troubleshooting this issue I tried playing around
> with different combinations of -o KexAlgorithms and -o
> HostKeyAlgorithms at the command line. Are there other
> configuration paramters for the other name-lists during algorithm
> negotiation, e.g. encryption_algorithms_client_to_server,
> compression_algorithms_server_to_client, etc?
The options that select the contents of the KEXINIT packet are:
Ciphers
MACs
Compression
HostKeyAlgorithms
KexAlgorithms
If you ever encounter a broken implementation that chokes on something
in the KEXINIT packet, you can use one (or all) of these to remove the
offending morsel.
-d
More information about the openssh-unix-dev
mailing list