Call for testing: OpenSSH 6.6

mancha mancha1 at hush.com
Sun Mar 2 10:19:50 EST 2014


On Sat, 01 Mar 2014 22:24:46 +0000 mikep at noc.utoronto.ca wrote:
>Built 'openssh-SNAP-20140301' on Solaris 10 with 'gcc'; no errors;
>'ssh' as 'root' now works (failed with 6.5p1).
>
>2 issues:
>
>In 'ssh_config', setting:
>
> 	KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
>used to allow connections to Cisco routers to work, but now the connection
>attempt hangs. With the current version, any one of:
>
> 	KexAlgorithms diffie-hellman-group-exchange-sha1
> 	KexAlgorithms diffie-hellman-group14-sha1
> 	KexAlgorithms diffie-hellman-group1-sha1
> 	KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
>works, but this hangs:
>
> 	KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

As of OpenSSH 6.5, the size of the requested DH group (in DH GEX)
increased at every security level (per NIST SP 800-57).

My guess is Cisco's sshd implementation is RFC4419 non-compliant.

If this is the case, there's a *very* long thread on the ML which
discusses the DH GEX change. Search for "3des cipher and DH
group size"

>On Sat, 1 Mar 2014, mancha wrote:
>
>> $ ./configure && make tests sysconfdir=$(pwd)
>>
>> This could be forced in the makefile's test target so it works
>> automagically.
>
>'make tests', 'make tests sysconfdir=$PWD' and 'make tests
>sysconfdir=/etc/ssh' all fail with:
>

Setting sysconfdir was a work-around for the dhgex.sh test.
openssh-SNAP-20140302+ disables that test.

--mancha
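
Added example (not part of the original message and not OpenSSH code): the DH GEX size negotiation discussed above, with the client's SSH_MSG_KEX_DH_GEX_REQUEST encoded as in RFC 4419 and a server picking a group from the sizes it holds. The function names, the group sizes and the selection rule (a simplified reading of RFC 4419 section 3) are assumptions made for illustration, not values used by OpenSSH or by any vendor.

```python
import struct

SSH_MSG_KEX_DH_GEX_REQUEST = 34  # message number from RFC 4419


def encode_gex_request(min_bits, n_bits, max_bits):
    """Client side: byte type, then uint32 min, n (preferred), max."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST,
                       min_bits, n_bits, max_bits)


def decode_gex_request(payload):
    """Server side: parse the request and reject malformed size triples."""
    if len(payload) != 13:
        raise ValueError("GEX request payload must be 13 bytes")
    msg, min_bits, n_bits, max_bits = struct.unpack(">BIII", payload)
    if msg != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not SSH_MSG_KEX_DH_GEX_REQUEST")
    if not min_bits <= n_bits <= max_bits:
        raise ValueError("sizes must satisfy min <= n <= max")
    return min_bits, n_bits, max_bits


def select_group(known_sizes, min_bits, n_bits, max_bits):
    """Hypothetical server policy: smallest known group that reaches the
    preferred size n, else the largest known group, always inside
    [min, max]. Returns None when no known group is in range."""
    usable = sorted(s for s in known_sizes if min_bits <= s <= max_bits)
    if not usable:
        return None
    for size in usable:
        if size >= n_bits:
            return size
    return usable[-1]


def client_accepts(group_bits, min_bits, max_bits):
    """Client side: the offered modulus must fall inside the window."""
    return group_bits is not None and min_bits <= group_bits <= max_bits


if __name__ == "__main__":
    server_groups = [1024, 2048]  # constructed sample, not a real server
    for req in [(1024, 1024, 8192), (1024, 3072, 8192), (2048, 3072, 8192)]:
        wire = encode_gex_request(*req)
        mn, n, mx = decode_gex_request(wire)
        chosen = select_group(server_groups, mn, n, mx)
        print(req, wire.hex(), chosen, client_accepts(chosen, mn, mx))
```

Raising the preferred size n leaves a server holding only smaller groups able to answer with its largest one, while a group outside the client's [min, max] window is one the client will not accept.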


