Call for testing: OpenSSH 6.6

mancha mancha1 at
Sun Mar 2 10:19:50 EST 2014

On Sat, 01 Mar 2014 22:24:46 +0000 mikep at wrote:
>Built 'openssh-SNAP-20140301' on Solaris 10 with 'gcc'; no errors;
>'ssh' as 'root' now works (failed with 6.5p1).
>2 issues:
>In 'ssh_config', setting:
> 	KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-
>used to allow connections to Cisco routers to work, but now the 
>attempt hangs. With the current version, any one of:
> 	KexAlgorithms diffie-hellman-group-exchange-sha1
> 	KexAlgorithms diffie-hellman-group14-sha1
> 	KexAlgorithms diffie-hellman-group1-sha1
> 	KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-
>works, but this hangs:
> 	KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-

As of OpenSSH 6.5, the size of the requested DH group (in DH GEX)
increased at every security level (per NIST SP 800-57).

My guess is Cisco's sshd implementation is RFC4419 non-compliant.

If this is the case, there's a *very* long thread on the ML which
discusses the DH GEX change. Search for "3des cipher and DH
group size".

>On Sat, 1 Mar 2014, mancha wrote:
>> $ ./configure && make tests sysconfdir=$(pwd)
>> This could be forced in the makefile's test target so it works
>> automagically.
>'make tests', 'make tests sysconfdir=$PWD' and 'make tests
>sysconfdir=/etc/ssh' all fail with:

Setting sysconfdir was a work-around for the test.
openssh-SNAP-20140302+ disables that test.
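
Added example, not part of the original message or of OpenSSH: a diagnostic sketch of the RFC 4419 group-exchange messages discussed above, which encodes the client's min/n/max request and checks the size of the group a peer returns against it. The function names and the 1024/3072/8192 bounds are assumptions made for illustration, and the sample replies are constructed.

```python
import struct

# Message numbers from RFC 4419
SSH_MSG_KEX_DH_GEX_GROUP = 31
SSH_MSG_KEX_DH_GEX_REQUEST = 34

def build_gex_request(min_bits, n_bits, max_bits):
    """byte type, then uint32 min, n (preferred), max: all sizes in bits."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, n_bits, max_bits)

def encode_mpint(value):
    """SSH mpint for a positive integer: uint32 length + big-endian bytes, top bit clear."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(body)) + body

def read_mpint(buf, off):
    """Decode one mpint at offset off; return (value, offset after it)."""
    if off + 4 > len(buf):
        raise ValueError("truncated mpint length")
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated mpint body")
    return int.from_bytes(buf[off + 4:end], "big", signed=True), end

def check_group(request, group_payload):
    """Return (bits of p, verdict) for a GEX_GROUP reply against our request."""
    _, min_bits, n_bits, max_bits = struct.unpack(">BIII", request)
    if not group_payload or group_payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not SSH_MSG_KEX_DH_GEX_GROUP")
    p, off = read_mpint(group_payload, 1)
    g, _ = read_mpint(group_payload, off)
    if p <= 0 or g <= 1:
        raise ValueError("invalid group parameters")
    bits = p.bit_length()
    if bits < min_bits or bits > max_bits:
        return bits, "out-of-range"      # peer ignored the client's bounds
    if bits < n_bits:
        return bits, "below-preferred"   # acceptable, but weaker than requested
    return bits, "ok"

def sample_group(bits):
    """Constructed reply: p only has the right size, it is not a real safe prime."""
    p = (1 << (bits - 1)) | 1
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(2)

if __name__ == "__main__":
    req = build_gex_request(1024, 3072, 8192)  # constructed sample bounds
    for size in (768, 1024, 4096):
        print(size, check_group(req, sample_group(size)))
```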


