[Bug 2198] New: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jan 25 09:26:21 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2198

            Bug ID: 2198
           Summary: GSSAPIKeyExchange gssapi-keyex bug in kex.c
                    choose_kex()
           Product: Portable OpenSSH
           Version: 6.4p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: staatsvr at afrl.hpc.mil

Created attachment 2400
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2400&action=edit
Possible fix for kex.c GSSAPIKeyExchange strcmp problem

Reported problem: Attempted connections from new 6.4p1 client to old
6.0p1 server fail when using "GSSAPIKeyExchange yes".

Client error message:
  unsupported kex alg gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
Server error message: (nothing much useful, even with -ddd)

Cause:
In kex.c :: choose_kex() prior to 6.3p1 the search for Kex k->name was
performed using a mix of strcmp() and strncmp().  The strncmp() name
comparisons on just the leading part of the name were necessary for
KEX_GSS_GEX_SHA1_ID, KEX_GSS_GRP1_SHA1_ID, and KEX_GSS_GRP14_SHA1_ID.
  Starting with 6.3p1 and continuing in 6.4p1 and
openssh-SNAP-20140125.tar.gz kex.c moved to a kexalgs table with a
kex_alg_by_name() lookup.  Since kex_alg_by_name() only uses strcmp,
the above kex algorithm names fail to make an exact match.  For example,
KEX_GSS_GEX_SHA1_ID = gss-gex-sha1- vs
k->name = gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==

Proposed fix: Add strncmp() special cases for the KEX_GSS_* algorithms.
See example patch in attachments.  Not elegant, but I think safe.
Note:  Why not just use strncmp() in kex_alg_by_name(const char *name)
for all cases?  But what if someday there's an algorithm name which is
a substring of another name?
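
As an added illustration, not the reporter's attachment or OpenSSH's own code, a small C model of the lookup described above: it assumes a constructed kexalgs-style table and a hypothetical kex_alg_by_name_mode() that switches between the three comparison strategies the report discusses (strcmp only, strncmp only for the KEX_GSS_* prefixes, strncmp for everything). The gss-gex-sha1- prefix is from the report; the two gss-group prefixes are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kexalgs table, not OpenSSH's own. gss_prefix
 * marks entries that hold only the leading part of the name, as with
 * KEX_GSS_GEX_SHA1_ID = "gss-gex-sha1-"; the two group entries are assumed. */
struct kexalg { const char *name; int gss_prefix; };

static const struct kexalg kexalgs[] = {
	{ "diffie-hellman-group-exchange-sha1", 0 },
	{ "diffie-hellman-group1-sha1", 0 },
	{ "diffie-hellman-group14-sha1", 0 },
	{ "gss-gex-sha1-", 1 },
	{ "gss-group1-sha1-", 1 },
	{ "gss-group14-sha1-", 1 },
	{ NULL, 0 }
};

/* EXACT_ONLY: strcmp for everything (6.3p1/6.4p1 behaviour per the report).
 * GSS_PREFIX: the proposed fix, strncmp only for the KEX_GSS_* entries.
 * PREFIX_ALL: strncmp for everything, to show the reporter's objection. */
enum lookup_mode { EXACT_ONLY, GSS_PREFIX, PREFIX_ALL };

/* Hypothetical lookup: returns the table name that matched, or NULL. */
const char *kex_alg_by_name_mode(const char *name, enum lookup_mode mode)
{
	const struct kexalg *k;
	for (k = kexalgs; k->name != NULL; k++) {
		int prefix = mode == PREFIX_ALL || (mode == GSS_PREFIX && k->gss_prefix);
		if (prefix ? strncmp(k->name, name, strlen(k->name)) == 0
		           : strcmp(k->name, name) == 0)
			return k->name;
	}
	return NULL;
}

int main(void)
{
	/* Client-offered name from the report, plus a constructed name that
	 * merely starts with a table entry. */
	const char *gss = "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==";
	const char *bad = "diffie-hellman-group14-sha1-extra";
	const char *r;
	r = kex_alg_by_name_mode(gss, EXACT_ONLY);
	printf("strcmp only : %s\n", r ? r : "unsupported kex alg");
	r = kex_alg_by_name_mode(gss, GSS_PREFIX);
	printf("proposed fix: %s\n", r ? r : "unsupported kex alg");
	r = kex_alg_by_name_mode(bad, PREFIX_ALL);
	printf("strncmp all : %s (false match)\n", r ? r : "unsupported");
	return 0;
}
```

The last lookup is the reporter's substring concern made concrete: with strncmp applied to every entry, a name that only begins with "diffie-hellman-group14-sha1" is accepted, whereas the GSS-only special case still rejects it.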
