IETF Logo Mail Archive

Re: Fixing exchange of host keys in the SSH key exchange

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 27 March 2017 06:21 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6268A129410 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sun, 26 Mar 2017 23:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZrRmrhlWp2Vu for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sun, 26 Mar 2017 23:21:58 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04F501293FD for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 26 Mar 2017 23:21:58 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id DBF84855B6; Mon, 27 Mar 2017 06:21:56 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id ECC45855A7 for <ietf-ssh@netbsd.org>; Mon, 27 Mar 2017 06:21:54 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id 5i3WIvAWXguT for <ietf-ssh@netbsd.org>; Mon, 27 Mar 2017 06:21:54 +0000 (UTC)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id C111684CDA for <ietf-ssh@netbsd.org>; Mon, 27 Mar 2017 06:21:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1490595713; x=1522131713; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=/wD8cv68lUnss4/Wecc+Y+S3BfyDFi8VteZn5gYscWo=; b=goAVHCCMyIuOsepXBruI/roihvR5FV2RUyC0HGSYw3vThzV5AJv18RKF bHqaBZQ7yNA2x8Qsv/v9VerkLt2xr4bVvQBvjY3zJwhDDo38hiq/iDi3I lrDNhPVDNtB9Pn2XPyLQL+kEeQop+ABFtA901Kux+D1qQtXBojhgPXBVf LbD3I0vIxSzW0LQj2yqcXr5b9i/1slGEthTVW9mterZufpW9zzF5/Ygz8 Jv/EgrDjzwKRHP/idAOCmJpF2funxftVW+qXx0C2y8dmbEzY41Mo6rZuT tS+fTXXEgRtLBMcuFVLbB8YPVnzm5gJnXwyCUGUlcqRwhJcM14Lm8TQGM A==;
X-IronPort-AV: E=Sophos;i="5.36,229,1486378800"; d="scan'208";a="145882866"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.4 - Outgoing - Outgoing
Received: from uxcn13-ogg-c.uoa.auckland.ac.nz ([10.6.2.4]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 27 Mar 2017 19:21:52 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-c.UoA.auckland.ac.nz (10.6.2.24) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 27 Mar 2017 19:21:51 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Mon, 27 Mar 2017 19:21:51 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>, Mouse <mouse@Rodents-Montreal.ORG>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: Re: Fixing exchange of host keys in the SSH key exchange
Thread-Topic: Fixing exchange of host keys in the SSH key exchange
Thread-Index: AQHSo6JCh/pnJs1+UUq8ewlt+ue/5qGhf50AgAOKXICAAIpbgIABd8WAgAExZak=
Date: Mon, 27 Mar 2017 06:21:51 +0000
Message-ID: <1490595711031.1686@cs.auckland.ac.nz>
References: <2216143EDEE342A3A5C9BB786F7FEF7A@Khan> <201703231224.IAA22091@Stone.Rodents-Montreal.ORG><589D55C2CF5942E9910482788CBDB445@Khan> <201703260243.WAA05983@Stone.Rodents-Montreal.ORG>, <B27F1BAE8F974449B6EE8B7DF50ED3A9@Khan>
In-Reply-To: <B27F1BAE8F974449B6EE8B7DF50ED3A9@Khan>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes:

>For the most recent example, an older version of a popular library used to
>have the "maximum channel packet size" concept completely borked up. For a
>channel opened by the remote party, this library would overwrite its own
>maximum packet size with the remote one. This caused at least two different
>kinds of session-ending problems to arise.

It seems like every implementer has stories like this, but no-one can really
mention them in public because you don't want to embarrass a particular
vendor... would there be any interest in having a private list of email
addresses of people to exchange information like this with?  That way we could
compare notes on necessary fixes that otherwise would need to be rediscovered
for each new implementation.

Peter.

v2.23.0 | Report a Bug | By Email