IETF Logo Mail Archive

Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]

Darren Tucker <dtucker@zip.com.au> Thu, 30 March 2017 06:02 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4765F127058 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 29 Mar 2017 23:02:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.09
X-Spam-Level:
X-Spam-Status: No, score=-4.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=dtucker-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bgf_9ZECakTf for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 29 Mar 2017 23:02:31 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7C8D1204DA for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 29 Mar 2017 23:02:31 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 72582855BD; Thu, 30 Mar 2017 06:02:30 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 1740E855BB; Thu, 30 Mar 2017 06:02:30 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 220B58556B for <ietf-ssh@netbsd.org>; Tue, 28 Mar 2017 05:57:02 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=dtucker-net.20150623.gappssmtp.com
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id PCInyv40XZAV for <ietf-ssh@netbsd.org>; Tue, 28 Mar 2017 05:57:01 +0000 (UTC)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 5AABD84CE5 for <ietf-ssh@netbsd.org>; Tue, 28 Mar 2017 05:57:01 +0000 (UTC)
Received: by mail-qt0-x22c.google.com with SMTP id n21so55848871qta.1 for <ietf-ssh@netbsd.org>; Mon, 27 Mar 2017 22:57:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dtucker-net.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=j1XID5reF3EjgOwep2U+uzeIamQ53D0az99gGEroSvE=; b=FW1FvuTd5kaRoRBNMAZr8lZbLywo+4hmzhkwbYC2tl2obIMJ5F2EWpMo1j9hereNwI IOCPbm6BQasF1rmW5hxrXd/wfWQV4EHaFRLvqLWTntJjpnxt02dF+odLTiVuLgguNsxQ yu2bphS0soO6R50Di3T5ShV29bcPf4tHieYNIGYNySM5ktUnn8S9lbLCyfdvXvBW5RqN cM/ivsDNfAS9OzSwQh5NT8Bir8KsO6Q1k/HX3Zd3wuKm7ySyVmUfehiTUNosFGbhThfN RYqJueL0qh8ufBWoRdm7zE4wShmXwBOd8Oznuxzoh86Kp52WmW/xS8o6vUzpHA4Z+Kmd uE9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=j1XID5reF3EjgOwep2U+uzeIamQ53D0az99gGEroSvE=; b=RYCgMH5eg9za89VmW8ZSCd4mudBeookk/X3JZLRGyo64EmKGrFzmMeXsHyCrj2k25x Cu7OqBGcQWoGVVUf7jF9MXHIClAnnhCx0OdML1j2nWPlGIdamo58LVG/DtGBRo9EF5d9 xSlms8tpKYJkIN4HyW/P5FvqyoI6sJOiH4TRd6jfAqvEvfFTBNfvMXz6GhP8ZVyvXX28 ORCgUwik9W6mgNPcFS5ttTggEsWZ4/eXxVQNNQI70/jfeX94yB9EcBo1sAu6RF81jXgi mJQJZY6NUaQCm2maydFbJb8Qt7dBgpO3dSrUB7x6BZjLeUopAMDj3RWcWbkjFZ676GnZ KNJw==
X-Gm-Message-State: AFeK/H3WsJABL8A2nq0i1AS1SOD+KdWtNst73a91+fx72NB4TH1Ktgc0L3ElHfjChfzufSjbjx6lv0HYYIuFkg==
X-Received: by 10.200.52.65 with SMTP id v1mr26888460qtb.166.1490680620170; Mon, 27 Mar 2017 22:57:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.111.130 with HTTP; Mon, 27 Mar 2017 22:56:39 -0700 (PDT)
In-Reply-To: <201703272204.SAA12391@Stone.Rodents-Montreal.ORG>
References: <2216143EDEE342A3A5C9BB786F7FEF7A@Khan> <201703231224.IAA22091@Stone.Rodents-Montreal.ORG> <589D55C2CF5942E9910482788CBDB445@Khan> <201703260243.WAA05983@Stone.Rodents-Montreal.ORG> <B27F1BAE8F974449B6EE8B7DF50ED3A9@Khan> <1490595711031.1686@cs.auckland.ac.nz> <BE0AC8D434BC4010842179F29664E7A7@Khan> <201703272204.SAA12391@Stone.Rodents-Montreal.ORG>
From: Darren Tucker <dtucker@zip.com.au>
Date: Tue, 28 Mar 2017 16:56:39 +1100
X-Google-Sender-Auth: gDCdbjCLNzekaZrWNh2ZP4TMuFk
Message-ID: <CALDDTe2h_2ERDwz_gvnrRTODAjx5dJe5NCRnFYvL=XHuP8mdkQ@mail.gmail.com>
Subject: Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]
To: Mouse <mouse@rodents-montreal.org>
Cc: "ietf-ssh@NetBSD.org" <ietf-ssh@netbsd.org>
Content-Type: multipart/alternative; boundary="001a1141a6aed70bb2054bc420dd"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

On Tue, Mar 28, 2017 at 9:04 AM, Mouse <mouse@rodents-montreal.org> wrote:

> [...]
> Well, in many cases.  I, for example, am not at all chary about naming
> OpenSSH as the implementation whose misfeature prompted me to add
> -share-number to moussh (even the moussh manpage does so)


I was curious about what that was so I looked.  Quoting moussh(1):

     There is a misfeature (I would call it a bug, except that reading the
     source makes it clear it was done deliberately) in OpenSSH's server.
     (Similar issues may exist with others, but I have no knowledge of
them.)
     It gratuitously refuses to permit more than ten sessions per
connection.
     This means that using moussh's connection-sharing feature to connect to
     such a server will work fine until you try to open too many remote
login
     sessions, at which point you will get refusals from the remote server.
     Worst of all, OpenSSH does not provide any way for the server admin to
     raise this limit; it is hardwired into the code!

That last sentence is not accurate, OpenSSH has provided a MaxSessions
config option since the 5.1 (2008):
https://www.openssh.com/releasenotes.html#5.1

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

v2.23.0 | Report a Bug | By Email