Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]

"denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com> Fri, 31 March 2017 06:56 UTC

Message-ID: <1A92E96F87CA4B70A939D3E0F1A719B4@Khan>
From: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
To: Darren Tucker <dtucker@zip.com.au>, Mouse <mouse@rodents-montreal.org>
Cc: "ietf-ssh@NetBSD.org" <ietf-ssh@netbsd.org>
References: <2216143EDEE342A3A5C9BB786F7FEF7A@Khan> <201703231224.IAA22091@Stone.Rodents-Montreal.ORG> <589D55C2CF5942E9910482788CBDB445@Khan> <201703260243.WAA05983@Stone.Rodents-Montreal.ORG> <B27F1BAE8F974449B6EE8B7DF50ED3A9@Khan> <1490595711031.1686@cs.auckland.ac.nz> <BE0AC8D434BC4010842179F29664E7A7@Khan> <201703272204.SAA12391@Stone.Rodents-Montreal.ORG> <CALDDTe2h_2ERDwz_gvnrRTODAjx5dJe5NCRnFYvL=XHuP8mdkQ@mail.gmail.com>
In-Reply-To: <CALDDTe2h_2ERDwz_gvnrRTODAjx5dJe5NCRnFYvL=XHuP8mdkQ@mail.gmail.com>
Subject: Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]
Date: Thu, 30 Mar 2017 12:57:59 -0600

Also, unfortunately, the OpenSSH “MaxSessions” setting is often configured with the value 1.

This is really awful for a graphical client such as Bitvise SSH Client, which hopes to be able to open at least 2 channels in the same session (one for SFTP, one for terminal).

I’m not sure who sets that default to 1 – maybe it’s a distribution, or maybe some zealous administrator. However, I would suggest a sensible minimum might be at least 2 for servers that allow terminal shell and SFTP access.

denis


From: Darren Tucker 
Sent: Monday, March 27, 2017 23:56
To: Mouse 
Cc: ietf-ssh@NetBSD.org 
Subject: Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]

On Tue, Mar 28, 2017 at 9:04 AM, Mouse <mouse@rodents-montreal.org> wrote:

  [...]
  Well, in many cases.  I, for example, am not at all chary about naming
  OpenSSH as the implementation whose misfeature prompted me to add
  -share-number to moussh (even the moussh manpage does so)

I was curious about what that was so I looked.  Quoting moussh(1):

     There is a misfeature (I would call it a bug, except that reading the
     source makes it clear it was done deliberately) in OpenSSH's server.
     (Similar issues may exist with others, but I have no knowledge of them.)
     It gratuitously refuses to permit more than ten sessions per connection.
     This means that using moussh's connection-sharing feature to connect to
     such a server will work fine until you try to open too many remote login
     sessions, at which point you will get refusals from the remote server.
     Worst of all, OpenSSH does not provide any way for the server admin to
     raise this limit; it is hardwired into the code!

That last sentence is not accurate; OpenSSH has provided a MaxSessions config option since 5.1 (2008): https://www.openssh.com/releasenotes.html#5.1

-- 

Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
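As an added example (not from the thread, and not OpenSSH code), a small Python audit that reads an sshd_config and reports any MaxSessions limit below 2, the minimum denis suggests for servers offering both terminal and SFTP access. It assumes the sshd_config(5) parsing rules: keywords are case-insensitive, `#` starts a comment, keyword and value are separated by whitespace or a single `=`, and for each keyword the first obtained value is the one used; the sample config is constructed.

```python
import re

DEFAULT_MAX_SESSIONS = 10   # OpenSSH default when the directive is absent
RECOMMENDED_MINIMUM = 2     # one SFTP channel plus one terminal channel

def parse_max_sessions(config_text):
    """Return (global MaxSessions or None, {Match criteria: MaxSessions})."""
    global_value, in_match, match_values = None, None, {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # keyword and value are separated by whitespace or a single '='
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()             # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = value                   # following directives are conditional
            continue
        if keyword != "maxsessions":
            continue
        n = int(value)                         # non-numeric value raises ValueError
        if in_match is not None:
            match_values.setdefault(in_match, n)
        elif global_value is None:
            global_value = n                   # first obtained value wins
    return global_value, match_values

def audit_max_sessions(config_text, minimum=RECOMMENDED_MINIMUM):
    """List every MaxSessions limit that is below `minimum`."""
    global_value, match_values = parse_max_sessions(config_text)
    effective = DEFAULT_MAX_SESSIONS if global_value is None else global_value
    findings = []
    if effective < minimum:
        findings.append(f"global MaxSessions {effective} < {minimum}")
    for criteria, n in match_values.items():
        if n < minimum:
            findings.append(f"Match {criteria}: MaxSessions {n} < {minimum}")
    return findings

# Constructed sample config: the MaxSessions 1 pattern from the thread, plus a
# later duplicate that sshd ignores because the first obtained value is used.
SAMPLE_CONFIG = """\
Port 22
MaxSessions 1      # set by a hardening script
MaxSessions 10     # ignored: first value wins
Match Group sftponly
    MaxSessions 1
"""
```

Running `audit_max_sessions(SAMPLE_CONFIG)` yields two findings, one for the global limit and one for the Match block. On a live host, `sshd -T` prints the effective configuration (including `maxsessions`) and is the authoritative check; this parser is for auditing config files offline.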