checking for "dh_gen_key: group too small" errors

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Ubuntu 12.04 / OpenSSH_5.9p1 Debian-5ubuntu1 trying to initiate a
connection with hmac-sha2-512 and diffie-hellman-group1-sha1 results in
OpenSSH killing the connection after the SSH_MSG_KEXINIT packet is sent.
The OpenSSH error logs state the following:

debug2: mac_setup: found hmac-sha2-512 [preauth]
debug1: kex: server->client arcfour256 hmac-sha2-512 none [preauth]
dh_gen_key: group too small: 1024 (2*need 1024) [preauth]
debug1: do_cleanup [preauth]

This behavior, I believe, is in error as the shared secret produced by the
diffie-hellman key exchange is essentially extended to the appropriate
length by successive hashes that are concatenated together per
RFC4253#section-7.2

Also, it works fine in Ubuntu 14.04 / OpenSSH_6.6p1 Ubuntu-2ubuntu1.

My question is... for what versions of OpenSSH an issue? I'd like to hide
hmac-sha2-512 from the list of supported MAC's the client sends over for
all the affected SSH servers (ie. similar to how PuTTY handles SSH server
bugs with
http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter4.html#config-ssh-bugs).
To do so, however, I need to know what I need to look for in the
identification strings.

ie. if this issue was present on all versions of OpenSSH prior to 6.5 I
could just look for any identification string for which
substr(identification-string, 8, 3) < '6.5'. If the issue is present in any
server who's identification string ends with Debian-5ubuntu1 I could make a
similar check for that.

I just need to know what I should be checking for. Is there perchance a
link that'd discuss this in more detail?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux