Re: one host only: ssh_dispatch_run_fatal

On Tue, Nov 8, 2016 at 1:02 PM, Harry Putnam <reader@xxxxxxxxxxx> wrote:
[...]
> gv harry> ssh -vv 2x
>
> OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2j  26 Sep 2016

This is a third-party modified version of OpenSSH.  Can you reproduce
the problem with a stock OpenSSH from the source from openssh.com?

> debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000

OpenSSH 6.6 has a bug in curve25519-sha256@xxxxxxxxxx, which is the
kex method later selected.

Quoting the 6.7 release notes: https://www.openssh.com/releasenotes.html#6.7
"""
 * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
   using the curve25519-sha256@xxxxxxxxxx KEX exchange method to fail
   when connecting with something that implements the specification
   correctly. OpenSSH 6.7 disables this KEX method when speaking to
   one of the affected versions.
"""

> debug1: kex: host key algorithm: ssh-ed25519
[...]
> debug1: Found key in /home/harry/.ssh/known_hosts:2
> debug2: bits set: 4134/8192
> debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
> ssh_dispatch_run_fatal: Connection to 192.168.1.42 port 22: incorrect signature

Maybe the same bug also affects ed25519 as a host key algorithm?  If
so, setting HostKeyAlgorithms in ssh_config on the client to something
that doesn't include ssh-ed25519 might help.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
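
Added example, not part of the original message or of OpenSSH: a small triage helper that reads `ssh -vv` output like the lines quoted above, reports the peer version and negotiated host key algorithm, and flags the combination the reply hypothesises about. The function names, the constructed sample log and the fallback algorithm list in `hostkey_workaround` are assumptions.

```shell
#!/bin/sh
# Constructed sample, modelled on the debug lines quoted in the message.
# One line keeps a "> " mail-quote prefix to show that pasted text also parses.
sample_log() {
cat <<'EOF'
> debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug1: kex: host key algorithm: ssh-ed25519
debug1: Found key in /home/user/.ssh/known_hosts:2
debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
ssh_dispatch_run_fatal: Connection to 192.0.2.10 port 22: incorrect signature
EOF
}

# Read ssh -vv output on stdin and print one summary line:
#   peer=<version> hostkey=<algorithm> verdict=<label>
# "suspect-ed25519-hostkey" marks the case raised in the reply (6.5/6.6 peer,
# ssh-ed25519 host key, signature failure). It is a hint, not a diagnosis.
triage_ssh_debug() {
    awk '
    { sub(/^> ?/, "") }                                  # drop mail quoting
    /^debug1: match: OpenSSH_/           { peer = $3 }
    /^debug1: kex: host key algorithm: / { hostkey = $NF }
    /^ssh_dispatch_run_fatal: .*incorrect signature/ { sigfail = 1 }
    END {
        affected = (peer ~ /^OpenSSH_6\.[56]([^0-9]|$)/)
        if (affected && sigfail && hostkey == "ssh-ed25519")
            verdict = "suspect-ed25519-hostkey"
        else if (sigfail)
            verdict = "signature-failure-other"
        else
            verdict = "no-signature-failure"
        printf "peer=%s hostkey=%s verdict=%s\n",
            (peer == "" ? "unknown" : peer),
            (hostkey == "" ? "unknown" : hostkey), verdict
    }'
}

# Print a per-host ssh_config stanza that leaves ssh-ed25519 out of
# HostKeyAlgorithms. The default list is an assumption: pass as $2 the
# algorithms the server actually offers.
hostkey_workaround() {
    printf 'Host %s\n    HostKeyAlgorithms %s\n' \
        "$1" "${2:-ecdsa-sha2-nistp256,ssh-rsa}"
}

sample_log | triage_ssh_debug
hostkey_workaround 2x
```

After changing HostKeyAlgorithms the client will see a different host key type for that server, so verify the new key's fingerprint out of band before accepting it.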