Hello! I am part of a testing research group at Uppsala University. We have recently applied our model-based testing technique to OpenSSH servers and would like to share our findings in terms of potential issues found and receive feedback of course. The version we tested is 8.8p1, which was running on a Ubuntu 20.04 machine. For each issue, we give an input/output sequence that exposes it, and relevant quotes for the RFC. We can also provide reproduction material if asked. None of the issues appear to have any security implications. Before going over the issues, we wanted to first ask you about one behavior which we struggle to understand. We notice that OpenSSH buffers higher-layer messages received during part of the key re-exchange process. Is this really necessary given that a client should not generate these messages, according to RFC 4253 (see quote below). Wouldn't it be easier to simply discard/reject these messages (like Dropbear does, which would solve Issues 1 and 2)? What we want to know, concretely, is, if there is a practical reason for this behavior/design choice. RFC 4253, page 19: " After the SSH_MSG_KEXINIT message exchange, the key exchange algorithm is run. It may involve several packet exchanges, as specified by the key exchange method. Once a party has sent a SSH_MSG_KEXINIT message for key exchange or re-exchange, until it has sent a SSH_MSG_NEWKEYS message (Section 7.3), it MUST NOT send any messages other than: o Transport layer generic messages (1 to 19) (but SSH_MSG_SERVICE_REQUEST and SSH_MSG_SERVICE_ACCEPT MUST NOT be sent); o Algorithm negotiation messages (20 to 29) (but further SSH_MSG_KEXINIT messages MUST NOT be sent); o Specific key exchange method messages (30 to 49)." Now onto the issues. Issue 1. Processing upper-layer data before key re-exchange is complete. When performing key re-exchange (rekeying), OpenSSH does not wait for the client NEWKEYS before processing higher-layer messages. Concretely, it processes higher-layer messages (secured with old keys) received between sending NEWKEYS to the client and receiving NEWKEYS from the client. Technically, the RFC does not explicitly mention that servers should wait for NEWKEYS from the client before processing messages. But intuitively, a key re-exchange (like the initial key exchange) is only complete once keys are renewed and deployed in both directions. Before that, it seems to us that higher-layer messages should not be processed, as is the case for the initial key exchange (which key re-exchange is supposed to be similar with). Not to mention that a client is not supposed to send any higher-layer messages before sending NEWKEYS. Sequence: KEXINIT/KEXINIT KEX30/KEX31+NEWKEYS NEWKEYS/NO_RESPONSE SERVICE_REQUEST(ssh-userauth)/SERVICE_ACCEPT USERAUTH_REQUEST/USERAUTH_SUCCESS+GLOBAL_REQUEST KEXINIT/KEXINIT KEX30/KEX31+NEWKEYS CHANNEL_OPEN/CHANNEL_OPEN_SUCCESS Issue 2. Non-conforming response to CHANNEL_CLOSE. The presence of Issue 1 leads to Issue 2. The RFC says that on receiving a CHANNEL_CLOSE to close a channel, implementations SHOULD reply with CHANNEL_CLOSE. OpenSSH does not always follow this requirement. In particular, when receiving CHANNEL_CLOSE during key exchange, it silently consumes this message and only generates CHANNEL_CLOSE response after receiving NEWKEYS from the client. What is interesting is that, during that same key re-exchange, OpenSSH processes CHANNEL_OPEN and generates CHANNEL_OPEN_SUCCESS before NEWKEYS is received. RFC 4254, page 9: " When either party wishes to terminate the channel, it sends SSH_MSG_CHANNEL_CLOSE. Upon receiving this message, a party MUST send back an SSH_MSG_CHANNEL_CLOSE unless it has already sent this message for the channel. " Sequence: KEXINIT/KEXINIT KEX30/KEX31+NEWKEYS NEWKEYS/NO_RESPONSE SERVICE_REQUEST(ssh-userauth)/SERVICE_ACCEPT USERAUTH/USERAUTH_SUCCESS+GLOBAL_REQUEST KEXINIT/KEXINIT KEX30/KEX31+NEWKEYS CHANNEL_OPEN/CHANNEL_OPEN_SUCCESS CHANNEL_CLOSE/NO_RESPONSE CHANNEL_OPEN/CHANNEL_OPEN_SUCCESS CHANNEL_CLOSE/NO_RESPONSE NEWKEYS / CHANNEL_CLOSE + CHANNEL_CLOSE Issue 3. Rekey not supported pre-authentication. We found that rekey is not supported after key exchange is complete but before the user authenticates. Sequence: KEXINIT/KEXINIT KEX30/KEX31+NEWKEYS NEWKEYS/NO_RESPONSE SERVICE_REQUEST(ssh-userauth)/SERVICE_ACCEPT KEXINIT/UNIMPLEMENTED Issue 4. Use of UNIMPLEMENTED when the RFC says otherwise (very minor but might as well mention it). RFC 4253, page 24: " If the server rejects the service request, it SHOULD send an appropriate SSH_MSG_DISCONNECT message and MUST disconnect." Sequence: KEXINIT/KEXINIT SERVICE_REQUEST(ssh-userauth)/UNIMPLEMENTED RFC 4252, page 6: " SSH_MSG_USERAUTH_SUCCESS MUST be sent only once. When SSH_MSG_USERAUTH_SUCCESS has been sent, any further authentication requests received after that SHOULD be silently ignored." Sequence: KEXINIT/KEXINIT KEX30/KEX31+NEWKEYS NEWKEYS/NO_RESPONSE SERVICE_REQUEST(ssh-userauth)/SERVICE_ACCEPT USERAUTH/USERAUTH_SUCCESS+GLOBAL_REQUEST USERAUTH/UNIMPLEMENTED Thanks for any feedback, particularly on Issue 1 and buffering! Paul. När du har kontakt med oss på Uppsala universitet med e-post så innebär det att vi behandlar dina personuppgifter. För att läsa mer om hur vi gör det kan du läsa här: http://www.uu.se/om-uu/dataskydd-personuppgifter/ E-mailing Uppsala University means that we will process your personal data. For more information on how this is performed, please read here: http://www.uu.se/en/about-uu/data-protection-policy _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev