bin/53670: openssl/openssh compat broken

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/53670: openssl/openssh compat broken
From: martin%NetBSD.org@localhost
Date: Mon, 15 Oct 2018 07:55:00 +0000 (UTC)

>Number:         53670
>Category:       bin
>Synopsis:       openssl/openssh compat broken
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Oct 15 07:55:00 +0000 2018
>Originator:     Martin Husemann
>Release:        NetBSD 8.99.25
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD whoever-brings-the-night.aprisoft.de 8.99.25 NetBSD 8.99.25 (WHOEVER) #238: Fri Oct 12 16:16:25 CEST 2018 martin%seven-days-to-the-wolves.aprisoft.de@localhost:/work/src/sys/arch/sparc64/compile/WHOEVER sparc64
Architecture: sparc64
Machine: sparc64
>Description:

I updated this machine to -current end of last week and now can not ssh
to machines running 7.2 any more:

OpenSSH_7.8 NetBSD_Secure_Shell-20180825, OpenSSL 1.1.1  11 Sep 2018
[..]
debug1: Local version string SSH-2.0-OpenSSH_7.8 NetBSD_Secure_Shell-20180825
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8 NetBSD_Secure_Shell-20150403-hpn13v14-lpk
debug1: match: OpenSSH_6.8 NetBSD_Secure_Shell-20150403-hpn13v14-lpk pat OpenSSH* compat 0x04000000
debug1: Authenticating to plug.duskware.de:22 as 'martin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256%libssh.org@localhost
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305%openssh.com@localhost'
debug1: kex: server->client cipher: chacha20-poly1305%openssh.com@localhost MAC: <implicit> compression: none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305%openssh.com@localhost'
debug1: kex: client->server cipher: chacha20-poly1305%openssh.com@localhost MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
ssh_dispatch_run_fatal: Connection to 192.168.150.188 port 22: invalid elliptic curve value

This is from a sparc64 machine to a evbarm 7.2 machine. The same connection
worked fine with the older openssl before last weeks update.

A simple workaround (I guess) will be disabling all eliptic cure things
on the sshd on the remote (too slow anyway). I had to do that on older i386
machines too, where the handshake would take a few minutes otherwise.

>How-To-Repeat:
s/a

>Fix:
n/a

Prev by Date: misc/53669: Lingering references to dhclient(8) in documentation
Next by Date: PR/53668 CVS commit: [netbsd-7] src/sbin/gpt
Previous by Thread: misc/53669: Lingering references to dhclient(8) in documentation
Next by Thread: Re: bin/53670: openssl/openssh compat broken
Indexes:

Home | Main Index | Thread Index | Old Index