Subject: bin/11521: 1.5beta2 ssh client can't read old RSA key files
To: None <gnats-bugs@gnats.netbsd.org>
From: John Hawkinson <jhawk@mit.edu>
List: netbsd-bugs
Date: 11/18/2000 17:25:16
>Number:         11521
>Category:       bin
>Synopsis:       1.5beta2 ssh client can't read old RSA key files
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 18 17:25:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     John Hawkinson
>Release:        netbsd-1-5 of 16 Nov 2000
>Organization:
MIT
>Environment:
	
System: NetBSD zorkmid.mit.edu 1.5E NetBSD 1.5E (ZORKMID-$Revision: 1.2 $) #54: Fri Aug 18 01:53:49 EDT 2000 jhawk@zorkmid.mit.edu:/usr/local/netbsd-current/src/sys/arch/i386/compile/ZORKMID i386


>Description:
	[ I'm travelling this weekend, and don't have more than intermittent
connectivity. ]

	I did a cvs update to netbsd-1-5 on my (i386) laptop on Thursday night,
and a make build yesterday, and now I find that the in-tree ssh which was
then built and installed will not talk to some sshds, including a 1.5BETA2
NetBSD/sparc machine (!).

	Using /usr/pkg/bin/ssh on my laptop works just fine.

	Further investigation suggests the problem is because of my ssh
RSA identity using idea encryption.

>How-To-Repeat:
	debugging sshd on the server (1.5beta2 sparc):

# sshd -d -p 5555  
debug1: sshd version OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003
debug1: read DSA private key done
debug1: Bind to port 5555 on ::.
Server listening on :: port 5555.
debug1: Bind to port 5555 on 0.0.0.0.
Server listening on 0.0.0.0 port 5555.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 4.54.159.62 port 65527
debug1: Client protocol version 1.5; client software version OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003
debug1: Local version string SSH-1.99-OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for root.
Warning: /root/.ssh/authorized_keys, line 2: keysize mismatch: actual 1023 vs. announced 1024.
Connection closed by 4.54.159.62
debug1: Calling cleanup 0x23f58(0x0)

	And then debugging ssh client:
zorkmid% ssh -v -p 5555  server -l root
SSH Version OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003, protocol versions 1.5/2.0.
Compiled with OpenSSL (0x0090581f).
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to server [18.xxx.yyy.zzz] port 5555.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003
debug: Local version string SSH-1.5-OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'server' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'jhawk/afs@athena.mit.edu'
debug: Received RSA challenge from server.
cipher_set_key: unknown cipher: idea
debug: Calling cleanup 0x8056c84(0x0)

	This seems Very Weird to me. The server isn't even trying to use
IDEA, as far as I can tell. If I use /usr/pkg/bin/ssh on the client, it
works fine, though there is some Highly Questionable (tm) debugging
output from the server. Again, the server:

# !!  
sshd -d -p 5555
debug1: sshd version OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003
debug1: read DSA private key done
debug1: Bind to port 5555 on ::.
Server listening on :: port 5555.
debug1: Bind to port 5555 on 0.0.0.0.
Server listening on 0.0.0.0 port 5555.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 4.54.159.62 port 65523
debug1: Client protocol version 1.5; client software version 1.2.27
debug1: Local version string SSH-1.99-OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for root.
Warning: /root/.ssh/authorized_keys, line 2: keysize mismatch: actual 1023 vs. announced 1024.
Accepted rsa for ROOT from 4.54.159.62 port 65523
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug1: Entering interactive session.
debug1: no set_nonblock for tty fd 3
debug1: Setting controlling tty using TIOCSCTTY.
debug1: no set_nonblock for tty fd 4
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: tvp!=NULL kid 0 mili 10
debug1: Received SIGCHLD.
debug1: tvp!=NULL kid 1 mili 100
debug1: End of interactive session; stdin 2, stdout (read 592, sent 592), stderr 0 bytes.
debug1: Command exited with status 0.
debug1: Received exit confirmation.
debug1: session_pty_cleanup: session 0 release /dev/ttyp1
Closing connection to 4.54.159.62

zorkmid% /usr/pkg/bin/ssh -v -p 5555 server -l root
SSH Version 1.2.27 [i386--netbsd], protocol version 1.5.
Standard version.  Does not use RSAREF.
zorkmid.mit.edu: Reading configuration data /etc/ssh_config
zorkmid.mit.edu: ssh_connect: getuid 10786 geteuid 10786 anon 1
zorkmid.mit.edu: Connecting to server [18.xxx.yyy.zzz] port 5555.
zorkmid.mit.edu: Connection established.
zorkmid.mit.edu: Remote protocol version 1.99, remote software version OpenSSH_2.2.0 NetBSD_Secure_Shell-20001003
zorkmid.mit.edu: Waiting for server public key.
zorkmid.mit.edu: Received server public key (768 bits) and host key (1024 bits).
zorkmid.mit.edu: Host 'server' is known and matches the host key.
zorkmid.mit.edu: Initializing random; seed file /users/jhawk/.ssh/random_seed
zorkmid.mit.edu: IDEA not supported, using 3des instead.
zorkmid.mit.edu: Encryption type: 3des
zorkmid.mit.edu: Sent encrypted session key.
zorkmid.mit.edu: Installing crc compensation attack detector.
zorkmid.mit.edu: Received encrypted confirmation.
zorkmid.mit.edu: No agent.
zorkmid.mit.edu: Trying RSA authentication with key 'jhawk/afs@athena.mit.edu'
zorkmid.mit.edu: Received RSA challenge from server.
Enter passphrase for RSA key 'jhawk/afs@athena.mit.edu': 
zorkmid.mit.edu: Sending response to host key RSA challenge.
zorkmid.mit.edu: Remote: RSA authentication accepted.
zorkmid.mit.edu: RSA authentication accepted by server.
zorkmid.mit.edu: Requesting pty.
zorkmid.mit.edu: Requesting X11 forwarding with authentication spoofing.
zorkmid.mit.edu: Remote: X11 forwarding disabled in server configuration file.
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.
zorkmid.mit.edu: Requesting shell.
zorkmid.mit.edu: Entering interactive session.
Last login: Sat Nov 18 19:40:03 2000 from pppa1-resaledial
NetBSD 1.5_BETA2 (GENERIC) #8: Mon Nov  6 23:17:06 MET 2000

ssh-ing from the sparc to the i386 works just fine.

Further investigation shows this seems to not depend on where
I'm connecting to, but on how I authenticate. It looks like
cipher_set_key() is being called with idea for my RSA key:

(gdb) bt
#0  cipher_set_key (context=0xbfbfc1f8, cipher=1, 
    key={redacted}, keylen=16)
    at /usr/local/netbsd-1-5/src/usr.bin/ssh/libssh/../../../crypto/dist/ssh/cipher.c:268
#1  0x80598b8 in cipher_set_key_string (context=0xbfbfc1f8, cipher=1, 
    passphrase=0x80637ac "")
    at /usr/local/netbsd-1-5/src/usr.bin/ssh/libssh/../../../crypto/dist/ssh/cipher.c:253
#2  0x8055e47 in load_private_key_rsa (fd=7, 
    filename=0x806f200 "/root/.ssh/identity", passphrase=0x80637ac "", 
    prv=0x8070300, comment_return=0x0)
    at /usr/local/netbsd-1-5/src/usr.bin/ssh/libssh/../../../crypto/dist/ssh/authfile.c:390
#3  0x8056336 in load_private_key (filename=0x806f200 "/root/.ssh/identity", 
    passphrase=0x80637ac "", key=0x8074370, comment_return=0x0)
    at /usr/local/netbsd-1-5/src/usr.bin/ssh/libssh/../../../crypto/dist/ssh/authfile.c:516
#4  0x8050d09 in try_rsa_authentication ()
#5  0x8051bfc in ssh_userauth ()
#6  0x80508af in ssh_login ()
#7  0x804c49c in main ()
#8  0x804b095 in ___start ()


>Fix:
	Provide a migration utility to change the cipher type on RSA keys, if
IDEA is to be deprecated (probably the correct thing because of patent
concerns). Such a tool could live in pkgsrc.

	Ah-ha! It appears that /usr/pkg/bin/ssh-keygen -u does this:

       -u    Requests that the key's cipher  is  changed  to  the
             current default cipher (determined at compile-time -
             currently 3DES).

Perhaps the release notes ought to include an explanation of this
issue, and the recommendation that this procedure be performed on
all extant RSA keys.

>Release-Note:
>Audit-Trail:
>Unformatted:
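An added, defender-side illustration that is not part of this PR: the backtrace above shows the cipher handed to cipher_set_key() (cipher=1, which is SSH_CIPHER_IDEA in OpenSSH's cipher.h) coming from the identity file itself. SSH1 private key files carry a cleartext header that records which cipher the private half is encrypted with, and the OpenSSH 2.2.0 client no longer has IDEA to decrypt it, so the key is unreadable before authentication even starts. The Python below (written for this note, not NetBSD or OpenSSH code) parses only that cleartext header, so an administrator can inventory identity files for IDEA ahead of an upgrade and point users at ssh-keygen -u. The header layout follows OpenSSH's authfile.c; the cipher name table and the build_sample_identity() fixture are my own, and the sample key values are constructed, not real RSA parameters. It also reports the "actual vs. announced" key size that sshd warned about in the logs above, computed the same way (bit length of n against the size field).

```python
import struct

# SSH1 identity file constants: id string from OpenSSH authfile.c, cipher
# numbers from cipher.h (cipher=1 in the PR's backtrace is IDEA).
AUTHFILE_ID_STRING = b"SSH PRIVATE KEY FILE FORMAT 1.1\n"
SSH1_CIPHER_NAMES = {0: "none", 1: "idea", 2: "des", 3: "3des",
                     4: "broken-tss", 5: "broken-rc4", 6: "blowfish"}
SSH_CIPHER_IDEA = 1


def _read_bignum(data, off):
    """SSH1 bignum: 16-bit big-endian bit count, then ceil(bits/8) bytes."""
    (nbits,) = struct.unpack(">H", data[off:off + 2])
    off += 2
    nbytes = (nbits + 7) // 8
    return int.from_bytes(data[off:off + nbytes], "big"), off + nbytes


def _put_bignum(value):
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def parse_ssh1_identity_header(data):
    """Parse the cleartext header of an SSH1 RSA identity file.

    Reads id string, cipher byte, reserved word, announced key size, public
    n and e, and the comment. The encrypted private half that follows is
    left untouched: decrypting it is exactly the step that needs the cipher
    this function reports.
    """
    if not data.startswith(AUTHFILE_ID_STRING):
        raise ValueError("not an SSH1 private key file")
    off = len(AUTHFILE_ID_STRING)
    if data[off] != 0:
        raise ValueError("id string not NUL-terminated")
    off += 1
    cipher = data[off]
    off += 1
    off += 4                                   # reserved word ("for future extension")
    (announced_bits,) = struct.unpack(">I", data[off:off + 4])
    off += 4
    n, off = _read_bignum(data, off)
    e, off = _read_bignum(data, off)
    (clen,) = struct.unpack(">I", data[off:off + 4])
    off += 4
    comment = data[off:off + clen].decode("latin-1")
    return {
        "cipher": cipher,
        "cipher_name": SSH1_CIPHER_NAMES.get(cipher, "unknown(%d)" % cipher),
        "announced_bits": announced_bits,
        "actual_bits": n.bit_length(),         # what sshd compares against the size field
        "n": n,
        "e": e,
        "comment": comment,
    }


def needs_migration(data):
    """True when the private half is IDEA-encrypted: the key the OpenSSH 2.2.0
    client in the PR cannot open, which ssh-keygen -u must re-encrypt first."""
    return parse_ssh1_identity_header(data)["cipher"] == SSH_CIPHER_IDEA


def build_sample_identity(cipher, n, e, comment, announced_bits=None):
    """Constructed fixture: a header laid out as authfile.c writes it, followed
    by a dummy private part (zero bytes, not real ciphertext)."""
    out = bytearray(AUTHFILE_ID_STRING + b"\x00")
    out.append(cipher)
    out += struct.pack(">I", 0)
    out += struct.pack(">I", n.bit_length() if announced_bits is None else announced_bits)
    out += _put_bignum(n) + _put_bignum(e)
    out += struct.pack(">I", len(comment)) + comment
    out += b"\x00" * 16
    return bytes(out)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hdr = parse_ssh1_identity_header(fh.read())
        flag = "  <- run ssh-keygen -u before upgrading" if hdr["cipher"] == SSH_CIPHER_IDEA else ""
        size_note = "" if hdr["announced_bits"] == hdr["actual_bits"] else \
            " (keysize mismatch: actual %d vs. announced %d)" % (hdr["actual_bits"], hdr["announced_bits"])
        print("%s: cipher=%s comment=%r%s%s" % (path, hdr["cipher_name"], hdr["comment"], size_note, flag))
```

Run it as `python3 check_identity.py /home/*/.ssh/identity` to list each key's cipher; anything reported as idea is a key the new in-tree client will refuse, and the fix is the `ssh-keygen -u` migration quoted in the Fix section, run by the key's owner (it needs the passphrase to re-encrypt the private half). The script never needs the passphrase itself, since the cipher byte is in the clear.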