NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
bin/53670: openssl/openssh compat broken
>Number: 53670
>Category: bin
>Synopsis: openssl/openssh compat broken
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Oct 15 07:55:00 +0000 2018
>Originator: Martin Husemann
>Release: NetBSD 8.99.25
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD whoever-brings-the-night.aprisoft.de 8.99.25 NetBSD 8.99.25 (WHOEVER) #238: Fri Oct 12 16:16:25 CEST 2018 martin%seven-days-to-the-wolves.aprisoft.de@localhost:/work/src/sys/arch/sparc64/compile/WHOEVER sparc64
Architecture: sparc64
Machine: sparc64
>Description:
I updated this machine to -current end of last week and now can not ssh
to machines running 7.2 any more:
OpenSSH_7.8 NetBSD_Secure_Shell-20180825, OpenSSL 1.1.1 11 Sep 2018
[..]
debug1: Local version string SSH-2.0-OpenSSH_7.8 NetBSD_Secure_Shell-20180825
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8 NetBSD_Secure_Shell-20150403-hpn13v14-lpk
debug1: match: OpenSSH_6.8 NetBSD_Secure_Shell-20150403-hpn13v14-lpk pat OpenSSH* compat 0x04000000
debug1: Authenticating to plug.duskware.de:22 as 'martin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256%libssh.org@localhost
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305%openssh.com@localhost'
debug1: kex: server->client cipher: chacha20-poly1305%openssh.com@localhost MAC: <implicit> compression: none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305%openssh.com@localhost'
debug1: kex: client->server cipher: chacha20-poly1305%openssh.com@localhost MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
ssh_dispatch_run_fatal: Connection to 192.168.150.188 port 22: invalid elliptic curve value
This is from a sparc64 machine to a evbarm 7.2 machine. The same connection
worked fine with the older openssl before last weeks update.
A simple workaround (I guess) will be disabling all eliptic cure things
on the sshd on the remote (too slow anyway). I had to do that on older i386
machines too, where the handshake would take a few minutes otherwise.
>How-To-Repeat:
s/a
>Fix:
n/a
Home |
Main Index |
Thread Index |
Old Index