Bug#819361: openssh-client: ssh/scp rekey fails when using GSSAPI KEX

To: submit@bugs.debian.org
Subject: Bug#819361: openssh-client: ssh/scp rekey fails when using GSSAPI KEX
From: Peter Gille <gille.peter@gmail.com>
Date: Sun, 27 Mar 2016 17:11:43 +0200
Message-id: <[🔎] 87vb48gdlc.fsf@wintermute.idem.me>
Reply-to: Peter Gille <gille.peter@gmail.com>, 819361@bugs.debian.org

Package: openssh-client
Version: 1:7.2p2-1
Severity: normal

Dear Maintainer,

I get failures during rekey when using ssh with kerberos authentication
and GSSAPI key-exchange. This can be noticed in long-running ssh
sessions or when doing large scp transfers (or triggered manually in the
ssh client, using the ~R escape sequence).

As far as I can make out the ssh client offers a different set of
key-exchange algorithms on initial connection and when doing the
rekeying. Here is an example output:

-------
$ ssh -vvv foo.example.com
[...]
debug1: Authenticating to foo.example.com:22 as 'user'
[...]
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
[...]
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[...]
Last login: Fri Mar 25 09:56:20 2016 from foo
foo% echo "now sending rekey request with ~R"
now sending rekey request with ~R
foo% debug1: need rekeying
debug1: SSH2_MSG_KEXINIT sent
debug1: rekeying in progress
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,null
[...]
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[...]
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: rekeying in progress
debug1: rekeying in progress
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:w7yxbCZNBwQ0S0AgmCrFYa3XUpDjvWiDOw4/YOY9q8E
The authenticity of host 'foo.example.com (10.0.1.2)' can't be established.
                                                                                ECDSA key fingerprint is SHA256:w7yxbCZNBwQ0S0AgmCrFYa3XUpDjvWiDOw4/YOY9q8E.
               Are you sure you want to continue connecting (yes/no)? 
                                                                      Host key verification failed.
-------

So it appears that the client does not see the gss-* methods but the
server still does.

/ Peter


-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.114
ii  dpkg              1.18.4
ii  libc6             2.22-3
ii  libedit2          3.1-20150325-1+b1
ii  libgssapi-krb5-2  1.13.2+dfsg-5
ii  libselinux1       2.4-3+b1
ii  libssl1.0.2       1.0.2g-1
ii  passwd            1:4.2-3.1
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- debconf information:

Reply to:

Follow-Ups:
- Bug#819361: openssh-client: ssh/scp rekey fails when using GSSAPI KEX
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#819213: Wrong homepage for OpenSSH packages
Next by Date: Bug#819361: openssh-client: ssh/scp rekey fails when using GSSAPI KEX
Previous by thread: Bug#819213: Wrong homepage for OpenSSH packages
Next by thread: Bug#819361: openssh-client: ssh/scp rekey fails when using GSSAPI KEX
Index(es):
- Date
- Thread