bad bignum encoding for curve25519-sha256 at libssh.org

Bug #1310781 reported by Colin Watson on 2014-04-21
22
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
High
Colin Watson
Trusty
High
Colin Watson

Bug Description

[Impact] Occasional key exchange failure with ED25519.
[Test Case] I don't have a clear one, but perhaps attempting lots of connections to a fixed server would do it.
[Regression Potential] We should test with an unpatched server to make sure that it properly falls back to skipping that key exchange method.

There's an occasional (one in 512 or so) key exchange failure in the curve25519-sha256 key exchange method, which affects OpenSSH 6.5 and 6.6. Upstream gives more details here and has recommended that distributors apply this patch:

  https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html

We should issue this as an update for trusty.

Colin Watson (cjwatson) on 2014-04-21
Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson) wrote :

openssh (1:6.6p1-4) unstable; urgency=medium

  * Debconf translations:
    - Spanish (thanks, Matías Bellone; closes: #744867).
  * Apply upstream-recommended patch to fix bignum encoding for
    <email address hidden>, fixing occasional key exchange failures.

 -- Colin Watson <email address hidden> Mon, 21 Apr 2014 21:29:53 +0100

Changed in openssh (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
milestone: none → ubuntu-14.04.1
Changed in openssh (Ubuntu):
status: Triaged → Fix Released
Changed in openssh (Ubuntu Trusty):
status: Triaged → In Progress
Colin Watson (cjwatson) on 2014-05-02
description: updated
OmegaPhil (omegaphil) wrote :

I've just come across a knock on effect of this bug when configuring the Ubuntu SSH server for <email address hidden> key exchange only, and using the latest Debian package openssh-client to connect.

Because Ubuntu's SSH server version doesnt match 6.6.1, the Debian SSH client disables <email address hidden> completely, getting rid of the (presumably) most secure algorithm available:

==========================================================================

debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Debian-4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: match: OpenSSH_6.6p1 Ubuntu-2ubuntu1 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
...
debug2: compat_kex_proposal: original KEX proposal: <email address hidden>
debug2: Compat: skipping algorithm "<email address hidden>"
debug2: compat_kex_proposal: compat KEX proposal:
No supported key exchange algorithms found

==========================================================================

The compat value being hit is in compat.c:100.

Hello Colin, or anyone else affected,

Accepted openssh into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssh (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
OmegaPhil (omegaphil) wrote :

Sorry for the delay - I have enabled proposed and can confirm forced <email address hidden> works now :)

Simon Déziel (sdeziel) on 2014-05-14
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.6p1-2ubuntu2

---------------
openssh (1:6.6p1-2ubuntu2) trusty; urgency=medium

  * Apply upstream-recommended patch to fix bignum encoding for
    <email address hidden>, fixing occasional key exchange failures
    (LP: #1310781).
  * Force ssh-agent Upstart job to use sh syntax regardless of the user's
    shell (thanks, Steffen Stempel; LP: #1312928).
 -- Colin Watson <email address hidden> Fri, 02 May 2014 09:42:23 +0100

Changed in openssh (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openssh has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers