ssh: 3.4p1-2 fails to install saying "cipher_encrypt: bad plaintext length 337"

Automatically imported from Debian bug report #151743 http://bugs.debian.org/151743

Message-Id: <email address hidden>
Date: Wed, 03 Jul 2002 13:15:32 +1000
From: "Martin Pool" <email address hidden>
To: "Debian Bug Tracking System" <email address hidden>
Subject: ssh: 3.4p1-2 fails to install saying "cipher_encrypt: bad plaintext length 337"

Package: ssh
Version: 1:3.4p1-2
Severity: grave
Justification: renders package unusable

When I try to install 3.4p1-2 via apt, I get this:

Reading Package Lists... Done
Building Dependency Tree... Done
Sorry, ssh is already the newest version.
0 packages upgraded, 0 newly installed, 0 to remove and 61 not upgraded.
2 packages not fully installed or removed.
Need to get 0B of archives. After unpacking 0B will be used.
Setting up ssh (3.4p1-2) ...
cipher_encrypt: bad plaintext length 337
dpkg: error processing ssh (--configure):
 subprocess post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of ssh-askpass-gnome:
 ssh-askpass-gnome depends on ssh (>= 1:1.2pre7-4); however:
  Package ssh is not configured yet.
dpkg: error processing ssh-askpass-gnome (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 ssh
 ssh-askpass-gnome
E: Sub-process /usr/bin/dpkg returned an error code (1)

Running strace on the post-installation script shows that the message
comes from execution of this command:

execve("/usr/bin/ssh-keygen", ["ssh-keygen", "-p", "-N", "", "-f", "/etc/ssh/ssh_host_key"], [/* 44 vars */])

just after it tries to read /etc/ssh/ssh_host_key. Running that
command from the command line reproduces the same error.

It seems that this command is called from check_idea_key() in
ssh.postinst.

If I move the v1 host key out of the way, then postinst does not run
this command, and installation proceeds without error.

My SSH1 key was working perfectly well with previous versions
(unstable ~3 days ago) as far as I could tell.

It seems that this bug can leave ssh half-configured, which is
obviously a potentially severe problem for machines with only ssh
access.

I still have the keyfile in case you want it. It identifies itself as
"SSH PRIVATE KEY FILE FORMAT 1.1".

Cheers,
--
Martin

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux anomic 2.4.18 #55 Mon Apr 29 12:28:16 WST 2002 i686
Locale: LANG=C, LC_CTYPE=

Versions of packages ssh depends on:
ii adduser 3.47 Add and remove users and groups
ii debconf 1.1.14 Debian configuration management sy
ii libc6 2.2.5-7 GNU C Library: Shared libraries an
ii libpam-modules 0.72-35 Pluggable Authentication Modules f
ii libpam0g 0.72-35 Pluggable Authentication Modules l
ii libssl0.9.6 0.9.6d-1 SSL shared libraries
ii libwrap0 7.6-9 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.1.4-1 compression library - runtime

-- debconf information:
* ssh/ssh2_keys_merged:
  ssh/new_config: true
* ssh/rootlogin_warning:
  ssh/insecure_rshd:
* ssh/privsep_tell:
* ssh/forward_warning:
  ssh/ancient_version:
  ssh/pro...

Message-Id: <email address hidden>
Date: Wed, 03 Jul 2002 13:37:03 +0100
From: Jonathan Amery <email address hidden>
To: <email address hidden>
Subject: Can't verify this :( [was: ssh: 3.4p1-2 fails to install saying "cipher_encrypt: bad
 plaintext length 337"]

 Right, I've just created a new `old' host-key, and it converts
properly with that command, so I can't replicate this.

 It might help if you sent your host-key, but bear in mind that this
would allow anyone with that host-key to perform a man-in-the-middle
attack if the client doesn't know that you have changed host-key.

 Jonathan.

Message-ID: <email address hidden>
Date: Wed, 3 Jul 2002 23:28:25 +1000
From: Martin Pool <email address hidden>
To: Jonathan Amery <email address hidden>,
 <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#151743: Can't verify this :( [was: ssh: 3.4p1-2 fails to install saying
 "cipher_encrypt: bad plaintext length 337"]

On 3 Jul 2002, Jonathan Amery <email address hidden> wrote:
>
> Right, I've just created a new `old' host-key, and it converts
> properly with that command, so I can't replicate this.
>
> It might help if you sent your host-key, but bear in mind that this
> would allow anyone with that host-key to perform a man-in-the-middle
> attack if the client doesn't know that you have changed host-key.

I'll make sure no machine still has the corresponding public key, and
then send it through to you. Shall I just send it to you as an email
attachment?

--
Martin

Message-Id: <email address hidden>
Date: Tue, 16 Jul 2002 02:08:14 +0100
From: Jonathan Amery <email address hidden>
To: Martin Pool <email address hidden>, <email address hidden>
Subject: Re: "bad plaintext length" (was Re: Bug#151743: Can't verify this :( [was: ssh: 3.4p1-2
 fails to install saying "cipher_encrypt: bad plaintext length 337"])

> On 4 Jul 2002, Jonathan Amery <email address hidden> wrote:
> > You said:
> > > I'll make sure no machine still has the corresponding public key, and
> > > then send it through to you. Shall I just send it to you as an email
> > > attachment?
> >
> > Yes, that should be fine.
>
> OK, here they are. On my machine, I get:
>
> > mbp/2 sshkey-danger$ ssh-keygen -p -f ssh_host_key
> > cipher_encrypt: bad plaintext length 337
> > mbp/2 sshkey-danger$ ssh -V
> > OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
>
> The key was generated with Debian's version of OpenSSH a few months
> ago. It was apparently working properly (i.e. could log in over
> sshv1) until the 3.4 upgrade.
>
 Hmm, I tried this on a stable machine here, and got the same error:

allison.empire.pick.ucam.org:~/ # [02/07/16.02:06:12] $
: pts/6 bash[4621] ; ssh-keygen -p -N '' -f key1
cipher_decrypt: bad ciphertext length 337
allison.empire.pick.ucam.org:~/ # [02/07/16.02:06:16] $
: pts/6 bash[4622] ; dpkg --list ssh
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii ssh 1.2.3-9.4 Secure rlogin/rsh/rcp replacement (OpenSSH)

 Do you have an extant backup of the host key from before the upgrade?
I fear that it might have got corrupted somewhere.

 Jonathan.

Message-ID: <email address hidden>
Date: Sat, 26 Oct 2002 19:32:11 +0100
From: Colin Watson <email address hidden>
To: Jonathan Amery <email address hidden>
Cc: Martin Pool <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: "bad plaintext length" (was Re: Bug#151743: Can't verify this :( [was: ssh: 3.4p1-2
 fails to install saying "cipher_encrypt: bad plaintext length 337"])

severity 151743 important
thanks

On Tue, Jul 16, 2002 at 02:08:14AM +0100, Jonathan Amery wrote:
> Hmm, I tried this on a stable machine here, and got the same error:
>
> allison.empire.pick.ucam.org:~/ # [02/07/16.02:06:12] $
> : pts/6 bash[4621] ; ssh-keygen -p -N '' -f key1
> cipher_decrypt: bad ciphertext length 337
> allison.empire.pick.ucam.org:~/ # [02/07/16.02:06:16] $
> : pts/6 bash[4622] ; dpkg --list ssh
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> ||/ Name Version Description
> +++-==============-==============-============================================
> ii ssh 1.2.3-9.4 Secure rlogin/rsh/rcp replacement (OpenSSH)
>
> Do you have an extant backup of the host key from before the upgrade?
> I fear that it might have got corrupted somewhere.

While this is obviously a nasty bug, it doesn't seem to be having
widespread effect, so I'm downgrading it.

Perhaps one thing that would help would be if ssh's postinst backed up
host keys before attempting to edit them?

Regards,

--
Colin Watson [<email address hidden>]

Message-ID: <email address hidden>
Date: Tue, 19 Nov 2002 17:11:13 -0800
From: Martin Pool <email address hidden>
To: Colin Watson <email address hidden>
Cc: Jonathan Amery <email address hidden>,
 <email address hidden>
Subject: Re: "bad plaintext length" (was Re: Bug#151743: Can't verify this :( [was: ssh: 3.4p1-2
 fails to install saying "cipher_encrypt: bad plaintext length 337"])

On 26 Oct 2002, Colin Watson <email address hidden> wrote:

> On Tue, Jul 16, 2002 at 02:08:14AM +0100, Jonathan Amery wrote:
> > Hmm, I tried this on a stable machine here, and got the same error:
> >
> > allison.empire.pick.ucam.org:~/ # [02/07/16.02:06:12] $
> > : pts/6 bash[4621] ; ssh-keygen -p -N '' -f key1
> > cipher_decrypt: bad ciphertext length 337
> > allison.empire.pick.ucam.org:~/ # [02/07/16.02:06:16] $
> > : pts/6 bash[4622] ; dpkg --list ssh
> > Desired=Unknown/Install/Remove/Purge/Hold
> > | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> > |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> > ||/ Name Version Description
> > +++-==============-==============-============================================
> > ii ssh 1.2.3-9.4 Secure rlogin/rsh/rcp replacement (OpenSSH)
> >
> > Do you have an extant backup of the host key from before the upgrade?
> > I fear that it might have got corrupted somewhere.
>
> While this is obviously a nasty bug, it doesn't seem to be having
> widespread effect, so I'm downgrading it.

I haven't seen the problem again.

> Perhaps one thing that would help would be if ssh's postinst backed up
> host keys before attempting to edit them?

That seems like a very sensible idea to me.

Perhaps make them 0400 afterwards, and perhaps back them up in a way
that would protect against repeated broken attempts to upgrade.
(e.g. move to "host_key.$TIMESTAMP~")

--
Martin

Message-Id: <email address hidden>
Date: Sun, 2 Mar 2003 17:03:56 +0100
From: Hendrik Naumann <email address hidden>
To: <email address hidden>
Subject: Also happend here

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

I have an uptodate woodybox here. Starting ssh (I dont need the
daemon verry often) resulted in an error

cipher_encrypt: bad plaintext length 338

I read your bugreport and looked at the ssh_keys. I found that some
weeks ago (5.th Feb) all keys were backed up. The only difference
between the two versions are that the hostname (root@foo to root@bar)
changed. And this is right, because I changed the hostname of the
machine some time ago.

The only thing I can not reconstruct, is which program did the
changes to the key-files.

Using the backup versions solved my problem.

Hendrik
- --
PGP ID 65C92061
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+Yit0IfCsAmXJIGERAqIsAJ0Ubnff0RN4u55WEICNgZI3GuK92gCeJked
VzzKG1PNBSa2YtsLR5QXTO0=
=LUQf
-----END PGP SIGNATURE-----

reassign as discussed on #irc

I think this was the same as #312312, and is therefore now fixed.

openssh (1:4.1p1-7) unstable; urgency=low

  * Do the IDEA host key check on a temporary file to avoid altering
    /etc/ssh/ssh_host_key itself (closes: #312312).
  * Work around the ssh-askpass alternative somehow ending up in manual mode
    pointing to the obsolete /usr/lib/ssh/gnome-ssh-askpass.
  * Add GNU/kFreeBSD support (thanks, Aurelien Jarno; closes: #318113).
  * Fix XSIish uses of 'test' in openssh-server.preinst.
  * Policy version 3.6.2: no changes required.

 -- Colin Watson <email address hidden> Fri, 2 Sep 2005 16:18:11 +0100

Message-ID: <email address hidden>
Date: Fri, 9 Sep 2005 15:28:39 +0100
From: Colin Watson <email address hidden>
To: <email address hidden>
Cc: Jonathan Amery <email address hidden>
Subject: Re: "bad plaintext length" (was Re: Bug#151743: Can't verify this :( [was: ssh: 3.4p1-2
 fails to install saying "cipher_encrypt: bad plaintext length 337"])

Source: openssh
Source-Version: 1:4.1p1-7

On Tue, Nov 19, 2002 at 05:11:13PM -0800, Martin Pool wrote:
> On 26 Oct 2002, Colin Watson <email address hidden> wrote:
> > On Tue, Jul 16, 2002 at 02:08:14AM +0100, Jonathan Amery wrote:
> > > Do you have an extant backup of the host key from before the upgrade?
> > > I fear that it might have got corrupted somewhere.
> >
> > While this is obviously a nasty bug, it doesn't seem to be having
> > widespread effect, so I'm downgrading it.
>
> I haven't seen the problem again.
>
> > Perhaps one thing that would help would be if ssh's postinst backed up
> > host keys before attempting to edit them?
>
> That seems like a very sensible idea to me.
>
> Perhaps make them 0400 afterwards, and perhaps back them up in a way
> that would protect against repeated broken attempts to upgrade.
> (e.g. move to "host_key.$TIMESTAMP~")

I think in fact this was the same bug as #312312, and is therefore now
(belatedly) fixed:

openssh (1:4.1p1-7) unstable; urgency=low

  * Do the IDEA host key check on a temporary file to avoid altering
    /etc/ssh/ssh_host_key itself (closes: #312312).
  * Work around the ssh-askpass alternative somehow ending up in manual mode
    pointing to the obsolete /usr/lib/ssh/gnome-ssh-askpass.
  * Add GNU/kFreeBSD support (thanks, Aurelien Jarno; closes: #318113).
  * Fix XSIish uses of 'test' in openssh-server.preinst.
  * Policy version 3.6.2: no changes required.

 -- Colin Watson <email address hidden> Fri, 2 Sep 2005 16:18:11 +0100

Thanks,

--
Colin Watson [<email address hidden>]