ssh GSSAPI rekey failure

Bug #1608965 reported by Match on 2016-08-02
36
This bug affects 7 people
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Medium
Unassigned
Xenial
Medium
Unassigned
Yakkety
Medium
Unassigned

Bug Description

If I have ssh set up using GSSAPI with rekeying enabled, then the connection fails on rekey, and tries to do host-based verification 'mid-session'.

Steps to reproduce:

$ ssh -vvv server.example.com
<snip...>
debug1: Authenticating to ssh.example.com:22 as 'user'
<snip...>
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,<email address hidden>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
<snip...>
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,<email address hidden>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
<snip...>
Last login: Tue Aug 02 10:47:20 2016 from foo

# Then do 'kinit' on the client to get a new ticket...

debug1: need rekeying
debug1: SSH2_MSG_KEXINIT sent
debug1: rekeying in progress
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: <email address hidden>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: <email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,null
[...]
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,<email address hidden>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[...]
debug1: kex: algorithm: <email address hidden>
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: <email address hidden> MAC: <implicit> compression: none
debug1: kex: client->server cipher: <email address hidden> MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: rekeying in progress
debug1: rekeying in progress
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:w7yxbCZNBX4d5EAgmCrFYa3XUpDjvWiDOw4/YOY9q8E
The authenticity of host 'server.example.com (10.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:w7yxbCZNBX4d5EAgmCrFYa3XUpDjvWiDOw4/YOY9q8E.
Are you sure you want to continue connecting (yes/no)?
Host key verification failed.

It looks like the list of KEX algorithms differs between the initial connection, and the rekeying.

This behaviour seems to occur with a client running 16.04 (openssh-client 1:7.2p2-4ubuntu1) but not on 15.10 (openssh-client 1:6.9p1-2ubuntu0.2).

ssh_config is as follows:

HashKnownHosts no
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDNS yes
GSSAPIKeyExchange yes
ForwardX11 yes
ForwardX11Trusted yes

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Björn Ramberg (bjoern-ramberg) wrote :

+1 on this and see the exact same. Also its still seen in the 16.04 openssh-client 1:7.2p2-4ubuntu2.1. Any valid workarounds on this?

It does not seem to honor "ReKeyLimit 0G 1H" in my case.

Nish Aravamudan (nacc) wrote :

I believe this was also reported to Debian as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819361. Thank you for filing this report! We might need to follow-up with the upstream openssh community to help debug this.

Changed in openssh (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Rene Jensen (rene21114) wrote :

Still a problem the rekeying on 16.04 using openssh 7.2p2-4. Tried to install 7.3p1-1 on a 16.04 exact same problem. Scp and sftp stalls at aroung 1G when rekeying and setting RekeyLimit in either ssh_config or .ssh/config does not have any affect on rekeying.

Any news on handling this bug?

Robie Basak (racb) wrote :

> Any news on handling this bug?

Sorry, this is deep in the backlog and I don't expect Ubuntu developers to look into this any time soon on a volunteer basis.

I suggest that you try the latest upstream openssh release, and if it is still an issue there, then raise the bug upstream if it hasn't been reported already.

If it is fixed in the latest upstream release, then if you could identify the fix then we can do something about it in Ubuntu.

Harald (habazut) wrote :

I submitted a patch. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819361

Patch inline:
-----------------------------------------------------------------------------------------
--- sshconnect2.c.orig 2017-01-04 19:47:10.000000000 +0100
+++ sshconnect2.c 2017-01-05 04:13:08.977425272 +0100
@@ -222,7 +222,6 @@
                        orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
                        xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
                            "%s,null", orig);
- free(gss);
                }
        }
 #endif
@@ -273,6 +272,16 @@
        /* remove ext-info from the KEX proposals for rekeying */
        myproposal[PROPOSAL_KEX_ALGS] =
            compat_kex_proposal(options.kex_algorithms);
+#ifdef GSSAPI
+ /* repair myproposal after it was crumpled by the */
+ /* ext-info removal above */
+ if (gss) {
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+ "%s,%s", gss, orig);
+ free(gss);
+ }
+#endif
        if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
                fatal("kex_prop2buf: %s", ssh_err(r));

-----------------------------------------------------------------------------------------
This patch should be merged with gssapi.patch (for obvious reasons).

Harald.

Harald (habazut) wrote :

> It does not seem to honor "ReKeyLimit 0G 1H" in my case.

Have you tried "RekeyLimit 0" on _both_ ends?

Harald.

Colin Watson (cjwatson) wrote :

I've applied this patch to Debian unstable (thanks!), so it'll be in Ubuntu 17.04. I'd be happy to help somebody issue stable updates for 16.04 and 16.10, but am unlikely to have time to do that myself.

Changed in openssh (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Changed in openssh (Ubuntu Yakkety):
status: New → Triaged
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:7.4p1-6

---------------
openssh (1:7.4p1-6) unstable; urgency=medium

  * Remove temporary file on exit from postinst (closes: #850275).
  * Remove LOGIN_PROGRAM and LOGIN_NO_ENDOPT definitions, since UseLogin is
    gone.
  * Document sshd_config changes that may be needed following the removal of
    protocol 1 support from sshd (closes: #851573).
  * Remove ssh_host_dsa_key from HostKey default (closes: #850614).
  * Fix rekeying failure with GSSAPI key exchange (thanks, Harald Barth;
    closes: #819361, LP: #1608965).

 -- Colin Watson <email address hidden> Mon, 16 Jan 2017 15:11:10 +0000

Changed in openssh (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.